openjdk 1.8 Cannot grant permissions to unsigned jars.

Ahoj,

Snažím se připojit k dell drac konzoli, pomocí jnlp souboru, ale narážím security problém javy který neumím obejít. Nastavil jsem java.security podle doporučení.

Nastavil jsem povolení nepodepsaných appletů: do ~/.config/icedtea-web/deployment.properties

deployment.security.level=ALLOW_UNSIGNED

výsledkem ovšem je pouze tato java chyba:

net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)
  at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531) 
  at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945) 
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
  at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.<>(JNLPClassLoader.java:338)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814)     ... 2 more 
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.     
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)     
  at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531)     
  at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945) 
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.     
  at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.<>(JNLPClassLoader.java:338)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)    
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)   
  at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)   
  at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814) 
... 2 more

Nevěděli byste někdo co s tím? Zkoušel jsem ještě nastavit /etc/java-8-openjdk/security/java.policy

permission java.net.SocketPermission "localhost:443", "connect,resolve";
permission java.net.SocketPermission "localhost:5900", "connect,resolve";
permission java.net.SocketPermission "localhost:5901", "connect,resolve";

Ale zřejmě to není to samé co java exceptions na windows.

starsi/jinej prohlizec(pripadne do jnlp (vzdy po prihlaseni) ulozit na disk a pustit rucne a/nebo javu a/nebo od oracle ;-)

mel sem podobnej problem se starym Dell KVM, s openjdk se nedarilo, ale s oracle java6 jo (s oracle java8 ne)...

porad nemam telo, ale uz mam hlavu... nobody

28.5.2019 08:59 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Ovšem jak spustit ručně? a který z nich? když to zkusím z cache, kde jsem ho podepsal tak řve že nemám jnlp soubor..

28.5.2019 09:06 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Kokotina. DRAC5 (aj DRAC4) normalne funguje s OpenJDK 8. Len treba povolit tie "nebezpecne" algoritmy, aby java videla podpisy. Z browsera sa to spusta cez Java Web Start (javaws), ktory je asociovany so subormi jnlp, takze vysledok je uplne rovnaky ako pri rucnom spusteni.

28.5.2019 09:32 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Ale to jsem zkoušel a nefunguje..

cat /etc/java-8-openjdk/security/java.security |grep "jdk.certpath.disabledAlgorithms=\|jdk.jar.disabledAlgorithms=\|jdk.tls.disabledAlgorithms="
#   jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
#   jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
#jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=DH keySize < 768
#jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \ EC keySize < 224

a výsledek je:

javaws  /home/username/Downloads/vkvm.jnlp
selected jre: /usr/lib/jvm/default-java
WARNING: package javax.jnlp not in java.desktop
Unable to use Firefox's proxy settings. Using "DIRECT" as proxy type.
netx: Initialization Error: Could not initialize application. (Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.)
net.sourceforge.jnlp.LaunchException: Fatal: Initialization Error: Could not initialize application. The application has not been initialized, for more information execute javaws from the command line.
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:822)
	at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:531)
	at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:945)
Caused by: net.sourceforge.jnlp.LaunchException: Fatal: Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.
	at net.sourceforge.jnlp.runtime.JNLPClassLoader$SecurityDelegateImpl.getClassLoaderSecurity(JNLPClassLoader.java:2481)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.setSecurity(JNLPClassLoader.java:385)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.initializeResources(JNLPClassLoader.java:806)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.<\init>(JNLPClassLoader.java:338)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.createInstance(JNLPClassLoader.java:421)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:495)
	at net.sourceforge.jnlp.runtime.JNLPClassLoader.getInstance(JNLPClassLoader.java:468)
	at net.sourceforge.jnlp.Launcher.createApplication(Launcher.java:814)
	... 2 more

Oni jsou podepsané, ale platnost podpisu končí cca 2013..

java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b03-0ubuntu1.18.04.1-b03)
OpenJDK 64-Bit Server VM (build 25.212-b03, mixed mode)

28.5.2019 10:44 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Aku verziu firmware ma DRAC?

