[SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Get help with installation and configuration of OWS. Please post specific bug reports, pull requests, or source code extensions on github.
egosoup
Posts: 1
Joined: 22 Oct 2020, 01:29

[SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by egosoup »

I ran into an issue using an IPMI viewer jnlp on an old server.

When using azul 11.0.7 and OpenWebStart, I was ultimately getting the error:

Code: Select all

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:587)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:372)
	at net.sourceforge.jnlp.Launcher.access$200(Launcher.java:70)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:654)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
	at net.sourceforge.jnlp.runtime.classloader.SecurityDelegateImpl.getClassLoaderSecurity(SecurityDelegateImpl.java:102)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.initializeResources(JNLPClassLoader.java:770)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.<init>(JNLPClassLoader.java:348)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:493)
	at net.sourceforge.jnlp.runtime.classloader.JNLPClassLoader.getInstance(JNLPClassLoader.java:466)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:579)
	... 3 more

From past experience there was an issue where the ipmi viewer jar was signed using MD5, since this is disabled by default, the JVM fails to validate it, and seems to treat it as unsigned.

To resolve the issue on Windows 10, I edited the file at:
%USERPROFILE%\.cache\icedtea-web\jvm-cache\azul_11.0.7\conf\security\java.security

I changed lines 648 and 649.

From:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
	DSA keySize < 1024

To:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024
I thought this might be helpful to others if they have a similar issue.

If there is a jvm-agnostic way to apply this setting in OpenWebStart, that would be ideal, or if there was a way to apply it for a specific jar file.

DmitriiVolokitin
Posts: 4
Joined: 07 May 2021, 16:05

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by DmitriiVolokitin »

Hello,

I ran an issue with Cannot grant permissions to unsigned jars

Before it works with version 1.2.2. Now I have updated to version 1.3.3 and start getting this error message.

Code: Select all

Closing DownloadServiceListener
Waiting for exception dialog to be closed
Launch exception
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
App already has trusted publisher: false
Jar found at C:\Users\Dmitrii.Volokitin\.cache\icedtea-web\cache\0\3\subm-simcard-webstart.jar has been verified as UNSIGNED
DownloadServiceListener will be disposed
I have already tried to fix it, replace the text in the files.

From:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
	DSA keySize < 1024
To:

Code: Select all

jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024 
Files:
  • %USERPROFILE%\.cache\icedtea-web\jvm-cache\adopt_11.0.10\conf\security\java.security
  • %USERPROFILE%\AppData\Local\Programs\OpenWebStart\jre\lib\security\java.security
  • C:\Program Files\Java\jdk1.8.0_92\jre\lib\security\java.security
I use:
  • Windows 10
  • OpenWebStart 1.3.3
  • Icedtea-web adopt_11.0.10
  • Java jdk1.8.0_92
Last edited by DmitriiVolokitin on 10 May 2021, 11:23, edited 2 times in total.

Janak Mulani
Posts: 850
Joined: 24 Mar 2020, 13:37

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by Janak Mulani »

Hi Dimitri,

Thanks for posting the solution to your issue. However it is not clear if you are still facing with OWS 1.3.3
the issue:

Code: Select all

 Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.) 
or is it solved after modifying the java.security files.

Please come back to us with your log files if you are still facing the issue.

Thanks

DmitriiVolokitin
Posts: 4
Joined: 07 May 2021, 16:05

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by DmitriiVolokitin »

Hello Janak,

I still facing the problem.

In the attachment you can find:
  • Printscreen errors
  • Console-log
In case you need more information. Just let me know I will try to provide it.
Attachments
Console-log.txt
(9.62 KiB) Downloaded 2327 times
Error-2.png
Error-2.png (68.38 KiB) Viewed 80997 times
Error-1.png
Error-1.png (14.96 KiB) Viewed 80997 times
Last edited by DmitriiVolokitin on 19 May 2021, 14:57, edited 1 time in total.

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by Stephan Classen »

The console log you included contains the following line:

Code: Select all

Exception while downloading resource location=https://172.29.20.47:9443//gsmr/resources/lib/subm-simcard-webstart.jar version=null state=INCOMPLETE from https://172.29.20.47:9443//gsmr/resources/lib/subm-simcard-webstart.jar - Connection refused: connect
Can you check that the jar is in fact downloadable from https://172.29.20.47:9443//gsmr/resourc ... bstart.jar

DmitriiVolokitin
Posts: 4
Joined: 07 May 2021, 16:05

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by DmitriiVolokitin »

Hello Stephan,

I can download it. Just for additional information, it works with version 1.2.2 before the update.
Attachments
Download-1.png
Download-1.png (64.45 KiB) Viewed 80957 times
Download-2.png
Download-2.png (40.19 KiB) Viewed 80957 times

Janak Mulani
Posts: 850
Joined: 24 Mar 2020, 13:37

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by Janak Mulani »

Hi

Just to clarify:

You said that the same jnlp worked with OWS 1.2.2 but is not working with OWS v 1.3.3.

