Rainer Brandl

Java Update 1.7_45 and IBM Sametime Meetings

http://www-01.ibm.com/support/docview.wss?uid=swg21654503

After upgrading Java to 1.7_45 users are seeing new security warnings, for instance when trying to attend a Classic Meeting.


In Websphere Meetings
Java 7u45 – Changes were made to client applets to address the recent security changes/additions made by Oracle in Java 7 Update 45. Specifically the addition of the “Caller-Allowable-Codebase” manifest attribute and the increase of the “Java Security Baseline” to Java 7 Update 45.

More details can be found here:
http://www.oracle.com/technetwork/java/javase/7u45-relnotes-2016950.html http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html https://blogs.oracle.com/java-platform-group/entry/updated_security_baseline_7u45_impacts
 
FireFox 26 – Changes were made to the Java detection code in the Sametime web app to address new security changes being introduced in FireFox 26.

Java Detection – Changes were made to increase the “timeout” value of the Java detection code in the Sametime web app to address slow Java VM load times introduced as a result of recent security additions by Oracle. Specifically the enabling by default of online Certificate Revocation List checking in Java 7 Update 25. More details can be found here:
http://java.com/en/download/help/revocation_options.xml


Symptom

This occurs due to new security requirements within Java.


Resolving the problem

The re-signed applets for the following Sametime classic server versions are now available on Fix Central at the links below.

Note that earlier versions of Java are not aware of the new Caller-Allowable-Codebase attribute. Therefore when those versions are set to High security (the default) they will block these applets from running. Users must upgrade to Java 7 update 45 or lower their security if they run into this issue.

Sametime 8.5.2 IFR1 server fix
Sametime 8.5.1 / 8.5.1.1 server fix
Sametime 8.0.2 server fix
Sametime 8.0.1 server fix
Install instructions:
1) Unzip the hotfix and extract the files and folders under the …data\domino\html\sametime\ directory.
Example:
2) Place those files and folders into the …data\domino\html\sametime\ directory of the Sametime Community Server, overwriting the existing files and folders.
You do not need to stop the Sametime Community Server when performing this operation. It is recommended that you stop the HTTP task for this procedure and reload it once completed. 
If you are using stlinks (for instance with iNotes) see the FAQ below for additional instructions. Note that Internet Explorer may have issues loading Java if the steps in Sametime Classic Meeting Server: Java Applet won’t load in IE after upgrading to Java 7 have not been followed. The fix for the Websphere Meeting server is being delivered as part of the cumulative hotfix for the 8.5.2 IFR1 meetings server Sametime 8.5.2 IFR1 Server Fix

This fix should be installed by following the same documented instructions that apply to installing the 8.5.2 IFR1 hotfix:
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Installing_a_meeting_server_on_AIX_Linux_Solaris_or_Windows_st852ifr1
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Updating_Sametime_8.5.2_on_AIX_Linux_Solaris_or_Windows_st852ifr1
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Installing_Sametime_8.5.2_Interim_Feature_Release_1_st852ifr1
http://www-10.lotus.com/ldd/stwiki.nsf/dx/Installing_Sametime_8.5.2_Interim_Feature_Release_1_on_servers_running_on_WebSphere_Application_Server_st852ifr1


Frequently asked questions:
Q: What is the STComm.jar file? Why don’t I see it on my server?
A: This JAR file is only included in the Sametime SDK. It is not deployed to a Sametime server by default. The toolkit, and this file, are typically used only by customers running Lotus Quickr or those application developers that have built their own Sametime components by using the SDK. This file is only used in Sametime 8.0.x.

Q: I see two stlinks.jar files on my server? Why is that, and which do I replace?
A: Sametime provides two stlinks.jar files, one unsigned (in \stlinks), and one signed (in stlinks\signed). Only the signed stlinks.jar file is included in the fixes. It is recommended to use the signed applet. Therefore you will need to copy the stlinks.jar file from the stlinks\signed directory to the stlinks directory.
If you use stlinks with iNotes then you will also need to replace the existing stlinks.jar file on all iNotes servers with this new one.
Q: Will my users see a prompt stating “The application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher.”
A: This prompt is a one-time confirmation, which is not an indication of any problem. Users must accept this prompt to trust the applet signer (International Business Machines Corporation). This is a property common of any signed applet and not something that IBM can prevent. The prompt is as shown in the following screen capture:


Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s