DX NetOps Manager

Spectrum: OneClick Java Certificate Expiry 

02-15-2019 04:19 AM

Dear Spectrum Community Users,

 

This is to inform you that the OneClick Java Certificate will be expiring by March 8th 2019. The CA Spectrum product team is going to deliver patches for all the supported versions prior to that date. Customers are advised to install the patches on their current install base when they are made available.

 

Here is the schedule for the Java certificate patches for the following GA versions:

 

Product

Versions

Date of Delivery

CA Spectrum

10.2.1, 10.2.3 & 10.3

15th Feb, 2019

10.2 & 10.2.2

25th Feb, 2019

 

CA Spectrum product team is committed to providing quality support and services.  Your success is very important to us, and we look forward to continuing our successful partnership with you.

 

Thank you,

CA Spectrum Product Team

Statistics
0 Favorited
12 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

03-07-2019 04:17 PM

Update: This appears to be an issue when using Chrome browser.

 

I was able to reach the file service with the Firefox browser.

 

-Fred

03-07-2019 04:15 PM

We cannot reach this link, either.  

 

Getting the same error message: 

The webpage at ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/ might be temporarily down or it may have moved permanently to a new web address.

ERR_INVALID_RESPONSE
-Fred

03-06-2019 05:46 AM

This will be an issue at the end of this week. 

03-04-2019 11:32 AM

No, not being able to access that link. In the meanwhile, I've request the patch needed to my local support in Portugal, as they are able to access the FTP.

Let's wait and see.

 

KR,

Edgar

03-04-2019 11:11 AM

Thank you Jason for the fast response, but for some how, I'm not being able to access that link, on EDGE says "Can't reach this page" and on FF it's empty.

Trying one more thing… get back to you soon.

03-04-2019 10:56 AM

Hi Edgar,

 

The hotfix patches are available here:

ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/

 

Cheers

Jay

03-04-2019 10:44 AM

Hello Jason,

Can you post the location of the necessary patch to install the Java fix?

 

Thank you,

Edgar

02-28-2019 09:47 AM

Hi Veronique,

  Unfortunately it does require the BMP patch.  We need to keep consistency across versions/releases/patch levels so this was the only way to do it.  My apologies for the inconvenience this causes.

Cheers

Jay

02-28-2019 07:35 AM

Hi Raphael,

Correct, you cannot just move the machine time ahead.  Unfortunately that is not a valid test.  There are more parts "behind the scenes" to time stamping jar files and certificate validation.  That's why I installed 10.1.0 base to show everyone that the OC client does launch after the expired data passes (the certificate expired in 2016 but I can still launch OC because the certificate is still valid, not revoked). 

Cheers

Jay  

02-28-2019 04:07 AM

Hello Sarbdeep_Singh, meaja05,

 

a colleague did a little test all in one locally installed Linux Spectrum server without any luck.

 

1)

[spectrum@spectrum10pri ~]$ cat /opt/spectrum/Install-Tools/.history

10.1.0.0.237 06/10/2016 11:33

10.1.1.0.64 06/10/2016 12:07

10.2.0.0.244 12/27/2016 09:51

Spectrum_10.02.00.PTF_10.2.020 installed on 04/12/2017 10:13:57.

Spectrum_10.02.00.PTF_10.2.020 was uninstalled on 05/02/2017 15:33:11.

Spectrum_10.02.00.PTF_10.2.036a installed on 05/02/2017 15:48:38.

Spectrum_10.02.00.PTF_10.2.036a was uninstalled on 07/17/2017 10:12:36.

10.2.1.0.98 07/17/2017 10:32

Spectrum_10.02.01.BMP_10.2.101 installed on 10/20/2017 09:22:43.

10.2.2.0.71 11/06/2017 14:22

10.2.3.0.107 01/03/2019 13:25

Spectrum_10.02.03.BMP_10.2.301 installed on 01/03/2019 13:39:06.

Spectrum_10.02.03.BMP_10.2.302 installed on 03/13/2019 08:23:43.

 

2)

disabled NTP and moved time ahead to March 12th 2019.

 

3)

tried to launch OneClick UI using the Spectrum builtin Java runtime environment with default Java security settings

 

[spectrum@spectrum10pri bin]$ /opt/spectrum/Java/bin/java -version

java version "1.8.0_112"

Java(TM) SE Runtime Environment (build 1.8.0_112-b15)

Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

 

[spectrum@spectrum10pri bin]$ /opt/spectrum/Java/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp

=> Java security error message

 

4)

tried to launch OneClick UI using a little more recent Java runtime environment with default Java security settings

~/jre1.8.0_151/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp

 => Java security error message

 

5)

modified Java security settings level from "Very High" to "High" and added URL to exception site list

 

6)

tried to launch OneClick UI using the Spectrum builtin Java runtime environment with modifiedJava security settings

[spectrum@spectrum10pri bin]$ /opt/spectrum/Java/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp

=> Java security error message

 

7)

 

tried to launch OneClick UI using a little more recent Java runtime environment with default Java security settings

~/jre1.8.0_151/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp

 => Java security error message

 

So even in a Java-wise untouched environment, unfortunately we can't find a way to launch the OneClick UI after March 8th without installing the new PTF. This is still contrasting your statements.

