AppWorx, Dollar Universe and Sysload Community

Applications Manager v8

 

Applications Manager v9

 

Applications Manager v9.1

 

Applications Manager v9.2

 

Hi Cory,    I have a couple of screen shots below that shows the current state of our Applications Manager.   I was wondering if you could advise us as to which version we would upgrade to in order to avoid the Java certificate issue in June.   Whichever version would be the least complicated would be appreciated.  Let me know when you can  please.  Thanks so much for your help.                   Sue [cid:image001.png@01D2AEDE.BB033CD0] [cid:image002.png@01D2AEDE.BB033CD0] Sue Chartrand Applications Specialist Your Neighbourhood Credit Union Ltd 38 Executive Place Kitchener ON N2P 2N4 519-804-9190 ext 617 519-896-4676 Fax schartrand@yncu.com<mailto> Your Neighbourhood Credit Union, Member-Owned, Community-Focused www.yncu.com<http></http> [logo] From: Cory Hankemeier [mailto:automicsoftware+d9319-s5019921@email.vanillaforums.com] Sent: Wednesday, April 5, 2017 7:37 PM To: Sue Chartrand <schartrand> Subject: [Automic Community] 2017 Expiring Java Certificates [Automic Community]<https></https> ________________________________ Cory Hankemeier started a new discussion: 2017 Expiring Java Certificates The Java client certificate for Applications Manager v8.0 Service Pack 15 Hotfix 1, and v9.0.1 was released in July, 2015. The certificate is valid for 2 years and is set to expire in June 2017. If using a release of Java 7 update 51 and later, Java will not allow Applications Manager to launch with an expired certificate. Applications Manager 9.2.0, 9.1.3 and 8.0.17 HF1 will all contain the updated Java Certificates. Further information about this topic can be found in our Knowledge Base here: 2017 Expiring Java Certificates.</schartrand></mailto>

Hi Sue_Chartrand_6605,

It looks like you've replied to this community post via email. It seems the pictures did not attach to the post within community.
Please login to community and either edit your post and dd the pictures, or create another post within this thread with the screenshots attached.

Hi Cory, I have attached the screen shots showing our current version of Applications Manager and the current Java version.   Please let me know.  Thanks for your help!           Sue

Hello Sue,

From the information that you provided, the Automation Engine is running against Java 7 update 45 and the workstation against Java 6 update 45.  Java client certificates are checked by the Java installed on the workstation (client machine) only. Certificate checking occurs on Java 7 update 51 or above.  Since you are running Java 6 update 45 on this particular workstation used to launch the Applications Manager client, the certificate expiration will not effect you. Please keep in mind that this is workstation specific and you may need to verify the version of Java installed on each workstation to make sure you don't run into any issues this coming June.

Regard,
Phearith Mao

Thanks for reply Phearith, I still need some clarification.   If the Application Manager Agents are running Java 7 update 51 will I have issues in June?  Thanks so much for your help.               Sue

Hello Sue,

Thanks for the update. Certificate checking does not occur on Applications Manager Agents, so you can run Java 7 update 51 on Agents without issue.

Regards,
Phearith Mao

Hi Phearith,

Will the Java Certification expire on June 1 or June 30th?  We are planning to patch our Prod environment (master and all agents) to v9.1.3 on June 10th in conjunction with other company maintenances (and will upgrade our DEV and UAT envrs in May shortly after 9.1.3 is released).   

If the Java cert expiration is June 1 and we are forced to patch PROD earlier than planned, would it be ok if we just patched the Master and do the agents at a later date?

Thanks,

Carmen Gonzalez

Hello Carmen,

Taking a look at the Java certificate’s validity period shows the certificate is expiring “Thu Jun 08 16:59:59 PDT 2017”, so please plan accordingly.

As you already know, having mismatched versions between the master and remote agents is not supported and can cause a number of issues to occur. The issue seen the most is Agents dropping in and out of service down status. While it may be possible that you do not run into any issues upgrading only the master, it is best that you test this configuration in your DEV environment.

Please let me know if you have any follow up questions.

Regards,

Phearith Mao

Hi Phearith,

I believe I found my answer: 
Java Control Panel > Security > Manage Certificates > Select a Certificate (if more than 1 displays) and Click on the Details button then view the date range for the 'Validity' Field row.

The date range I see is from:  Jun 8, 2015 17:00 to Jun 08, 2017 16:59.  

In that case we will reschedule our PROD upgrade to 9.1.3 to Sat. June 3. 

Do we have a final date about when V8.0 Patch 17 is going to be released ?

Hi Sourabh_Shri_Shrimal_6423

It look like there was a v8.0 SP17 HF1 that release just a few minute ago that address the Java certificate issue.
https://us.v-cdn.net/5019921/uploads/editor/ci/7voxb75k0chy.png" width="905">

Yes , I can see now...Thanks Luu Le for quick response :) :)

We have applied 9.1.3 to our development environment. If we forward date our date/time settings on the client to a date after 6/8/2017, we get "Failed to validate certificate". This is on machines with Java clients later than 7u51. In the Java control panel, we have seen workstations with two Java certs (the old and the new), with no certs, and just the new cert. We have tried uninstalling the Java shortcuts, deleting the old Java cert, clearing the cache, etc. Setting a future date does not work.

Hello,

I wouldn't recommend setting your client PC to a future date (month in advance) as a valid test. The reason for this is exactly as you described. Based on your error, it sounds like you have the recommended Online Certificate Status Protocol (OCSP) validation enabled in Advanced Java settings. What this means is that Java Webstart on your PC will send a request to the OCSP server for certificate validation. I have seen odd errors when there is a wide range in dates between the the local client and OCSP. This does not mean the certificate is invalid, but rather that the online verification failed due to the date/time. You could try using the older Certificate Revocation List (CRLs) check, however I'm not sure if that would help.

If you've already applied 9.1.3 and have seen no errors, then that's the first step in validating that you have new signed jar files. If you would like to take that a step further, you can investigate the validity of any signed jar by using either of the following commands below. These commands can be run for any jar file, just replace 'AppWorx.jar' with the name of the file.

keytool -printcert -jarfile AppWorx.jar
jarsigner -verify AppWorx.jar

You can add the -verbose -certs flags to jarsigner for even more details.
Note: These tools (keytool, jarsigner) come with JDK, not JRE versions, so you must have that in your path.

You will want to look specifically for the validity lines which indicate a date range.

Sample keytool output:
Signature:

Owner: CN=Automic Software GmbH, OU=Secure Application Development, O=Automic Software GmbH, L=Vienna, ST=Vienna, C=AT
Issuer: CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Serial number: 17a64f4c199768ae0da4a1ff279c96d1
Valid from: Tue Mar 21 17:00:00 PDT 2017 until: Sat Jun 08 16:59:59 PDT 2019
Certificate fingerprints:
         MD5:  38:91:C7:2B:85:D3:2C:74:2F:79:75:4D:0C:C8:A8:FC
         SHA1: 91:E0:E0:92:E8:14:55:07:C9:41:9D:96:E1:C1:C2:66:B0:78:96:8C
         SHA256: F3:EB:28:B1:CC:D3:84:87:93:C5:EC:CC:8E:4F:5E:87:C8:44:86:92:A4:CA:62:FB:A4:4B:7B:50:EA:E9:73:49
         Signature algorithm name: SHA256withRSA
         Version: 3


I hope this helps!

Best Regards,
Kristen

That helped. I'm trying to wrap my head around this to make sure we won't have issues on June 9. Sounds like we'll be okay. Thanks!