It used to work with v 1.2.2 after you made changes regarding MD5 to java.security of the azul_11.0.7 JVM used to run the jnlp app.

When you run with OWS 1.3.3 you use the Adopt jdk1.8.0_92 JVM to run the jnlp app. Is this correct?

You say that you have changed the java.security file of Adopt jdk1.8.0_92 regarding MD5.

When you run your jnlp (same jnlp which you used to run with 1.2.2) with OWS 1.3.3 and Adopt JDK 1.8U92 you no longer get the following:

Code: Select all

application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
Is this correct?

However you are getting the error:

Code: Select all

Launch exception
netx: Initialization Error: Could not initialize application. (Fatal: Initialization Error: Unknown Main-Class. Could not determine the main class for this application.)
As Stephan pointed out there is an error in log file:

Code: Select all

Exception while downloading resource location=https://172.29.20.47:9443//gsmr/resources/lib/subm-simcard-webstart.jar version=null state=INCOMPLETE from https://172.29.20.47:9443//gsmr/resources/lib/subm-simcard-webstart.jar - Connection refused: connect


Can you please clear the OWS cache User Home\.cache\icedtea-web\cache and run the app again and let us know if it worked for example:

Code: Select all

javaws <url of the jnlp file>
Also for your info OWS 1.4.0 is released. So it will be better if you test with OWS 1.4.0 instead of v 1.3.3

Moreover about your question:
If there is a jvm-agnostic way to apply this setting in OpenWebStart, that would be ideal, or if there was a way to apply it for a specific jar file.
I don't think jdk.jar.disabledAlgorithms can be specified as a VM argument. However it is possible to specify a custom security file as a VM argument https://dzone.com/articles/how-override-java-security. May be you can specify this VM arg in your Jnlp file but that means wherever that jnlp file is run you will have to have the specified java.security file. In effect you make it jvm agnostic but this creates a constraint on where you jnlp can run. This is what I think but someone more knowledgeable may have a better idea.

DmitriiVolokitin
Posts: 4
Joined: 07 May 2021, 16:05

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by DmitriiVolokitin »

Answers:
It used to work with v 1.2.2 after you made changes regarding MD5 to java.security of the azul_11.0.7 JVM used to run the jnlp app.
It works by default on v 1.2.2 without any changes.
When you run with OWS 1.3.3 you use the Adopt jdk1.8.0_92 JVM to run the jnlp app. Is this correct?
As I see in the logs, it uses "AdoptOpenJDK\jdk-11.0.11.9-hotspot".
You say that you have changed the java.security file of Adopt jdk1.8.0_92 regarding MD5.
I don't have "Adopt jdk1.8.0_92".

I have in the AdoptOpenJDK folder only "jdk-11.0.11.9-hotspot"

I have tried:
1. Deleted version 1.3.3 and install new 1.4.0 form scratch
2. Deleted cache folder in C:\Users\Dmitrii.Volokitin\.cache\icedtea-web\cache
3. Fix the problem "downloading resource location=https://172.29.20.47:9443". (see the log file in attchment).
4. Set "jdk.jar.disabledAlgorithms=MD2, DSA keySize < 1024" in the "java.security" files
  • C:\Program Files\AdoptOpenJDK\jdk-11.0.11.9-hotspot\conf\security\java.security
  • C:\Program Files\Java\jdk1.8.0_92\jre\lib\security\java.security
  • C:\Program Files\Java\jre1.8.0_92\lib\security\java.security
  • C:\Program Files\OpenWebStart\jre\lib\security\java.security
  • C:\Users\Dmitrii.Volokitin\.cache\icedtea-web\jvm-cache\adopt_11.0.10\conf\security\java.security
  • C:\Users\Dmitrii.Volokitin\.jdks\openjdk-15\conf\security\java.security
  • C:\Users\Dmitrii.Volokitin\.jdks\openjdk-15.0.2\conf\security\java.security
  • C:\Users\Dmitrii.Volokitin\AppData\Local\Programs\OpenWebStart\jre\lib\security\java.security
Regarding the certificate:
Certificate-1.png
Certificate-1.png (20.66 KiB) Viewed 80949 times
Certificate-2.png
Certificate-2.png (13.7 KiB) Viewed 80949 times
Certificate-3.png
Certificate-3.png (139.42 KiB) Viewed 80949 times
Ping:
Ping.png
Ping.png (37.02 KiB) Viewed 80949 times
Logs:
Console-log-1.4.0.txt
(9.5 KiB) Downloaded 2368 times

Stephan Classen
Posts: 232
Joined: 27 Mar 2020, 09:55

Re: [SOLVED] Unsigned Jar issue with older IPMI jnlp viewer

Post by Stephan Classen »

The new log file still contains the connection timeout when trying to download the JAR.
This is somehow out of our reach. Can you verify that 1.2.2 is still working?

https://github.com/karakun/OpenWebStart ... tag/v1.2.2

Please install it to a separate directory such that you can compare 1.4.0 and 1.2.2 without having to un- and re- install all the time

Post Reply