DX Application Performance Management

  • 1.  Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Broadcom Employee
    Posted 02-27-2015 10:55 AM

    Hello APM Communities,

     

    shortly this will be reaching customers also as a Proactive Email Notification:

     

     

    Dear CA Customer:

    The purpose of this Critical Alert is to inform you of a potential problem that has been recently identified with CA APM/Introscope Workstation Web Start client. Please read the information provided below and follow the instructions in order to avoid being impacted by this problem.

    PRODUCT(S) AFFECTED: CA APM/Introscope Workstation

    RELEASE: 9.7 and under

    PROBLEM DESCRIPTION:

    On March 1, 2015, CA APM Java JRE certificate will expire. This will impact all the customers who use web start client. Customers who initiate the workstation through the downloaded JNLP will be blocked if their security is set beyond medium.


    SYMPTOMS:
    On March 2, 2015, customers using web start client for initiating the workstation, will encounter an Application Blocked Security alert, if their security setting is configured beyond medium. Further clicking on the ok button will quit the process without any action.

    IMPACT:
    If not resolved customer cannot access the enterprise manager with web start client.


    WORKAROUND:

    Below are options to work around this issue:

       Option 1: If the security level is set to high or above, the level should be brought down to medium. Once the security level is set to medium, the web start client can be initiated to start the workstation.

       In order to do this -> Go to Control Panel -> Java - > Security and adjust the security level.

       Option 2: Add the web start URL to the exception site list. Once this site is added reinitiating the web start client starts the workstation.

    In order to do this - > Go to Control Panel -> Java - > Security -> Click on Edit Site List and add the URL in the location box.


    PROBLEM RESOLUTION:

    Resolution in progress, a follow up notification will be sent when available.

    If you have any questions about this Critical Alert, please contact CA Support.

    Thank you,

    CA Support Team

    Copyright © 2015 CA. All rights reserved. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies.



  • 2.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 02-27-2015 01:37 PM

    Excellent to read that "problem resolution is in progress"*. Would have liked to have a time estimate too :-)

    * I can imagine large enterprises not allowing admin rights users and in some cases even with admin right you might not be able to change options (e.g. IE).



  • 3.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 02-28-2015 08:03 AM

    Hi CA, nice to know this.

    Fred.K. you are right, the workaround is useless in general nobody is authorized to do this.

     

    BTW.

    If a problem sulution became available, this solution should fix the problem without updating the whole EM.

    You should fix this problem for old versions too (we ship Introscope 9.5.2. since some month to the field).

     

    With regards,

    Lutz

     

    p.s.

    I'm happy to stay at home for some days next week.

    Last attempt to add a reply, the new website doesn't fit to my browser.



  • 4.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 03-03-2015 01:15 PM

    Hello,

     

       The bulletin mentions an option 2 for editing the site exception list. That method does not work for everyone because the button to edit that list is missing from the control panel of some JVMs.  I found that alternatively you can go to the "%LOCALAPPDATA%Low\Sun\Java\Deployment\security" directory and directly edit the "exception.sites" file (you will likely need to create this file).  You should add the URL of any APM MOM which is affected by this problem.  My exception.sites file looks something like the following:

    ----------------------------------------------------------------------------------------------------

    http://prodMOM01.mycompany.com:8081/

    http://prodMOM02.mycompany.com:8081/

    http://testMOM01.mycompany.com:8081/

    ----------------------------------------------------------------------------------------------------


    This method works for us, although my security folks aren't crazy about it.  Do we have any idea when patches will be available for APM 9.6?



    Thank you,


    Sean Stidman




  • 5.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 03-12-2015 11:17 AM

    Has a timeline been established yet for when a patch will be release?  Our security guys are also not crazy about the proposed work arounds so I would really like to have that certificate updated so that we can do this the right way.  I keep getting questioned about when CA will resolve this issue but I have no answer.

     

     

     

    Thank you,

     

    Sean Stidman



  • 6.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Broadcom Employee
    Posted 03-12-2015 11:20 AM

    They have worked on a patch for certain versions. Please open a ticket with CSO.



  • 7.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 03-13-2015 07:07 AM

    I created a CA Support Case (00048121 ) which the reply is to attempt to use the two workarounds, both of which I am unable to do due to our security policies.

     

    Is opening a ticket with CSO the same as a CA Support Case?

     

    Do you have any details on the possible patch installation impacts?

     

    Thanks,

    Billy



  • 8.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 03-26-2015 08:29 AM

    Received an update to my support case:

     

    PROBLEM RESOLUTION:

    CA Technologies has a new 3-year certificate which will require upgrading to APM 9.7.1 or 9.8.0.

    We have sent questions to our CA account manager and our Solution Account Manager on this topic asking when did 9.6 become unsupported?

     

    Received a voice mail that APM 9.7.1 is on the support site, couldn't find it.

     

    9.8 is the 2Q or 3Q release.

     

    Given how much time and resources have to be invested in a full upgrade, (typically three months to move it through the various environments before production deploy) , the only work around is to start installing the workstation directly on end user systems and restart the end user move over to webview (again).  Hopefully the advance users that need max/min and adjustable resolution will yell so I know which of the end users to install the workstation for so I don't have to do a blanket install to all company workstations.



  • 9.  Re: Critical notification for CA APM/Introscope Workstation Web Start client regarding JRE certificate expiry

    Posted 04-13-2015 01:53 PM

    On April 10th received 9.6 HotFix 10 which we have deployed to one of three environments and so far so good. <knock on wood>  Hopefully we will be installing the hot fix which is a replacement <em home>/product/workstation/plugin directory and clearing out the configuration and work directories on the enterprise managers.

     

    If all goes well in our tier two environment, non-production, we are planning to do our production patch in two weeks 4/26....on Sunday.

     

    Results may vary,

     

    Billy