Java 8 update 351 appears to break Spectrum Webstart from Launching

Article ID: 252671


Products

CA Spectrum DX NetOps

Issue/Introduction


I just got Java 8 update 351-b10 delivered to my laptop.  When I try to launch the Java application I get the following error:

 

JNLPException[category: Security Error : Exception: null : LaunchDesc:
<jnlp spec="1.0+" codebase=https://OneClickServer:8443/spectrum href="$$href">
<information>
<title>DX NetOps Spectrum OneClick Console</title>
<vendor>CA Technologies, A Broadcom Company</vendor>
<homepage href="index.jsp"/>
<description>DX NetOps Spectrum OneClick Console</description>
<description kind="short">DX NetOps Spectrum OneClick Console</description>
<icon href="images/i_icon.jpg"/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<jar href="lib/cryptojFIPS.jar;no_javaws_cheat"/>
</resources>
<component-desc/>
</jnlp> ]

at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)


Environment

Release : 21.2.x, 22.2.x

Component: SPCOCK - Spectrum OneClick

 

Cause


Java 8 update 351 removed the exception for JARs that are signed with certificates that do not chain back to a Root CA included by default in the JDK cacerts keystore. As a result, Java Web Start rejects lib/cryptojFIPS.jar during its signed-resource check, as the stack trace above shows.

See the "Disable SHA-1 signed jars" section of https://www.java.com/en/configure_crypto.html for more information.

See the "Disabled SHA-1 Signed JARS" section of https://www.oracle.com/java/technologies/javase/8u351-relnotes.html for more information.

Resolution

 
There are fixes available for 21.2.4 - 22.2.2.4 to switch from using cryptojFIPS to FIPS-compliant Bouncy Castle.

Spectrum 21.2.4 Only
   Spectrum_21.02.04.D153 (only 21.2.4 specific) with Bouncy Castle jars fix

Spectrum 21.2.6 Only
   21.02.06.D125 (only 21.2.6 specific) with Bouncy Castle jars fix

Spectrum 21.2.8 - 21.2.12
   21.02.12.D127 => patch is applicable for 21.02.08, 21.02.10 and 21.02.12 versions. (It is not exclusive to 21.2.12)

Spectrum 22.2.1 - 22.2.4 (This library will be included in the 22.2.5 release)
   22.02.04.D128 => patch is applicable for 22.02.01, 22.02.02, 22.02.03 and 22.02.04 versions. (It is not exclusive to 22.2.4)



Note: The OneClick fixes include the global.jar, which will cause the OneClick version in the console to display the fix version.
   Example: If applying 22.02.04.D128 to 22.2.3, the OneClick console will display 22.2.4.
   Example: If applying 21.02.12.D127 to 21.2.10, the OneClick console will display 21.2.12 in the about screen.

   This is only a cosmetic issue and does not adversely affect OneClick in any way.

Note: If you apply a fix and then upgrade you will need to reapply the appropriate fix once again.



Uninstall Note: Should the Bouncy Castle fix need to be backed out, the cryptojFIPS.jar will need to be copied
   FROM <SPECROOT>/tomcat/lib/
   TO <SPECROOT>/tomcat/webapps/spectrum/lib/

Additional Information


Workarounds if obtaining or applying one of the fixes referenced above is not an immediate option

1. Use the OpenJDK version which is shipped with OneClick. Reference the "What are best steps to migrate from Oracle Java to OpenJDK for Spectrum OneClick?" knowledge article.

2. Use the WebApp

3. Remove the block on SHA1 in the java.security file (C:\Program Files\Java\jre1.8.0_351\lib\security\java.security) (highlighted in yellow) on the client system and re-download the JNLP file.
From:

To:

Clear the Java Cache:
https://www.java.com/en/download/help/plugin_cache.html 

4. Downgrade the JRE. The restriction was introduced in 8u351, so any earlier JRE will work.
This is discussed in the URLs noted in the "Cause" section of this knowledge article.
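
A client where workaround 3 was applied keeps accepting SHA-1 signed JARs until the edit is reverted, so it is worth finding those clients once a Bouncy Castle fix is in place. The following is an added example, not part of the original article or Broadcom's code: it parses java.security text and reports whether a SHA-1 restriction covering signed JARs is still present. The property names `jdk.jar.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` and both sample files are assumptions, constructed for illustration.

```python
import re

# Standard JDK security property names (assumed; not shown on this page).
WATCHED = ("jdk.jar.disabledAlgorithms", "jdk.certpath.disabledAlgorithms")
# Constructed sample text, not copied from a real client.
RESTRICTED = """\
# constructed sample: SHA-1 block for signed JARs present
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, SHA1 denyAfter 2019-01-01
"""
WEAKENED = """\
# constructed sample: SHA-1 block for signed JARs removed
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
"""

def parse_security_properties(text):
    """Parse java.security text: skip comments, join backslash continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1]          # value continues on the next line
            continue
        key, _, value = (pending + line).partition("=")
        pending = ""
        props[key.strip()] = value.strip()  # a later definition wins
    return props

def sha1_jar_constraints(value):
    """Return the SHA1 entries of one disabledAlgorithms value that cover signed JARs."""
    hits = []
    for entry in (e.strip() for e in value.split(",")):
        usage = re.search(r"usage\s+([\w\s]+?)(?:&|$)", entry)
        # An entry limited to another usage (e.g. TLSServer) does not cover JARs.
        other_use_only = usage and "SignedJAR" not in usage.group(1).split()
        if re.match(r"SHA-?1\b", entry, re.I) and not other_use_only:
            hits.append(entry)
    return hits

def audit(text):
    """Map each watched property to its SHA-1 JAR constraints ([] means none)."""
    props = parse_security_properties(text)
    return {name: sha1_jar_constraints(props.get(name, "")) for name in WATCHED}

if __name__ == "__main__":
    for label, sample in (("restricted", RESTRICTED), ("weakened", WEAKENED)):
        print(label, audit(sample))
```

An empty list for either property means that file no longer restricts SHA-1 for signed JARs through that property.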