Dear Spectrum Community Users,
This is to inform you that the OneClick Java Certificate will be expiring by March 8th 2019. The CA Spectrum product team is going to deliver patches for all the supported versions prior to that date. Customers are advised to install the patches on their current install base when they are made available.
Here is the schedule for the Java certificate patches for the following GA versions:
Product
Versions
Date of Delivery
CA Spectrum
10.2.1, 10.2.3 & 10.3
15th Feb, 2019
10.2 & 10.2.2
25th Feb, 2019
CA Spectrum product team is committed to providing quality support and services. Your success is very important to us, and we look forward to continuing our successful partnership with you.
Thank you,
CA Spectrum Product Team
Update: This appears to be an issue when using Chrome browser.
I was able to reach the file service with the Firefox browser.
-Fred
We cannot reach this link, either.
Getting the same error message:
The webpage at ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/ might be temporarily down or it may have moved permanently to a new web address.
This will be an issue at the end of this week.
No, not being able to access that link. In the meanwhile, I've request the patch needed to my local support in Portugal, as they are able to access the FTP.
Let's wait and see.
KR,
Edgar
Thank you Jason for the fast response, but for some how, I'm not being able to access that link, on EDGE says "Can't reach this page" and on FF it's empty.
Trying one more thing… get back to you soon.
Hi Edgar,
The hotfix patches are available here:
ftp://ftp.ca.com/pub/CA-SPECTRUM/Updates/GA/
Cheers
Jay
Hello Jason,
Can you post the location of the necessary patch to install the Java fix?
Hi Veronique,
Unfortunately it does require the BMP patch. We need to keep consistency across versions/releases/patch levels so this was the only way to do it. My apologies for the inconvenience this causes.
Hi Raphael,
Correct, you cannot just move the machine time ahead. Unfortunately that is not a valid test. There are more parts "behind the scenes" to time stamping jar files and certificate validation. That's why I installed 10.1.0 base to show everyone that the OC client does launch after the expired data passes (the certificate expired in 2016 but I can still launch OC because the certificate is still valid, not revoked).
Hello Sarbdeep_Singh, meaja05,
a colleague did a little test all in one locally installed Linux Spectrum server without any luck.
1)
[spectrum@spectrum10pri ~]$ cat /opt/spectrum/Install-Tools/.history
10.1.0.0.237 06/10/2016 11:33
10.1.1.0.64 06/10/2016 12:07
10.2.0.0.244 12/27/2016 09:51
Spectrum_10.02.00.PTF_10.2.020 installed on 04/12/2017 10:13:57.
Spectrum_10.02.00.PTF_10.2.020 was uninstalled on 05/02/2017 15:33:11.
Spectrum_10.02.00.PTF_10.2.036a installed on 05/02/2017 15:48:38.
Spectrum_10.02.00.PTF_10.2.036a was uninstalled on 07/17/2017 10:12:36.
10.2.1.0.98 07/17/2017 10:32
Spectrum_10.02.01.BMP_10.2.101 installed on 10/20/2017 09:22:43.
10.2.2.0.71 11/06/2017 14:22
10.2.3.0.107 01/03/2019 13:25
Spectrum_10.02.03.BMP_10.2.301 installed on 01/03/2019 13:39:06.
Spectrum_10.02.03.BMP_10.2.302 installed on 03/13/2019 08:23:43.
2)
disabled NTP and moved time ahead to March 12th 2019.
3)
tried to launch OneClick UI using the Spectrum builtin Java runtime environment with default Java security settings
[spectrum@spectrum10pri bin]$ /opt/spectrum/Java/bin/java -version
java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)
[spectrum@spectrum10pri bin]$ /opt/spectrum/Java/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp
=> Java security error message
4)
tried to launch OneClick UI using a little more recent Java runtime environment with default Java security settings
~/jre1.8.0_151/bin/javaws http://localhost:8080/spectrum/oneclick.jnlp
5)
modified Java security settings level from "Very High" to "High" and added URL to exception site list
6)
tried to launch OneClick UI using the Spectrum builtin Java runtime environment with modifiedJava security settings
7)
So even in a Java-wise untouched environment, unfortunately we can't find a way to launch the OneClick UI after March 8th without installing the new PTF. This is still contrasting your statements.