Furthermore, several people have asked, why the BMP302 is made a pre-requisite for PTF whithout getting an answer yet.

 

 

regards,
Raphael

02-28-2019 02:01 AM

Dear all,

 

Request you to please follow the following announcement as we covered all the question/concerns related to Java certificate expiry.

Java Certificate Expiration Announcement 

 

Thanks,
Sarb

02-27-2019 10:28 AM

The PTF require the pre-installation of some BMP patch (as you said earlier):

 

This patch requires one of the following required versions:
Spectrum_10.02.03.BMP_10.2.302
be installed. This version was not found in
your /usr/SPECTRUM/Install-Tools/.history file.

 

Is CA really not going to provide a patch that we can install straightaway ?

02-27-2019 09:19 AM

Sure...

 

 

And here's the cert info:

 

Cheers

Jay

02-27-2019 08:59 AM

Thanks Jay,

 

Although you didn't have change your java config, can you share what java settings you have.

 

Regards

 

Martin

02-25-2019 03:48 PM

The 10.2.0 and 10.2.2 patches are now available on the ftp site as noted above.

 

Again, please take note, if you are running 10.1.0 and above, the jar files are timestamped at the time of creation so that the certificate is still valid and you will be able to launch your OneClick client.  It has not been revoked, just expired so if you do not install the patch you can still launch the OC client.

 

Here's an example from a 10.1.0 system.  I installed 10.0 and then installed 10.1 fresh which has a java certificate expiration of Sun Oct 16 2016. Since the jar files were timestamped starting in 10.1 the certificate is still valid, just expired. If would be a problem if it was revoked but it is not revoked.  I did not have to make any changes to Java certificate checking/config:

 

  1. Launch OC using java 1.8.0_31 – OC launched no problem – no errors, no warnings
  2. Launch OC using java 1.8.0_51 – OC launched no problem – no errors, no warnings
  3. Launch OC using java 1.8.0_121 – OC launched no problem – no errors, no warnings
  4. Launch OC using java 1.8.0_172 – OC launched no problem – no errors, no warnings

 

I did also test on a 10.1.2 install with java 1.8.0_161 and again, without making changes to Java config, OC launched with no problem, no errors and no warnings.

 

Cheers

Jay

 

PS -- Please note that just moving your machine time ahead is not a valid test on whether or not OC clients will work.  There are other pieces to jar time stamping that come into play.

02-22-2019 08:19 AM

Hi Jason

 

Yes, it is working now. Thanks! 

02-22-2019 07:54 AM

Hi Jeroen,

  Can you try downloading the patch again? I reposted it.  Let me know if that fixes it.

Cheers

Jay

02-22-2019 02:38 AM

Hi All 

 

We are trying to install the Spectrum_10.03.00.PTF_10.3.016/     on windows 2012. However we get an error when launching the .exe file.    See screenshot. It looks like there is something wrong with the .exe .

I have even tried to launch it on my own local computer and it gives the same error. 

 

 

 

 

02-21-2019 08:26 AM

Hi All,

 We have confirmed the issue is with the new jars in the certification packs.  We are rebuilding the certification packs and will post once they are available.  You can install the jre update patch if you have not installed the cert pack and will not have problems.  If you have already installed both you can just install the updated cert patch once posted.

Cheers!

Jay

02-20-2019 10:29 AM

Hello Sarbdeep,

 

Your comment - "This patch is only required in cases where customers may have policies which will block applications running jars with expired certificates, otherwise no need to apply this patch.", should be in the first email. You guys asked all the client to install before March 8th now you are telling it's only needed if jars are blocked by policy.

 

regards

 

Prakash

02-20-2019 10:16 AM

Hi Jason, that worked to get the OC client to start.

 

Here's the list of files I moved from ${SPECROOT}/tomcat/webapps/spectrum/lib/contrib/

 

clientadva.jar
 clientaudc.jar
clientavoc.jar
clientcrpo.jar
clientinfoblox.jar
clientmerak.jar
clientmisen.jar
clientoacc.jar
clientruck.jar
clientsanv.jar
clientsecu.jar
clientsvpk.jar
clientversa.jar

 

Thank you.

 

-=glenn=-

02-20-2019 09:40 AM

Those jar files are from the certifacation packs which added new views for OneClick.  Removing those jars will allow OC to start.  We're looking into this...

02-20-2019 09:35 AM

yes - i ran into the same error after installation.

 

I'll see if removing the older jar files fixes or changes the issue for me. 10.2.3 running on Linux.

 

-=glenn=-

02-20-2019 05:44 AM

Installed the patch on two Oneclick  Servers with windows 2012 and  noticed not all jar files in \win32app\Spectrum\tomcat\webapps\spectrum\lib\contrib\ are replaced with new ones.  The clients cannot start Oneclick and generate this error:

 

 

After removing these files from the folder, the clients can start the application. But we're missing some views in oneclick then. So looks like the patch is incomplete. Anyone else having this error?

