DX NetOps

 View Only
Expand all | Collapse all

Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

  • 1.  Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Sep 14, 2016 11:08 AM

    Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Document ID:  TEC1903096

    ShowHide Technical Document Details

    • Products
      • CA Spectrum
    • Releases
      • CA Spectrum:Release:10.x
      • CA Spectrum:Release:9.4.x
    • Components
      • CORE / SPECTROSERVER
      • ONECLICK

    Question:

    The CA Spectrum OneClick java certificate is going to expire on October 16th 2016.  What version(s) of CA Spectrum will have an updated java certificate?

    Answer:

    The CA Spectrum OneClick java certificate has been updated in CA Spectrum 10.1.1 (and above) and CA Spectrum 9.4.4.  The updated certificate will expire in 2019. If you do not upgrade your version of CA Spectrum to 10.1.1 (or above - ie 10.2) or 9.4.4 then you may not be able to launch the CA Spectrum OneClick client.  You will need to either upgrade CA Spectrum or change your java security settings and set the OneClick url to be in the exception list.



  • 2.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Sep 15, 2016 11:10 AM
      |   view attached

     

    That’s annoying :

    Version V10.1.1 does not work for our instance (see https://communities.ca.com/thread/241758702 ) and I don’t want to have to reinstall our test instance (which is now on v10.1.1) in order to test 9.4.4 …

     

    Veronique



  • 3.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Sep 28, 2016 02:45 AM

    Does the patch have to be applied on all spectrum servers (SS and OneClick) or can we apply it only on the OneClick server(s) ?

    Thanks,

    Veronique



  • 4.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Sep 28, 2016 03:20 AM

    It only needs to be applied on OneClick server(s). 

    regards, 

    Sheenam



  • 5.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 03, 2016 04:25 AM

    Hi,

    Sorry to ask again, but ...

    We are running version 9.4.2.1.62.

    On https://docops.ca.com/ca-spectrum/9-4-1-to-9-4-4/en/release-information/features-and-enhancements#FeaturesandEnhancements-FeaturesandEnhancementsin9.4.2.1  it says:

    Features and Enhancements in 9.4.2.1

    This release of CA Spectrum includes the following update:

    CA Spectrum OneClick JRE certificate is renewed.

     

       And on https://docops.ca.com/ca-spectrum/9-4-1-to-9-4-4/en/release-information/features-and-enhancements#FeaturesandEnhancements-FeaturesandEnhancementsin9.4.4 it says the same:

    Features and Enhancements in 9.4.4

    This release of CA Spectrum has the following upgraded third-party components:

    • MySQL 5.5.44
    • JDK - 1.8.0_92
    • Common collections - 3.2.2

    Other updates:

    CA Spectrum OneClick JRE certificate is renewed.

     

     

    Should we still upgrade to 9.4.4, or the certificate shipped with 9.4.2.1 is ok ? How can I check it ?

    Many thanks,

    Veronique



  • 6.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 03, 2016 05:45 AM

    Hi Veronique, 

    No problem at all - we are here to clarify your concerns

    Yes the same statement in both the release was mentioned - sorry for the confusion. In 9.4.2.1, CA renewed the JRE certificate that was set to expire at that point in time. Now the certificate in 9.4.2.1 is set to expire by 16th Oct and is renewed in the 9.4.4 release.

    Hope this answers your question. 

    Regards, 

    Sheenam



  • 7.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Sep 30, 2016 10:42 AM

    We recently upgraded to 9.4.3 in last week of August and It will take at least more 2 to 3 months to get it upgraded to 9.4.4 or higher.

    As an alternate way that is suggested to add the URL in exception list, I have followed the below steps to verify.

    1. Changed date to October 17, 2016 08:15:00 AM

    2. Launched OneClick --> as expected got certificate expiry window saying unable to launch application

    3. I have updated Java security exception list with OneClick url

    4. Tried to launch Oneclick and still getting the same error and unable to launch the console/app.

     

    Tried using different URLs: http://spectrum/abcd.com, http://spectrum/abcd.com/spectrum and http://spectrum/abcd.com/spectrum/oneclick.jnlp

     

    None of them allowed me to launch OneClick.

     

     

    Did I follow the correct steps? If not, please let me know what are the steps to make use of alternate method instead of upgrading.

     

     

    Regards,

    Rajashekar



  • 8.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 03, 2016 06:05 AM

    When filling out the exception list, you should only have to specify the hostname/ip address of the url and the port if you are not using the default port.

