Java 1.7 update 51 breaking Cisco ASDM login

Monday, March 10. 2014

One day I needed to drill a hole to a Cisco firewall. I went to Adaptive Security Device Manager and could not log in. Whaat?!

It did work before, but apparently something changed. Sneak peek with Wireshark revealed that SSL handshake failed. Java console has something like this in it:

java.lang.SecurityException: Missing required Permissions manifest attribute in main jar: https://dm-launcher.jar
    at com.sun.deploy.security.DeployManifestChecker.verifyMainJar(Unknown Source)
    at com.sun.deploy.security.DeployManifestChecker.verifyMainJar(Unknown Source)
    at com.sun.javaws.Launcher.doLaunchApp(Unknown Source)
    at com.sun.javaws.Launcher.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)

and:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

Little bit of googling revealed Issues Accessing ASDM at Cisco's learning network and Cisco ASDM blocked by Java? at spiceworks.com. So I wasn't alone with the problem. Oracle's release notes for update 51 revealed a number of changes to earlier versions. Java is still piece of shit, but they're trying to fix it. Too little, too late. It is very unfortunate that I have to have Java Runtime installed and use it for a number of important applications. Now Oracle is making radical changes to JRE to improve its flaky security and these customer companies like Cisco cannot keep up with the changes.

Anyway, enough rant, here is how to fix it. The idea is to take the self-signed certificate from the Cisco firewall and import it for Java. This is yet another nice feature of a Windows-computer. There needs to be separate a separate certificate store for operating system, browser and Java.

First go to web-interface of the Cisco appliance. Internet Explorer cannot export a certificate from a web site, so use a Firefox or Chrome or pretty much any other browser. Save the certificate to a file. Like this:

When you have the file, go to Control Panel on Windows:

Select Java and Security-tab:

From there you can find Manage Certificates. Import the certificate-file from there:

It is very, very important that you first select Certificate Type: Secure Site. Any other certificate type won't fix the problem.

On the security-tab there is an exception list for certificates. Adding an exception won't fix this, since the problem is with the fact that the certificate is self-signed.

Now login works again.
When I first encountered this issue, I asked help from couple of guys who are very familiar with Cisco IOS (not Apple iOS). The initial response was "What is ASDM?" :-) Apparently the GUI is not the expert's way to go.

by Jari Turkia in Software at 21:17 | Comments (27) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

Jingyao Huang on :

Thanks a lot. You make my life easier.
Comment (1)

Jari Turkia on :

You're most welcome. It took me quite a while to figure all that out.

But I share, because I care.
Comments (13)

Monk on :

Awesome, worked like a charm, made my day easier today :-)

Nice explanation.

Do you permit a repost with backlink to here ?
Comment (1)

Jari Turkia on :

You're most welcome. Since I spend most of my time hacking anyway, I don't mind sharing the findings with you and everybody else.

Feel free to repost. All I'm asking is to properly credit me as an author. A link to the original would also be appreciated, but is not a requirement.

On weekly basis I find my articles copy/pasted to discussion forums etc. without any credits at all. Not nice. :-(
Comments (13)

M.Ezzat on :

Thanks alot
Comment (1)

Jari Turkia on :

You're welcome. I share, because I care.
Comments (13)

Susanna Y on :

Kiitos!
Comment (1)

Jari Turkia on :

Ole hyvä!

I share because I care.
Comments (13)

Jack on :

Isn't the "web-interface of the Cisco appliance" the very ASDM that I am unable to connect to? How do I do this id Java is broken and I can't run asdm?
Comments (5)

Jari Turkia on :

By web interface I mean the literal https://your.firewall's.IP.address/ that you would put into your favorite web browser's address bar.

If you have never attempted that, then you should. If you have blocked the HTTPS-interface of your firewall management, then your job just turned couple of notches more difficult.
Comments (13)

Jack on :

Well, I have the same problem trying to connect via the http://asa-ip-address as I do with the asdm; i.e., the asa device is rejecting the ssl connection. That is why I was seeking to gain the certificate to match up things.
Comments (5)

Jari Turkia on :

Just a very important note: HTTPS to be specific. You need to get the certificate from https://asa-ip-address

And since the access to there is managed by your web browser, the only thing that can go wrong is that you blocked your access there.

In general, the idea is just to retrieve the self-signed certificate and there are a number of options for doing that. On a Linux prompt you can do that with:
openssl s_client -connect asa-ip-address:443
command, or something similar.
Comments (13)

Jack on :

Yes, now I have it! Chrome wasn't showing me the cert error msg, but IE did, and once I selected it I was able to get the cert and store it in the Trusted Root Certificate Authority store. So now it all launches.
Thanks much.
Jack
Comments (5)

Jari Turkia on :

Excellent!

Its nice to hear that you figured that out. :-)
Comments (13)

Jack on :

Well, the issue at the heart of my troubles seems to be that when I attempt to launch the ASDM on a different ASA, "some" Java cache is remembering the IP address of the previous ASA that I pulled the certs from. If I try to import the certs from the different ASA, they don't seem to have any effect. So Java will give me the"unable to launch application" screen msg, and if I click on the details tab, I see the 1st line that states it is "unable to find the resources at the IP_addess of the previous ASA! I have looked all over for that Java cache, and was able to delete some temporary internet files. But, nothing I deleted would remove that IP-address from the Java cache that apparently is consulted with each Java launch. My only "fix" was to uninstall all the Java from my laptop and start all over. So, does this sound familiar, and if so, is there a definite way to delete the cache w/o uninstalling Java completely?

Thanks much - again!
Jack
Comments (5)

Jari Turkia on :

No that does not sound familiar to me.

My only advice would be something that you tried already. In Java Control Panel's General tab sheet, there is the Temporary Internet Files. Typically removing all temp files will result in better functionality. You didn't specify if you erased temp files from your browser or from Java, but that's pretty much the only thing you can do besides reinstalling the JRE.
Comments (13)

Jack on :

Ok, thanks for feedback. I'm not sure if I went into browser cache as well and deleted those temp files. Something to keep in mind next time around.
Comments (5)

Joel Cesar Zamboni on :

Worked perfect on a Windows 8.1 with the latest Java. Thank you!
Comment (1)

Jari Turkia on :

Nice to hear. You're welcome!
Comments (13)

dixit on :

thank its work
after i have been searching for 2days.
Comment (1)

Jari Turkia on :

You're welcome. Glad to be of some help. :-)
Comments (13)

"DR" "UNK" on :

Great info, but I am still having issues.....

Can you give a cook book style explanation on obtaining the Certificates. I believe this is my hurdle right now.

I have inherited a freaking mess here and I been working on trying to get this right for days......

Many Many Many THANKS in advance.....
Comment (1)

Jari Turkia on :

I'm sorry about your inherited mess, but you're obviously way over your head with that one.

All the information is in the original blog post. You need to access the firewall's management console with your favorite web browser and export the cert.

Knowing the address of your firewall should be the biggest hurdle. Exporting the certs is easy, you can practice that with any site using one.
Comments (13)

Jari Turkia on :

I know this is too little, too late, but go see: https://blog.hqcodeshop.fi/archives/251-Exporting-a-website-certificate.html
Comments (13)

bw on :

Thanks, worked great!
Comment (1)

raja on :

Erreur about CIsco ASDm idm launcher 5520 in windows 10
wind10 pro
java 7
gns3 2.1.8
asdm647
asa842
tftp32
Comment (1)

Jari Turkia on :

Would you like to elaborate on the problem itself. It would help troubleshoot the issue.
Comments (13)

Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '24 Forward
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License