Unable to launch OneClick java client due to Oracle Java security

Article ID: 209318

Products

CA Spectrum

Issue/Introduction


Launching the OneClick Java client fails because of the Oracle Java security deployment settings. In this case, the Java security level is set to Very High and is managed at the enterprise level, as is the site exception list.

Cause


Oracle JRE Security deployment

<basedir>/Sun/Java/Deployment/deployment.properties


#System Deployment Properties
#Tue Feb 09 14:28:34 EST 2021
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.webjava.enabled=true
deployment.webjava.enabled.locked
deployment.security.askgrantdialog.notinca=false
deployment.security.askgrantdialog.notinca.locked
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.security.validation.ocsp=true
deployment.security.validation.ocsp.locked
deployment.security.blacklist.check=true
deployment.security.blacklist.check.locked
deployment.user.security.exception.sites=c\:\\windows\\sun\\java\\deployment\\exception.sites
deployment.security.validation.crl=true
deployment.security.validation.crl.locked
deployment.security.revocation.check=ALL_CERTIFICATES
deployment.security.revocation.check.locked
deployment.insecure.jres=PROMPT
deployment.insecure.jres.locked

   

 

The following two entries from the above block prevent the security prompt from being shown to the user:

deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked

 


Checked the 10.4.1 OneClick client jar files:
    - all are signed with a certificate that was within its validity period at the time of this case

Example:
appletscm.jar
 
      >>> Signer
      X.509, CN=CA INC, OU=78615, O=CA INC, L=Islandia, ST=New York, C=US
      [certificate is valid from 1/7/19 7:00 PM to 1/7/22 6:59 PM]
      X.509, CN=Symantec Class 3 SHA256 Code Signing CA - G2, OU=Symantec Trust Network, O=Symantec Corporation, C=US
      [certificate is valid from 7/21/14 8:00 PM to 7/21/24 7:59 PM]
      X.509, CN=VeriSign Universal Root Certification Authority, OU="(c) 2008 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

 

    - all jars have the permissions attribute set
                  Manifest-Version: 1.0
                  Ant-Version: Apache Ant 1.9.4
                  Permissions: all-permissions

 

Environment

Release : 10.4.x (NetOps 20.2.x)

Component : Spectrum Core / OneClick

Resolution


This problem only happens when the client uses the Oracle JRE with the security level set to Very High and
   user prompts disabled through the deployment security settings.


It is not yet known why the console is blocked, as the jar files are all signed with a valid certificate and
   have the permissions attribute set.

Workaround: add the OneClick URL to the site exception list to whitelist the application.
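
The check below is an added example, not part of the original article or of CA Spectrum. It parses a deployment.properties file, reports which settings are locked, and tests whether a OneClick URL is already in the exception site list, so the combination described above can be confirmed on a client. The sample file contents, the example.com hosts and port, and the scheme/host/port comparison are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the deployment.properties shown in this article.
SAMPLE_PROPS = r"""#System Deployment Properties
deployment.security.level=VERY_HIGH
deployment.security.level.locked
deployment.security.askgrantdialog.show=false
deployment.security.askgrantdialog.show.locked
deployment.user.security.exception.sites=c\:\\windows\\sun\\java\\deployment\\exception.sites
"""
# Constructed exception.sites content; hosts and port are placeholders.
SAMPLE_SITES = "https://intranet.example.com/\nhttp://oneclick.example.com:8080\n"

def parse_deployment_properties(text):
    """Return (values, locked): key -> value, plus the keys that have a '.locked' entry."""
    values, locked = {}, set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = (part.strip() for part in line.partition("="))
        if key.endswith(".locked"):
            locked.add(key[: -len(".locked")])
        elif sep:
            values[key] = re.sub(r"\\(.)", r"\1", value)  # simplified unescape of \: and \\
    return values, locked

def origin(url):
    # Assumption for this example: compare sites by scheme, host and port only.
    p = urlsplit(url.strip())
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

def site_listed(url, sites_text):
    return any(origin(s) == origin(url) for s in sites_text.splitlines() if s.strip())

def diagnose(props_text, sites_text, oneclick_url):
    values, locked = parse_deployment_properties(props_text)
    level = values.get("deployment.security.level")
    prompts_off = values.get("deployment.security.askgrantdialog.show") == "false"
    listed = site_listed(oneclick_url, sites_text)
    return {
        "level": level,
        "level_locked": "deployment.security.level" in locked,
        "prompts_disabled": prompts_off,
        "exception_sites_file": values.get("deployment.user.security.exception.sites"),
        "url_in_exception_list": listed,
        # The combination this article describes, with the workaround not applied.
        "matches_article_condition": level == "VERY_HIGH" and prompts_off and not listed,
    }
```

Calling `diagnose()` with the text of the real deployment.properties, the text of the exception.sites file it points to, and the OneClick URL returns a dictionary summarising the client's state.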

Additional Information


Checked the OneClick client jar file certificates (the certificate(s) used to sign the jars):

cd "$SPECROOT/Java/bin/"

# For each file in the OneClick lib directory, record its name and signer certificate chain
for jar in ../../tomcat/webapps/spectrum/lib/*
do
     echo "${jar##*/}" >>/tmp/oneclick_jars.txt
     echo " " >>/tmp/oneclick_jars.txt
     ./jarsigner -verify -verbose -certs "$jar" | grep -A 12 ">>> Signer" >>/tmp/oneclick_jars.txt
done


I then ran (to see just the signed certs):

grep -A 1 -i Islandia /tmp/oneclick_jars.txt