     

     

    You may also have to set “Perform signed code certificate revocation checks on” to “Do not check (not recommended)” under Java Control Panel -> Advanced tab as seen below:

     



  • 9.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 04, 2016 06:18 AM

    Hi Rajashekar

    Did you get to try what Joe described for setting the exceptions list? And has it worked?

     

    I don't have easy access to a machine where I can change the time to test and am interested to know if it works.

     

    Anyone else out there tried this and seen it work?

     

    Regards, John



  • 10.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 04, 2016 07:36 AM

    Hi Joe and John,

     

    It is working as expected after  setting “Perform signed code certificate revocation checks on” to “Do not check (not recommended)” under Java Control Panel -> Advanced tab. 

     

    I did test this in 2 ways.

    1. By listing OneClick URL under exception site list and also setting “Perform signed code certificate revocation checks on” to “Do not check (not recommended)” under Java Control Panel -> Advanced tab.

    2. Just setting “Perform signed code certificate revocation checks on” to “Do not check (not recommended)” under Java Control Panel -> Advanced tab.

     

    The second one also allowing the OneClick to launch irrespective of the exception list. That means, I believe setting “Perform signed code certificate revocation checks on” to “Do not check (not recommended)” under Java Control Panel -> Advanced tab is alone enough to get it launch.

     

    Joe, Can you please verify at your end and confirm?

     

     

    Regards,

    Rajashekar



  • 11.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 03, 2016 06:46 AM

    I am sorry but after I have read this post I have a lot of doubts about the Upgrade.

     

    I have the 9.3.0.3.15 distributed and Fault Tolerance version of Spectrum.

     

    I have readed that H4 patch is only necessary to intalling in OneCLick. I always thought that OneClick and SpectroServer couldn´t to work in different versions.

     

    Another question, is the link to make a complete backup don´t working fine: "https://comm.support.ca.com/?legacyid=TEC512407"



  • 12.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 06, 2016 03:51 AM

    Thanks, the link to the backup didn't work the last day. One more question, the 9.3_H4 patch will change the Java version that need the customers? We are working with 1.7 version of Java



  • 13.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 07, 2016 11:39 AM

    Hi All, 

    We are in the process of releasing a few more patch versions for the java certificate. I have updated the original tech doc Knowledge Base Articles TEC1903096 with the updated versions and information on what patches you need to install if you are not able to use the java workaround.  The push to the server generally takes about an hour or two, so please give it a little bit to be updated.  Here is a short snippet of the info:

     

    The CA Spectrum OneClick java certificate has been updated in the following versions:

    9.2.3 Hotfix 14

    9.3 Hotfix 04

    9.4 Hotfix 04

    9.4.2.2 - only compatible with 9.4.2.1

    9.4.3.1 - only compatible with 9.4.3.0

    10.0.01 - only compatible with 10.0.0

    10.01.00.01 - only compatible with 10.1

    10.01.01

    10.01.02

     

    Please review the spreadsheet in the tech doc once the update is published to review patch install options.

    Thank you

    Jay



  • 14.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 10, 2016 05:04 AM

    Hi Jason

    I've just had a look and the directory on the ftp site for 10.01.00.01 is empty. Can you take a look please and let me know if I've missed something or when the files will be there?

     

    Regards, John

     



  • 15.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 10, 2016 06:36 AM

    Hi John, 

    The patch provided had some issue and we had to take it off. We will keep you posted once we put it back on FTP. 

     

    Regards, 

    Sheenam



  • 16.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 10, 2016 09:18 AM

    Hi Sheenam

    Do you have some idea how soon this will be available?

     

    Regards, John



  • 17.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 04:40 AM


  • 18.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 04:47 AM

    They are there but the Windows version doesn't work. See my later comment.

     

    I would be interested to know if anyone else has tried the Windows version and how they have gotten on?



  • 19.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 11, 2016 05:46 PM

    Hi gupsh13

    There are now files in the directory for 10.1.0.1, however I am having an issue running the Windows file. It opens a command window briefly and then exits. I've also noticed the checksum on the file (I've downloaded twice) is not correct. 

    Is there some issue with this patch?

     

    John

     

    PS I've raised case number 00530793 for this



  • 20.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 10, 2016 09:23 AM

    Hi

    I have a question on the install of patch 9.4.2.2.