Furthermore, several people have asked, why the BMP302 is made a pre-requisite for PTF whithout getting an answer yet.
regards,Raphael
Dear all,
Request you to please follow the following announcement as we covered all the question/concerns related to Java certificate expiry.
Java Certificate Expiration Announcement
Thanks,Sarb
The PTF require the pre-installation of some BMP patch (as you said earlier):
This patch requires one of the following required versions:Spectrum_10.02.03.BMP_10.2.302be installed. This version was not found inyour /usr/SPECTRUM/Install-Tools/.history file.
Is CA really not going to provide a patch that we can install straightaway ?
Sure...
And here's the cert info:
Thanks Jay,
Although you didn't have change your java config, can you share what java settings you have.
Regards
Martin
The 10.2.0 and 10.2.2 patches are now available on the ftp site as noted above.
Again, please take note, if you are running 10.1.0 and above, the jar files are timestamped at the time of creation so that the certificate is still valid and you will be able to launch your OneClick client. It has not been revoked, just expired so if you do not install the patch you can still launch the OC client.
Here's an example from a 10.1.0 system. I installed 10.0 and then installed 10.1 fresh which has a java certificate expiration of Sun Oct 16 2016. Since the jar files were timestamped starting in 10.1 the certificate is still valid, just expired. If would be a problem if it was revoked but it is not revoked. I did not have to make any changes to Java certificate checking/config:
I did also test on a 10.1.2 install with java 1.8.0_161 and again, without making changes to Java config, OC launched with no problem, no errors and no warnings.
PS -- Please note that just moving your machine time ahead is not a valid test on whether or not OC clients will work. There are other pieces to jar time stamping that come into play.
Hi Jason
Yes, it is working now. Thanks!
Hi Jeroen,
Can you try downloading the patch again? I reposted it. Let me know if that fixes it.
Hi All
We are trying to install the Spectrum_10.03.00.PTF_10.3.016/ on windows 2012. However we get an error when launching the .exe file. See screenshot. It looks like there is something wrong with the .exe .
I have even tried to launch it on my own local computer and it gives the same error.
Hi All,
We have confirmed the issue is with the new jars in the certification packs. We are rebuilding the certification packs and will post once they are available. You can install the jre update patch if you have not installed the cert pack and will not have problems. If you have already installed both you can just install the updated cert patch once posted.
Cheers!
Hello Sarbdeep,
Your comment - "This patch is only required in cases where customers may have policies which will block applications running jars with expired certificates, otherwise no need to apply this patch.", should be in the first email. You guys asked all the client to install before March 8th now you are telling it's only needed if jars are blocked by policy.
regards
Prakash
Hi Jason, that worked to get the OC client to start.
Here's the list of files I moved from ${SPECROOT}/tomcat/webapps/spectrum/lib/contrib/
clientadva.jar clientaudc.jarclientavoc.jarclientcrpo.jarclientinfoblox.jarclientmerak.jarclientmisen.jarclientoacc.jarclientruck.jarclientsanv.jarclientsecu.jarclientsvpk.jarclientversa.jar
Thank you.
-=glenn=-
Those jar files are from the certifacation packs which added new views for OneClick. Removing those jars will allow OC to start. We're looking into this...
yes - i ran into the same error after installation.
I'll see if removing the older jar files fixes or changes the issue for me. 10.2.3 running on Linux.
Installed the patch on two Oneclick Servers with windows 2012 and noticed not all jar files in \win32app\Spectrum\tomcat\webapps\spectrum\lib\contrib\ are replaced with new ones. The clients cannot start Oneclick and generate this error:
After removing these files from the folder, the clients can start the application. But we're missing some views in oneclick then. So looks like the patch is incomplete. Anyone else having this error?
Regards,
David
Deal all,
I see lot of comments related to impact and time stamps. Hope the following response will clarify your doubts:
With the time-stamping in place the OneClick clients will still run without issues even after the certificate expiry period. This patch is only required in cases where customers may have policies which will block applications running jars with expired certificates, otherwise no need to apply this patch.
