
KB - Web Start "Application Blocked" Solutions

Problem Description

Oracle released Java 1.7 in July 2011. The subsequent BASIS releases that support Java 1.7, BBj 12.00 through BBj 13.02, included self-signed jars. Oracle no longer supports this Web Start security model after Java 1.7u21, and customers who upgrade Java beyond 1.7u21 cannot run Web Start applications without decreasing the Java Security Level on the client computer to ‘Medium’.
 

BASIS began including an example security certificate in BBj 13.03 in response to Oracle’s security changes in Java 1.7u40. Oracle again changed the security model in Java 1.7u51 and Web Start will block applications using this security certificate after it expires on March 25, 2014. In response to Oracle’s changing security model, BASIS plans to release BBj 13.13 on March 17, 2014 to allow customers enough time to test and upgrade their site to keep Web Start from blocking applications.

Web Start Security Specifics in JVM 1.7

Refer to the following table to understand when Web Start will block your clients as Oracle increases the security restrictions on such deployments:

  Blocks After         Version(s) Blocked
  December 10, 2013    BBj 12.00 through 13.02 with JVM > 1.7u21
  March 25, 2014       BBj 13.03 through 13.11
  June 30, 2015        BBj 13.12
  Non-blocking         BBj 13.13

Recommended Solution

The recommended solution is to upgrade to BBj 13.13 before the expiration date. If you cannot upgrade before the certificate expires, this article describes the options available to keep your applications running. Refer to the decision path below for an overview of the options.

(Figure: Web Start decision path.)

About the Interim Solutions

About the Emergency Solution

 About adjusting the Java Security Level


 

Q: Can I avoid having an expired certificate without upgrading?

A: If you cannot upgrade, the next best solution is to update the code-signing certificate. However, use this option only until you can upgrade.
 

You can update the “BBj Developer Example Key” code-signing certificate included in BBj 13.03 through 13.11 with a new certificate that expires June 30, 2015.
 

Note: BBj revisions 13.12 and higher already install the certificate that expires June 30, 2015, so no certificate update is required for those installations. BASIS still recommends upgrading to the more secure BBj 13.13 as soon as possible.
 

Update the certificate by following these steps:

  1. Download the latest BBjKeystore.jar from the BASIS website and save it to the <BBjInstallDir>\lib directory.

  2. Stop BBjServices on the server.

  3. Run the Java version of Enterprise Manager on the server and choose [Local]. See Figure 1.
    Figure 1. The BBj Enterprise Manager Login window.
     

  4. Add the jar file as follows (see Figure 2):
    Figure 2. The Enterprise Manager’s Local Machine Configuration window.

    a. Choose [Java Settings].
    b. Click [Add] in the Classpath tab and add the BBjKeystore.jar file to the classpath.
    c. Press [Move Up] to move BBjKeystore.jar up until it appears first in the list.
    d. Click [Save].

  5. Rename the jnlp_signed_jar_cache in the <BBjInstallDir>\cache directory to jnlp_signed_jar_cache_old.

  6. Restart BBjServices.

  7. If the Java Security Level setting on the client computer is set to:

- Medium, the application will continue to run*.
- High or Very High, the application will run* but will ask the first time for confirmation that you trust the certificate. See Figure 3.

*Web Start requires confirmation before trusting the new certificate the first time the client runs an application.


Figure 3. The Security Warning dialog appears to Web Start clients when checking the updated certificate.

The updated certificate now allows your BBj 13.03 through 13.11 applications to run until June 30, 2015. The recommended solution is to upgrade to BBj 13.13 as soon as possible before this date.

 

 

Q: Will my Web Start clients be blocked if I cannot upgrade and cannot update the certificate?

A: Based on the Java Security Level and whether or not the client trusted the certificate before it expired, they may be blocked.

If you cannot upgrade, your Web Start clients that ran any application from a BBj 13.03 through BBj 13.11 application server can continue to run. These clients will use the trusted “BBj Developer Example Key” even after it expires on March 25, 2014. Provided the Java Security Level is not set to ‘Very High’ on your client computer, your applications will continue to run; this applies to any application that already ran as well as any other BBj application.

In this case, if your Java Security Level setting is set to:

- Medium, the application will continue to run.
- High, the application will run but a security warning will appear every time it starts: “Running this application may be a security risk.” See Figure 4.

Figure 4. The Security Warning dialog appears to Web Start clients after the certificate’s expiration date.


If you prefer not to see this continuous reminder, you can choose to decrease the Java Security Level on the client computer to ‘Medium’ following the steps outlined in the answer to How can I run a blocked Web Start application if I cannot upgrade? below. However, the recommended solution is still to upgrade to BBj 13.13.

- Very High, the application will be blocked from running. See Figure 5.

Figure 5. The Application Blocked dialog appears when Web Start blocks a BBj 13.03 through 13.11 Web Start application from running after the certificate’s expiration date.

 

To run this blocked application, you can choose to decrease the Java Security Level on the client computer to ‘Medium’. See the answer to How can I run a blocked Web Start application if I cannot upgrade? below. However, the recommended solution is still to upgrade to BBj 13.13.
 

If, however, you attempt to run a BBj 13.03 through BBj 13.11 application using Web Start after March 25, 2014 on a client computer that has not previously run any BBj application, then by default Web Start will block this application from running.  See Figure 5. It will not offer the option to install the expired certificate. To run a blocked application, see the answer to How can I run a blocked Web Start application if I cannot upgrade? below.
 

 

Q: How can I run a blocked Web Start application if I cannot upgrade?

A: Blocked applications can be run by adjusting the client’s Java security settings.

After the expiration date, Web Start clients can run a blocked BBj 13.03 through 13.11 application by adjusting the settings in the Security tab of the Java Control Panel. Depending on the installed version of the Java Runtime Environment (JRE), either one or two options are available. The ‘Exception Site List’ option is only available in JRE version 1.7u51 and higher.

Option 1: Add the BBj Application Server to Java’s Exception Site List

If you have JRE version 1.7u51 or higher installed, you can choose to add your Web Server URL to the client computers’ ‘Exception Site List’ and set the Java Security Level below ‘Very High’. This combination will allow your BBj applications to run with the expired certificate. However, the recommended solution is to upgrade to BBj 13.13.
 

Add your Web Server URL to the client computers’ Exception Site List by following these steps:

  1. On the client computer, launch the Java Control Panel.

  2. Select the ‘Security’ tab.

  3. Click the [Edit Site List] button. The ‘Exception Site List’ window appears.

  4. Click [Add] and type or paste in the parent URL of your application Web Server. If you are deploying your applications via the BBj Jetty Web Server, the URL will look like this: http://servername:8888/

  5. Click [OK]. A Security Warning window appears. See Figure 6.

Figure 6. The Security Warning dialog warns of a potential security risk.

  6. If this security risk is acceptable, click [Continue] to confirm.

  7. Click [OK] to close the Java Control Panel.

  8. If your Java Security Level is set to:

- Medium, the application will now run.
- High, the application will now run.
- Very High, the application will be blocked from running. You can run it by choosing to decrease the Java Security Level on the client computer to ‘High’ following the steps outlined in the answer to How can I run a blocked Web Start application if I cannot upgrade?

The Exception Site List and ‘High’ Java Security Level together allow your BBj 13.03 through 13.11 applications to run. However, the recommended solution is still to upgrade BBj.

Option 2: Decrease the Java Security Level to ‘Medium’

To run a blocked application on any version of Java, you can choose to decrease the Java Security Level on the client computer to ‘Medium’ following the steps outlined in How can I run a blocked Web Start application if I cannot upgrade? This will allow your BBj applications to run with the expired certificate. However, the recommended solution is to upgrade to BBj 13.13. Setting the Java Security Level to ‘Medium’ bypasses all Java certificate security and should only be done in an emergency. Consider updating to Java 1.7u51 and using the Exception Site List option instead.
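Because both options are stopgaps, it helps to be able to find client machines that were left in the emergency state after the upgrade. The following audit sketch is an added example, not BASIS or Oracle code: it assumes the client settings are stored in Oracle's `deployment.properties` file (key `deployment.security.level`) and `exception.sites` file, and the sample file contents and approved-site list are constructed.

```python
# Constructed sample of a client's deployment.properties (not from a real machine).
SAMPLE_PROPERTIES = """\
#deployment.properties
deployment.version=7.21
deployment.security.level=MEDIUM
"""

# Constructed sample of a client's exception.sites file, one URL per line.
SAMPLE_EXCEPTION_SITES = """\
http://servername:8888/
https://apps.example.internal/
"""


def parse_properties(text):
    """Parse the simple key=value subset of the Java properties format."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_client(properties_text, exception_sites_text, approved_sites):
    """Return a list of findings for one client's Java deployment settings."""
    findings = []
    props = parse_properties(properties_text)
    # Assumption: a missing key means the JRE default applies, treated here as HIGH.
    level = props.get("deployment.security.level", "HIGH").upper()
    if level == "MEDIUM":
        findings.append("security level is MEDIUM (emergency setting still active)")
    for site in (s.strip() for s in exception_sites_text.splitlines()):
        if not site:
            continue
        if site not in approved_sites:
            findings.append(f"unapproved exception site: {site}")
        elif site.lower().startswith("http://"):
            findings.append(f"exception site uses plain HTTP: {site}")
    return findings


if __name__ == "__main__":
    approved = {"http://servername:8888/"}  # hypothetical allow-list for this site
    for finding in audit_client(SAMPLE_PROPERTIES, SAMPLE_EXCEPTION_SITES, approved):
        print(finding)
```

Run it against the files collected from each client after upgrading to BBj 13.13; an empty result means neither workaround is still in place.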
 


 

Q: How do I change the client computer’s Java Security Level setting?

A: This setting can be changed through the Security tab in the Java Control Panel.

If you choose to change the Java Security Level setting, follow these steps:

  1. Launch the Java Control Panel.

  2. Select the ‘Security’ tab.

  3. Click and drag the ‘Security Level’ slider control to the desired level (‘Very High’, ‘High’, or ‘Medium’). Notice the text immediately below the slider control describing this security level. See Figure 7.

Figure 7. Java Control Panel’s Security tab displaying the selected security level of ‘Medium’

  4. If this security level is acceptable, click [OK] to close the Java Control Panel and use the new Security Level.