     

    The KB article says this is "Not required but recommended" for the SS and I intend to just install on the OC for now.

    In the Readme install instructions it says to "Shut down the OneClick server, the SpectroSERVER, the Control Panel, and any open bash shells." before install. 

    In the case where I am just going to install on the OC server do I need to shut down the SpectroServer, or is it just the Spectrum processes on the OC server that I need shut down?

     

    I have the same question for patch 10.1.0.1 when it becomes available.

     

    Regards, John



  • 21.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 12, 2016 09:50 AM

    Hi John,

      Apologies for the problem with the Spectrum_10.01.00.01.4.Windows.exe patch.  Looks like there was a problem with the initial transfer.  I have posted an updated Spectrum_10.01.00.01.4.Windows.exe file.  The checksum for it is  0b4a9eca90cad1deabffd469f662ce08.

     

    In regards to your questions, if you are just installing it on the OC side, then just stop the process on the OC box.  No need to stop any processes on the SS boxes.

    Cheers

    Jay



  • 22.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 10:44 AM

    Hi Jason

    I have downloaded, verified the checksum and tried to run this version by double clicking in Windows Explorer. I get the attached error message. Any idea how I should proceed?
    Regards, John


  • 23.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 12, 2016 10:48 AM

    Yeah, unfortunately the Install Anywhere package we ship isn’t updated until 10.2, so you need to right click the executable and go to the Compatibility window and run it in compatibility mode…

    Cheers

    Jay



  • 24.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 04:08 AM

    Hi, I have upgrade our OneClick server to:

    cat /usr/SPECTRUM/Install-Tools/.install_history
    9.3.0.0.304 01/17/2014 11:29,tomct_cus|,SUCCESS
    9.3.0.1.82 06/10/2014 07:34,tomct_cus|,SUCCESS
    9.3.0.2.91 11/17/2014 10:56,tomct_cus|,SUCCESS
    9.4.0.0.223 05/04/2015 12:05,tomct_cus|,SUCCESS
    9.4.2.1.62 05/04/2015 12:19,tomct_cus|,SUCCESS
    9.4.2.2.3 10/11/2016 12:38,tomct_cus|,SUCCESS

     

    But the console "about" window says:

    "com.aprisma.spectrum.app.console.web.struts.AppTitle Version 9.4.4.0.3"

    Is it normal and safe ?

    thanks,

    Veronique



  • 25.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 05:26 AM

    Hi Veronique

    For info I have also installed 9.4.2.2 but am getting the correct version in both the OneClick web page and OneClick Console About screens.

     

    > cat .install_history
    ,tomct_cus|,SUCCESS015 15:34
    9.4.2.1.62 05/15/2015 16:38,tomct_cus|,SUCCESS
    9.4.2.2.3 10/11/2016 20:32,tomct_cus|,SUCCESS

     

     

    Regards, John



  • 26.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 05:33 AM

    Thanks for your reply. Did you use the linux file ?



  • 27.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 05:38 AM

    Afraid not, this is a Windows environment.



  • 28.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 12, 2016 05:42 AM
      |   view attached

    So it explains the difference.

    Can a CA expert please check why our Linux instance says “9.4.4.0.3” ? and confirm that this is harmless ?

    Thanks,

    Veronique



  • 29.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 12, 2016 09:57 AM

    Hi Veronique, 

    As long as the files note the correct version, you should be all set. Just to confirm:

    <SPECROOT>/Install-Tools/.history

    <SPECROOT>/Install-Tools/IDX/OC/tomct.i - at the bottom of this file is a "rev"

    <SPECROOT>/.installrc

     

    Cheers

    Jay



  • 30.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 13, 2016 10:32 AM

    Then there is a problem :

    cat /usr/SPECTRUM/Install-Tools/.history

    9.3.0.0.304 11/25/2013 09:20

    9.3.0.0.304 11/25/2013 09:54

    9.3.0.1.82 06/10/2014 11:22

    9.3.0.2.91 11/17/2014 08:29

    9.4.0.0.223 05/04/2015 08:20

    9.4.2.1.62 05/04/2015 08:31

    9.4.2.2.3 10/12/2016 10:54

     

    cat /usr/SPECTRUM/Install-Tools/IDX/OC/tomct.i

     

    file: OC file newtomcat/classes/org/apache/catalina/startup Authenticators.properties 0100750 1 1 917 0xeec7bd98 0

    rev: 9.4.4.000

    irev: 09.04.04.000

    size: OC 8673 31

     

    cat /usr/SPECTRUM/.installrc

    KEY: something_here

    PLATFORM: linux

    VERSION: 9.4.2.2.3

    OWNER: spectrum

    SSLHANDLE: 0

    LOCSERV: ourserver

    TOMCATPORT: 8080

    EXCLUDEPARTS: SA-CSI1000;SA-RPT-MGR;ST-CORBA;ST-CSI1000;ST-CSI1003

    LANGUAGE: en_US

     

    Is it bad ?

