AppWorx, Dollar Universe and Sysload Community

anyone attempt to upgrade java to 8u201 yet? I have on a few servers and workstations and after doing so those users were unable to login to the program. it was throwing an rmi server error.

I have downgraded some of them to 8u191 and they were able to get in. 191 was starting to prompt to be updated else I would of left it as is for the time being.

thank you!

Hi ChrisFonger611023,

It look like other users have also reported this to support, seem like the 201 update of Java have some new configuration change in which it is not supported with Applications Manager.

It look like beside "downgrading" java there is one other workaround, mentioned in this Knowledge Article: Applications Manager connection error after instal - CA Knowledge 

Luu,

I looked at that knowledge article that referenced " jdk.tls " Java security variable.  Reviewed it on client PC and remote agent server and saw no reference to the "NULL"/"anon" parameter values but we still had to roll back our JAVA versions as indicated.  Please advise.

Thank you.

Clifford Dawkins

Hi Clifford,

Within the Java.security file, there is a section call:   "Jdk.tls.disableAlgorithms" what you are looking at is the "jdk,tls.lagacyAlgorithms" from the screenshot.

If you look at the "jdk.tls.diabledAlgorithms" section in the java.security file there will be reference about what was mention in the KE.

The AM technician here had upgraded their Java and a comparison of the old version and new, this was one of the changed we had noticed.  Other customer who has experience this, has removed those two parameter mentioned/highlighted and have reported it working.  Let us know if you are not able to find the jdk.tls.disabledalgorithms  section on your java security file (on the java 8_201 you upgraded to).

Thanks for responding Luu,

I will have an admin review but we'll likely just "roll back" Java till

AM 9.3 available. 

Clifford

Yeah, we had one server get updated to 201 last night during regular patching and services would not come back up. We eventually traced it back to 201, and rolled back to 192 to fix. I let our server guys know not to push 201 out to any of our other servers.

We are on AM 9.1.3 and just encountered the same issue with java 8u202.  It was just on our client workstations, though.  We had to roll back to the previous version we were on.  The error message referenced cipher suites and we could not log into the client. 

Thank you,

Dominic

Hi DominicAloi607137,

Yes, this is a known issues as Oracle Java had made changes for version 8_201, 8_202... The only options currently available at the moment is to rollback the Java upgrade or used what was discussed in the Knowledge article regardign the jdk.tls.disableAlgorithms (link below):

Applications Manager connection error after instal - CA Knowledge 

Could you clarify a little on the reason that the software is incompatible with the security changes in Java 8 update 201? Does this mean that the software is always talking with either the anon or null cipher suite in Java? From a security perspective, these are considered weak/broken cipher suites and these are generally disabled by default in most web solutions (which is why Java is now disabling them as well). Is there a timeframe for when the next release will be available that will support proper encryption and allow us to apply this new version of Java without a workaround to re-enable these weak ciphers?

Hi Kevin,

This does not mean that the software is always talking with either anon or null cipher suites. It's more likely that it is used at some point during the handshake or partially for communication. However, because the problem has only been brought to our attention recently with the new Java update, our team is still reviewing the issue for an RCA and solution. The specifics and time frame for a fix will be provided as soon as our review is complete.

Regards,

Phearith Mao

Is there a plan/date for a patch/release to resolve this issue ?

Thanks.

Hi ChristopherJ.Mills609947 

Currently look to be projected with the upcoming 9.3 release in March. 

I was told that the release of 9.3 is tentative for the 22nd of March.  The release will have a documentation update but no change to fix this.  So basically you will have 2 workarounds and 1 solution.

Workaround 1 = don't upgrade java.

Workaround 2 = modify the java.security file on each client machine.

or

Solution = create a user_kesystore and user_keystore_config file and copy both files to the master, all agents and all client machines.

None of these fixes are ideal.

I was told earlier this week that 9.3 would be coming out today 3/14.   When did you get your information?

Tech support told me 2 days ago on the 12th.

The release date for version 9.3 is sometime around March 22 at this point.

The main take away that I got is that the issue is not being fixed.  We are being provided with 3 workarounds with one of them being called a solution.