 

Regards,

 

David

 

02-20-2019 01:13 AM

Deal all,

 

I see lot of comments related to  impact  and time stamps. Hope the following response will clarify your doubts:

 

With the time-stamping in place the OneClick clients will still run without issues even after the certificate expiry period. This patch is only required in cases where customers may have policies which will block applications running jars with expired certificates, otherwise no need to apply  this patch.

 

Please reach out to me(sarbdeep.singh@broadcom.com) if you need any other information.

 

Thanks,
Sarbdeep Singh

02-19-2019 08:52 PM

Hi team,

 

 There is any impact if the patch is not updated .?

02-19-2019 10:50 AM

Hello Sarbdeep_Singh, all,

 

the release notes of Spectrum_10.02.03.PTF_10.2.371 state, that the jar files "will no longer run" after the certificate expiry. Above postings are contrasting this by saying the OneClick client will continue to run even when not being patched. The lead time is short anyway, could we get some definitive statement to clarify wether we need to bother with this PTF or not please?

Additionally, since the lead time is that short, I don't like the idea of being forced to have a BMP302 installed as a pre-requiste, which is quite a big patch. For many customers it will be hard or even impossible to do proper testing during the remaining time.The PTF371 file list contains just jar files, that are loaded by the client. I assume, technically it would work to just replace the files and restart the clients without stopping any services on the server side.

Am I misguided here or are you able to confirm my assumption?

 

regards,

Raphael

02-19-2019 05:27 AM

unfortunately due to the age of the servers we are running the platform on it is not likely we will be able to upgrade before we go EoS

02-19-2019 04:53 AM

Hi Ian,

 

What is your plans to upgrade to the latest version as 10.1.2 will be EOS by August 28th, 2019.

 

Thanks,
Sarb

02-19-2019 03:39 AM

any update on whether any patch for 10.1.2 as it is still in service for a few more months

02-18-2019 05:02 AM

Also we have several systems on 10.1.2 whilst this is EOL soon is there no patch for these ?

02-15-2019 11:15 AM

Hi All,

  The patches have been posted to the ftp.ca.com general availability area.  I have created a tech doc outlining this:

 

The OneClick java jre certificate for CA Spectrum - CA Knowledge  

 

As Sarb noted the 10.2.0 and 10.2.2 will be posted shortly to the ftp area while the 10.2.1, 10.2.3, and 10.3 are available:

 

10.2.0 - Spectrum_10.02.00.PTF_10.2.072
10.2.1 - Spectrum_10.02.01.PTF_10.2.1108
10.2.2 - Spectrum_10.02.02.PTF_10.2.242
10.2.3 - Spectrum_10.02.03.PTF_10.2.371
10.3.0 - Spectrum_10.03.00.PTF_10.3.016
 

The hotfix patches are available here:

ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/

 

Please take note most of these require a bi monthly patch to be installed, which must be installed on all SS and OC, while the jre patches listed here are to be installed on the OC only (after the BMP if required -- check the release notes of the patch you need).  The BMP are also available at the ftp.ca.com site.  Login is anonymous with your email address as your password.

 

To answer some of the previous questions

1. Is the patch updated in 10.3.1?  Yes, the updated certificate was included in the 10.3.1 package so no patching is needed at this time.

2. If the patches are not installed, will OneClick still work?  Yes, starting with CA Spectrum release 10.0, the tomcat jar files have been timestamped in accordance with the certificate. The certificate has expired, it has not been revoked so in a typical java deployment we do not expect any interruptions.

3. Can the typical java jre be used without purchasing a license?  Yes, CA/Broadcom has a license agreement with Oracle in that users can only download and install the jre that we ship with Spectrum.  Any jre obtained or used outside of the jre shipped with Spectrum may be subject to Oracle licensing fees and will not be supported by CA/Broadcom.

 

I hope that answers the questions, please let us know.

Thank you

Jay 

02-15-2019 10:12 AM

Why is this notification so late? 

 

What is the plan to notify of expiry with more notice, as this continues to happen, seemingly with all of the latest releases?

 

At minimum, since it seems to happen so often, maybe the expiration date of certificates should be included in the release notes, that way we can start spamming CA/Broadcom for new certificates well before 3 weeks until expiry. 

02-15-2019 09:24 AM

Yes, we have included the fix in 10.3.1.

02-15-2019 08:17 AM

02-15-2019 06:38 AM

Can I confirm what the impact of this will be if the patching is not done ?

02-15-2019 06:33 AM

As Spectrum 10.3.1 is not mentioned, i guess this release already has renewed certificates shipped? 

I am going to install it in a customer environment without any remote access next week and want to prevent unpleasant surprises for that customer if possible. 

 

Regards

Marco

02-15-2019 05:27 AM

Thank you and why is this announced so late ? I understand it may have been out of your control but what was the path towards this. We are going to have to patch upwards of 14 different systems not including dev systems.

02-15-2019 05:19 AM

Yes, will update the information by end of the day.

Thanks,
Sarb

02-15-2019 05:12 AM

thanks for that but disappointed at the short lead time, will the patches be available through the normal download links ?

Related Entries and Links

No Related Resource entered.