    Only one day left to take action ☹: our two OneClick servers have been upgraded to that version.

    Thanks,

    Veronique



  • 31.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 13, 2016 10:44 AM
      |   view attached

    Hi Veronique,

    I honestly don’t think it’s going to cause a problem (unless you try to install 9.4.4 at some point, but we could just remove the IDX/OC before installing).  The versioning of the files won’t matter for this.  It’s the java cert expiration that will matter.  So as long as your Java Control Panel now shows the cert expires on March 18th, 2019, you should be good to go.

     

    If you run a search in the IDX/OC folder for 9.4.4, do others come back that way?  Let me know, I’ll run it by engineering to see if there was a mixup with a build file in the backend…

     

    Thanks!

    Jay



  • 32.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 13, 2016 11:06 AM
      |   view attached

    The JCP shows 2 certificates :

     

    1) CA, Inc. (VeriSign Class 3 Code Signing 2010 CA) : From: Thu Oct 16 02:00:00 CEST 2014, To: Mon Oct 17 01:59:59 CEST 2016

     

    2) CA, Inc. (Symantec Class 3 SHA256 Code Signing CA): From: Tue Mar 08 01:00:00 CET 2016,To: Sat Mar 09 00:59:59 CET 201

     

    I suppose that the second will be used when the first one expires ?

    Thanks,

    Veronique



  • 33.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 13, 2016 11:10 AM
      |   view attached

    If you click on the certificate and click the Details, then select the “Validity” Field, the date will show in the bottom.  You may need to remove the old certificate…



  • 34.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Broadcom Employee
    Posted Oct 13, 2016 10:18 AM

    Hi All,

    In further testing we have found that after the patch has been installed, you may need to "refresh" java settings to get the OC client to work as it may still cache the old cert.  Please review the following tech doc for further info:

    http://www.ca.com/us/services-support/ca-support/ca-support-online/knowledge-base-articles.TEC1398702.html 

    Cheers

    Jay



  • 35.  Re: Spec KB: The java certificate for CA Spectrum is set to expire on October 16, 2016

    Posted Oct 14, 2016 05:38 AM

    With v9.4.2.2 on Linux, has anything changed regarding tomcat itself ?

    We have an tool that stopped working, which is based on REST api using SSL.

    We get this error:

    Caused by: javax.net.ssl.SSLException: Received fatal alert: handshake_failure

    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)

    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)

    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)

    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)

    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)

    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)

    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)

    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:664)

    at weblogic.security.SSL.jsseadapter.JaSSLEngine$5.run(JaSSLEngine.java:134)

    at weblogic.security.SSL.jsseadapter.JaSSLEngine.doAction(JaSSLEngine.java:734)

    at weblogic.security.SSL.jsseadapter.JaSSLEngine.unwrap(JaSSLEngine.java:132)

    at weblogic.socket.JSSEFilterImpl.unwrap(JSSEFilterImpl.java:603)

    at weblogic.socket.JSSEFilterImpl.unwrapAndHandleResults(JSSEFilterImpl.java:507)

    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:96)

    at weblogic.socket.JSSEFilterImpl.doHandshake(JSSEFilterImpl.java:75)

    at weblogic.socket.JSSESocket.startHandshake(JSSESocket.java:219)

    at weblogic.net.http.HttpsClient.New(HttpsClient.java:571)

    at weblogic.net.http.HttpsClient.New(HttpsClient.java:542)

    at weblogic.net.http.HttpsURLConnection.connect(HttpsURLConnection.java:248)

    at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:636)

    at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)

    at weblogic.net.http.HttpURLConnection.getResponseCode(HttpURLConnection.java:1444)

    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler._invoke(URLConnectionClientHandler.java:249)

    at com.sun.jersey.client.urlconnection.URLConnectionClientHandler.handle(URLConnectionClientHandler.java:149)

    ... 84 more

     

    thanks,

    Veronique