$ javaws /tmp/mozilla_blabla0/vkvm.jnlp
java.security.AccessControlException: access denied ("java.io.FilePermission" "/usr/bin/xprop" "execute")
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
        at java.security.AccessController.checkPermission(AccessController.java:884)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
        at java.lang.SecurityManager.checkExec(SecurityManager.java:796)
        at java.lang.ProcessBuilder.start(ProcessBuilder.java:1018)
        at java.lang.Runtime.exec(Runtime.java:620)
        at java.lang.Runtime.exec(Runtime.java:450)
        at java.lang.Runtime.exec(Runtime.java:347)
        at org.GNOME.Accessibility.AtkWrapper.<clinit>(AtkWrapper.java:34)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at java.awt.Toolkit.loadAssistiveTechnologies(Toolkit.java:805)
        at java.awt.Toolkit.getDefaultToolkit(Toolkit.java:886)
        at javax.swing.UIManager.getSystemLookAndFeelClassName(UIManager.java:611)
        at net.sourceforge.jnlp.runtime.JNLPRuntime.initialize(JNLPRuntime.java:218)
        at net.sourceforge.jnlp.runtime.Boot.init(Boot.java:326)
        at net.sourceforge.jnlp.runtime.JnlpBoot.run(JnlpBoot.java:58)
        at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:245)
        at net.sourceforge.jnlp.runtime.Boot.run(Boot.java:63)
        at java.security.AccessController.doPrivileged(Native Method)
        at net.sourceforge.jnlp.runtime.Boot.main(Boot.java:195)
This application does not specify a Codebase in its manifest. Please verify with the applet's vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
This application does not specify a Codebase in its manifest. Please verify with the applet's vendor. Continuing. See: http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/security/no_redeploy.html for details.
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
Application title was not found in manifest. Check with application vendor
 Packet log written to: /home/blabla/c:\javaViewer.log
==== propertyChange: (SESSION_STATE):CONNECTING====
05/28/2019 10:33:45:595:  SSL: context protocol = SSLv3
05/28/2019 10:33:45:726:    SSLv2Hello
05/28/2019 10:33:45:752:    SSLv3
05/28/2019 10:33:45:770:    TLSv1
05/28/2019 10:33:45:791:    TLSv1.1
05/28/2019 10:33:45:800:    TLSv1.2
05/28/2019 10:33:45:834:  ======connectToPort======
05/28/2019 10:33:46:003: User Login Request: 0x100
05/28/2019 10:33:46:082:  ======connectToPort - sendRequest======
05/28/2019 10:33:46:108: packet type( 0x100)
05/28/2019 10:33:46:091:  SSL: checkServerTrusted() called.
05/28/2019 10:33:46:190:  SSL: getAcceptedIssuers() called. Sending packet: com.avocent.kvm.e.a.bf@96a35c (8, 208).
...

$ java -version
openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK Server VM (build 25.212-b01, mixed mode)

$ jarsigner -verify -verbose avctDRAC5Viewer.jar | tail -n 1
The signer certificate expired on 2013-08-31. However, the JAR will be valid until the timestamp expires on 2024-03-03.

28.5.2019 10:55 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

RAC Information
	Name	DRAC 5
	Product Information	Dell Remote Access Controller 5
	Hardware Version	A00
	Firmware Version	1.60 (11.03.03)
	Firmware Updated	Wed Nov 13 15:09:04 2013
	RAC Time	Tue May 28 10:02:09 2019

28.5.2019 11:15 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Když to zkuším přímo z Firefoxu.. tak nevím proč mi píše:

java.vm.version: 11.0.3+7-Ubuntu-1ubuntu218.04.1

přitom je nastavená java 8 pomocí sudo update-alternatives --config java

28.5.2019 12:24 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Skus upgradovat na poslednu 1.65:

https://www.dell.com/support/home/us/en/04/drivers/driversdetails?driverid=7mdxw

28.5.2019 12:55 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Bohužel na tom serveru jede produkce, a záložní momentálně není.. takže upgradovat jentak nemůžu... :-(

28.5.2019 13:08 j
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Draca muzes vpohode za chodu, system jako takovej to nijak neovlivnuje, restartne se to ale jen ten drac. V nejhorsim ti pojde prave a jen drac, ostatne proto to tam je.

Kazdopadne starsi java (6/7) by fungovala IMO lip. Kvuli temhle vyfikundacim (uzasne bezpecny browsery bez podpory rc4, web start ...) mam uz nekolik virtualnich stroju, se starejma verzema javy a browseru (ruzny verze javy se totiz nesnesou i vzajemne ...). A bude to jen horsi a horsi.

28.5.2019 14:32 majales | skóre: 29 | blog: Majales
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

To si právě nemůžu dovolit.. server mám ve správě už asi 4 roky, ale ještě jsem ho neviděl, do serverovny nemám přístup. Nejblíže jsem byl od serverovny asi 2km když jsem jel po dálnici. Konzole moc často není potřeba, ale někdy se hodí, třeba pro změnu IP stroje.. Na starém nb s windows mi to chodí, ale instalovat kvůli tomu win do virtuálu mi přijde jako overkill.. zkusím ubuntu virtuál s javou 6 nebo 7.

28.5.2019 16:48 kolega
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

takhle to taky resim, ubuntu 12 lxde s openjdk

28.5.2019 20:26 R
Rozbalit Rozbalit vše Re: openjdk 1.8 Cannot grant permissions to unsigned jars.

Presne tak, DRACy aj iLO upgradujem pocas beznej prevadzky a nikdy sa nic nestalo.

Kvoli DRAC4 mam v home rozbaleny Firefox 45.9 (a k nemu samostatny profil). Z Javy som rozchodil vsetko aj v OpenJDK 8 (DRAC, EMC NaviSphere/UniSphere, Brocade). Akurat teraz z Debianu 9 odstranili icedtea-plugin, tak som si z poslednej verzie balika skopiroval IcedTeaPlugin.so do profilu toho stareho Firefoxu (adresar plugins/) a funguje mi to nadalej.

Dotaz: openjdk 1.8 Cannot grant permissions to unsigned jars.

Odpovědi