October 2013 Sametime Meeting Server and Classic Meeting Server security updates for Java
After upgrading Java to 1.7 update 45 or above, users are seeing new security warnings.
For instance when trying to attend a Classic Meeting:
"Do you want to run this application?"
"Allow access to the following application from this web site?"
These same types of issues occur with the Sametime Meeting Server.
As of Java 7 update 45, the following security changes were made. In Java 7 update 51 and above, these are required.
Java 7u45 - Changes were made to client applets to address the recent security changes/additions made by Oracle in Java 7 Update 45. Specifically the addition of the "Caller-Allowable-Codebase" manifest attribute and the increase of the "Java Security Baseline" to Java 7 Update 45.
Firefox 26 - Changes were made to the Java detection code in the Sametime web app to address new security changes introduced in Firefox 26.
Java Detection - Changes were made to increase the "timeout" value of the Java detection code in the Sametime web app to address slow Java VM load times introduced as a result of recent security additions by Oracle, specifically the enabling by default of online Certificate Revocation List checking in Java 7 Update 25. More details can be found here:
Note that if Java is below the most current update, it will check whether a newer version is available and warn that it is not at the latest version.
This occurs due to new security requirements within Java.
Resolving the problem
Sametime Meeting Server
For the Sametime Meeting Server running 9.0, this issue is resolved in 9.0 HF1 and later builds. There are additional fixes for potential security vulnerabilities available for 9.0 HF1 as well as 8.5.2 IFR1. To receive both the fixes for the Java updates and the fixes for the security vulnerabilities, the following technote links to the fixes available.
Classic Meeting Server
The re-signed applets for the following Classic Server versions are now available on Fix Central at the links below.
Note that earlier versions of Java are not aware of the new Caller-Allowable-Codebase attribute. Therefore, when those versions are set to High security (the default), they will block these applets from running. Users must upgrade to the latest version of Java. The only other option is to lower their Java security setting if they run into this issue.
Sametime 8.5.2 IFR1 Classic Meeting Server fix
Sametime 8.5.1 / 22.214.171.124 Classic Meeting Server fix
Sametime 8.0.2 Classic Meeting Server fix
Sametime 8.0.1 Classic Meeting Server fix
Note that the stlinks.jar files in the above hotfixes have been superseded by the following:
1) Unzip the hotfix and extract the files and folders under the ...data\domino\html\sametime\ directory.
2) Place those files and folders into the ...data\domino\html\sametime\ directory of the Sametime Community Server, overwriting the existing files and folders.
You do not need to stop the Sametime Community Server when performing this operation. It is recommended that you stop the HTTP task for this procedure and reload it once completed.
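As an added check (not part of this technote or of IBM's fix packages), the following Python inspects a copied stlinks.jar for the Java 7u45 manifest attributes described above and for the signature entries that distinguish the signed copy from the unsigned one; the host name and the sample JAR it builds are constructed for illustration only.

```python
import io
import zipfile

# Manifest attributes Oracle introduced in Java 7u45 and made mandatory from 7u51.
REQUIRED_ATTRS = ("Permissions", "Codebase", "Caller-Allowable-Codebase")

def parse_manifest(text):
    """Parse the main section of a JAR manifest into a dict. Values are wrapped
    at 72 bytes with a leading space on the continuation line, so join those."""
    attrs, last = {}, None
    for raw in text.splitlines():
        if raw == "":                       # blank line ends the main section
            break
        if raw.startswith(" ") and last:    # continuation of the previous value
            attrs[last] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        attrs[last] = value.strip()
    return attrs

def check_applet_jar(jar_bytes):
    """Return (ok, findings) for an applet JAR supplied as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            return False, ["no META-INF/MANIFEST.MF in JAR"]
        attrs = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode())
    for key in REQUIRED_ATTRS:
        if key not in attrs:
            findings.append("missing manifest attribute: " + key)
    if attrs.get("Caller-Allowable-Codebase") == "*":
        findings.append("Caller-Allowable-Codebase is '*': any site may script the applet")
    if not any(n.startswith("META-INF/") and n.endswith((".SF", ".RSA", ".DSA")) for n in names):
        findings.append("no signature files: this is the unsigned stlinks.jar")
    return not findings, findings

def build_sample_jar(manifest, signed):
    """Constructed sample JAR: a manifest plus placeholder signature entries
    (not a real signature) so the presence check can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            zf.writestr("META-INF/IBM.SF", "Signature-Version: 1.0\r\n")
            zf.writestr("META-INF/IBM.RSA", b"placeholder")
    return buf.getvalue()

GOOD_MANIFEST = ("Manifest-Version: 1.0\r\nPermissions: all-permissions\r\n"
                 "Codebase: meetings.example.com\r\n"
                 "Caller-Allowable-Codebase: meetings.example.com\r\n\r\n")
```

Against a real file, call `check_applet_jar(open(path, "rb").read())` for the copy in stlinks\signed and expect an empty findings list.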
If you are using stlinks (for instance with iNotes) see the FAQ below for additional instructions.
Note that Internet Explorer may have issues loading Java if the steps in the technote "Sametime Classic Meeting Server: Java Applet won't load in IE after upgrading to Java 7" have not been followed.
Frequently asked questions:
Q: What is the STComm.jar file? Why don't I see it on my server?
A: This JAR file is only included in the Sametime SDK. It is not deployed to a Sametime server by default. The toolkit, and this file, are typically used only by customers running Lotus Quickr or those application developers that have built their own Sametime components by using the SDK. This file is only used in Sametime 8.0.x.
Q: I see two stlinks.jar files on my server. Why is that, and which do I replace?
A: Sametime provides two stlinks.jar files, one unsigned (in stlinks) and one signed (in stlinks\signed). Only the signed stlinks.jar file is included in the fix. It is recommended to use the signed applet. Therefore you will need to copy the fixed stlinks.jar file to both the stlinks\signed directory and the stlinks directory.
If you use stlinks with iNotes then you will also need to replace the existing stlinks.jar file on all iNotes servers with this new one.
Q: Will my users see a prompt stating "The application will run with unrestricted access which may put your computer and personal information at risk. Run this application only if you trust the publisher."
A: This prompt is a one-time confirmation and is not an indication of any problem. Users must accept this prompt to trust the applet signer (International Business Machines Corporation). This is a property common to any signed applet and not something that IBM can prevent. The prompt is as shown in the following screen capture:
Software version: 8.0.1, 8.0.2, 126.96.36.199, 9.0
Operating system(s): AIX, IBM i, Linux, Solaris, Windows
Reference #: 1654503
Modified date: 27 July 2015