IBM Support

Sun Java 1.6.0_19 and higher is causing a security warning for WebSphere/Rational Host On-Demand clients

Troubleshooting


Problem

When downloading IBM WebSphere/Rational Host On-Demand clients with Sun Java 1.6.0_19 and higher, a pop up security warning states: Java has discovered application components that could indicate a security concern.

Symptom

With Sun Java 1.6.0_19 and higher, if the application or applet being downloaded has both signed and unsigned components, the following warning dialog is displayed:


    Java has discovered application components that could indicate a security concern.

Cause

Sun java 1.6.0_19 and higher detects whether components of an application or applet are signed or unsigned.

The Host On Demand cached client or Webstart client at 10.0.6.0 and higher are not affected as they do not have mixed code in the applet. Prior to Host On-Demand 10.0.6.0, Java 1.6.0_19 and higher might detect mixed code in the cached client and Webstart client.

In a download client (all levels of Host On-Demand), the components are downloaded to the workstation's hard disk at the time referenced and leaves the caching decisions to browser settings. This involves mixed code and java will throw a warning.

During the download Java detects certain file types and the warning is displayed. The types we know about for Host On-Demand detected are:

  • .class
  • .fnt
  • .gif
  • .cf
The types that are allowed and do not cause the warning are
  • .p12
  • .properties
  • .txt
  • .obj
Once the warning has been displayed, the chosen response is used for any further file detections, so the warning is only displayed once for the current browser instance.

If the client includes Additional Archives which are unsigned, Java will also detect these files regardless of Host On-Demand level and client type.

This is not a bug in Host On-Demand, but development is currently working on a solution to put the components in a signed jar file. Target for the update is unknown at this time.

Resolving The Problem

Following are several different options to handle the prompt or prevent the prompt from displaying:

  1. For Host On-Demand to appear as before, the user should click No on the above pop up.

    If you select Yes, Host On-Demand might continue to work and any other detected files will be blocked. Buttons and descriptors will have string text instead of the correct text similar to the following for the logon prompt::


  2. To prevent the warning during the download of the client, and the client is created with the Deployment Wizard you can select a specific language instead of using the default of 'Use the system locale' option. Select Advanced Options button on the Additional Options page. Expand Other on the left, then select Languages. Select the appropriate language for your clients. This will not prevent the warning if other file types are detected.


  3. To prevent this pop up from appearing every time the Host On-Demand download client or Administration Utility is accessed, you can change the value of the mixed mode security verification in the Java control panel.

    For Windows platform, open the Java control panel (Start ->Control Panel->Java), select the Advanced tab, expand Security, then "Mixed code security verification" and select the second option: "Enable - hide warning and run with protections".




    For Linux platform, first cd to <Java home>/bin directory and enter ./ControlPanel. Once in the Control Panel, click on Advanced tab, then expand Security. Then select either Enable - hide warning and run with protections or Disable Verification.

    Making this selection is the same as selecting No on the pop up panel. Be aware this will affect all Java applications and applets that execute on the client machine
  4. If the clients are restricted to change the Java control panel, a system wide deployment property can be set and deployed to the client machines to avoid the warning message from being displayed.
    1. For the Microsoft Windows platforms:

      Add deployment.config file (if it does not already exist) in either C:\Windows\Sun\Java\Deployment

      or

      C:\Program Files\Java\jre6\lib

      The contents of deployment.config file should be:
      deployment.system.config=file:\C:/deploy/deployment.properties
      deployment.system.config.mandatory=false

      For the Linux platform,

      deployment.config file needs to be placed in:

      /etc/.java/deployment/deployment.config

      or

      ${deployment.java.home}/lib/deployment.config where ${deployment.java.home} is the location of the JRE from which the deployment products are run.

    2. Add deployment.properties to the URL specified in deployment.config file
      deployment.properties file, in this example is located at C:/deploy and contains the following.
      deployment.security.mixcode=HIDE_RUN

      OR

      deployment.security.mixcode=DISABLE

      The administrator could then distribute these two files to the client machines to prevent the warning message every time Host On-Demand is accessed.

      The following link provides more information about the deployment.property file and deployment.config file.
      http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/properties.html

For further information about the warning dialog, refer to Sun technote:


NOTE: The Host On-Demand development team is repackaging the clients to avoid this issue and is scheduled to be available 10.0.9.0. This is now available in HOD 11.0.3. Refer to the follow for details to download: 4028826: IBM Rational Host On-Demand V11.0.3.0 Manufacturing Refresh.

[{"Product":{"code":"SSS9FA","label":"IBM Host On-Demand"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Component":"General","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"10.0;11.0","Edition":"","Line of Business":{"code":"LOB35","label":"Mainframe SW"}}]

Document Information

Modified date:
19 April 2021

UID

swg21427068

Page Feedback