
Java 8 update 351 appears to break Spectrum Webstart from Launching


Article ID: 252671


Products

CA Spectrum DX NetOps

Issue/Introduction

I just got Java 8 update 351-b10 delivered to my laptop.  When I try to launch the Java application I get the following error:

 

JNLPException[category: Security Error : Exception: null : LaunchDesc:
<jnlp spec="1.0+" codebase=https://OneClickServer:8443/spectrum href="$$href">
<information>
<title>DX NetOps Spectrum OneClick Console</title>
<vendor>CA Technologies, A Broadcom Company</vendor>
<homepage href="index.jsp"/>
<description>DX NetOps Spectrum OneClick Console</description>
<description kind="short">DX NetOps Spectrum OneClick Console</description>
<icon href="images/i_icon.jpg"/>
</information>
<security>
<all-permissions/>
</security>
<resources>
<jar href="lib/cryptojFIPS.jar;no_javaws_cheat"/>
</resources>
<component-desc/>
</jnlp> ]

at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
at com.sun.javaws.Launcher.prepareResources(Unknown Source)
at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
at com.sun.javaws.Launcher.launch(Unknown Source)
at com.sun.javaws.Main.launchApp(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

===================================================================================================

Environment

Release : Any

Component: Spectrum OneClick

Cause

Java 8 update 351 removes the exception for JARs that are signed with certificates that do not chain back to a Root CA included by default in the JDK cacerts keystore.

Reference the "Disable SHA-1 signed jars" section of https://www.java.com/en/configure_crypto.html for more information.

Reference the "Disabled SHA-1 Signed JARS" section of https://www.oracle.com/java/technologies/javase/8u351-relnotes.html for more information.

Resolution


1. Use the OpenJDK version which is shipped with OneClick. Reference the "What are best steps to migrate from Oracle Java to OpenJDK for Spectrum OneClick?" knowledge article.

2. Use the WebApp.

3. Remove the block on SHA1 in the java.security file (highlighted in red) on the client system and re-download the JNLP file.

4. Downgrade the JRE. The restriction was introduced in 8u351, so any earlier JRE will work.

This is discussed in the URLs noted in the "Cause" section of this knowledge article.
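A client-side audit for option 3, as an added example that is not part of the original article or the vendor's code: it parses the text of a java.security file and reports whether the SHA-1 restriction on signed JARs is still in place. It assumes the restriction is expressed through the jdk.jar.disabledAlgorithms and jdk.certpath.disabledAlgorithms properties, as described in the Oracle release notes linked under "Cause"; the sample file contents are constructed.

```python
import re

# Constructed sample text (not copied from a real client). The property names
# and SHA1 entries are assumptions based on the Oracle 8u351 release notes.
DEFAULT_8U351 = r"""
# signed-JAR restrictions
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, \
    SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, SHA1 denyAfter 2019-01-01
"""
# Same file after Resolution option 3 (SHA-1 entries for signed JARs removed).
RELAXED = r"""
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
"""

def load_properties(text):
    """Parse key=value lines, joining backslash continuations, skipping comments."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def sha1_jar_entries(text):
    """Return the SHA-1 constraints that apply to signed JARs, per property."""
    props = load_properties(text)
    def sha1(name):
        entries = (e.strip() for e in props.get(name, "").split(","))
        return [e for e in entries if re.match(r"SHA-?1\b", e, re.I)]
    return {
        "jdk.jar.disabledAlgorithms": sha1("jdk.jar.disabledAlgorithms"),
        "jdk.certpath.disabledAlgorithms":
            [e for e in sha1("jdk.certpath.disabledAlgorithms") if "SignedJAR" in e],
    }

def sha1_block_intact(text):
    """True only when both properties still restrict SHA-1 for signed JARs."""
    return all(sha1_jar_entries(text).values())
```

Passing the contents of each client's java.security file to `sha1_block_intact()` identifies machines where option 3 was applied, for example so the default can be restored once a patched OneClick is installed.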

Additional Information

November 15, 2022: Engineering is working on a fix to switch from the crypto jar file to Bouncy Castle. The fix should be ready within 2 to 3 weeks and will be made available for all of 21.2.x, so there is no need to force an upgrade to a future release.

Spectrum 21.2.6 Only
   21.02.06.D125 (specific to 21.2.6 only), with the Bouncy Castle jars fix, is available now and can be given to customers.

Two cross-version (common) patches:
   22.02.04.D128 => patch is applicable for 22.02.01, 22.02.02, 22.02.03 and 22.02.04 versions.
   21.02.12.D127 => patch is applicable for 21.02.08, 21.02.10 and 21.02.12 versions.

 