Please reach out to me(sarbdeep.singh@broadcom.com) if you need any other information.
Thanks,Sarbdeep Singh
Hi team,
There is any impact if the patch is not updated .?
Hello Sarbdeep_Singh, all,
the release notes of Spectrum_10.02.03.PTF_10.2.371 state, that the jar files "will no longer run" after the certificate expiry. Above postings are contrasting this by saying the OneClick client will continue to run even when not being patched. The lead time is short anyway, could we get some definitive statement to clarify wether we need to bother with this PTF or not please?
Additionally, since the lead time is that short, I don't like the idea of being forced to have a BMP302 installed as a pre-requiste, which is quite a big patch. For many customers it will be hard or even impossible to do proper testing during the remaining time.The PTF371 file list contains just jar files, that are loaded by the client. I assume, technically it would work to just replace the files and restart the clients without stopping any services on the server side.
Am I misguided here or are you able to confirm my assumption?
regards,
Raphael
unfortunately due to the age of the servers we are running the platform on it is not likely we will be able to upgrade before we go EoS
Hi Ian,
What is your plans to upgrade to the latest version as 10.1.2 will be EOS by August 28th, 2019.
any update on whether any patch for 10.1.2 as it is still in service for a few more months
Also we have several systems on 10.1.2 whilst this is EOL soon is there no patch for these ?
The patches have been posted to the ftp.ca.com general availability area. I have created a tech doc outlining this:
The OneClick java jre certificate for CA Spectrum - CA Knowledge
As Sarb noted the 10.2.0 and 10.2.2 will be posted shortly to the ftp area while the 10.2.1, 10.2.3, and 10.3 are available:
10.2.0 - Spectrum_10.02.00.PTF_10.2.07210.2.1 - Spectrum_10.02.01.PTF_10.2.110810.2.2 - Spectrum_10.02.02.PTF_10.2.24210.2.3 - Spectrum_10.02.03.PTF_10.2.37110.3.0 - Spectrum_10.03.00.PTF_10.3.016
Please take note most of these require a bi monthly patch to be installed, which must be installed on all SS and OC, while the jre patches listed here are to be installed on the OC only (after the BMP if required -- check the release notes of the patch you need). The BMP are also available at the ftp.ca.com site. Login is anonymous with your email address as your password.
To answer some of the previous questions
1. Is the patch updated in 10.3.1? Yes, the updated certificate was included in the 10.3.1 package so no patching is needed at this time.
2. If the patches are not installed, will OneClick still work? Yes, starting with CA Spectrum release 10.0, the tomcat jar files have been timestamped in accordance with the certificate. The certificate has expired, it has not been revoked so in a typical java deployment we do not expect any interruptions.
3. Can the typical java jre be used without purchasing a license? Yes, CA/Broadcom has a license agreement with Oracle in that users can only download and install the jre that we ship with Spectrum. Any jre obtained or used outside of the jre shipped with Spectrum may be subject to Oracle licensing fees and will not be supported by CA/Broadcom.
I hope that answers the questions, please let us know.
Thank you
Why is this notification so late?
What is the plan to notify of expiry with more notice, as this continues to happen, seemingly with all of the latest releases?
At minimum, since it seems to happen so often, maybe the expiration date of certificates should be included in the release notes, that way we can start spamming CA/Broadcom for new certificates well before 3 weeks until expiry.
Yes, we have included the fix in 10.3.1.
I'm confused. Is this statement still true?
https://communities.ca.com/docs/DOC-231183880-ca-spectrum-java-support
Can I confirm what the impact of this will be if the patching is not done ?
As Spectrum 10.3.1 is not mentioned, i guess this release already has renewed certificates shipped?
I am going to install it in a customer environment without any remote access next week and want to prevent unpleasant surprises for that customer if possible.
Marco
Thank you and why is this announced so late ? I understand it may have been out of your control but what was the path towards this. We are going to have to patch upwards of 14 different systems not including dev systems.
Yes, will update the information by end of the day.
thanks for that but disappointed at the short lead time, will the patches be available through the normal download links ?