IBM Support

"IBM Tivoli Monitoring Portal changes required for Java 6 and Java 7 security"

Flashes (Alerts)


Abstract

The following java versions require that all jar files used in the Tivoli Enterprise Portal have the permissions attribute set in the jar manifest file. This requirement affects version 6.2.3 and 6.3.0 (all fix pack levels) of the Tivoli Enterprise Portal, both browser and Java Web Start modes:

Oracle Java 7 U51 or higher
Oracle Java 6 u65 or higher
IBM Java 7 SR6 or higher
IBM Java 6 SR15 or higher

The portal client will not run in the new default configuration. This message is displayed when the problem is encountered:

"Application blocked by security settings. The Java security settings have prevented this application from running. You may change this behavior in the Java Control Panel."

The conditions can be relaxed by moving the security slider in the Java Control Panel to Medium (from the default of High).

These java versions also require a provisional fix be applied to your Tivoli Enterprise Portal Server (if not already). The provisional patch fixes problems introduced by new security features in the versions of java mentioned above. Here is the link to the tech Flash which describes the symptom along with links to the provisional patch:

http://www.ibm.com/support/docview.wss?uid=swg21654776

Content

If the required jar file manifest updates have not been added to the portal client jar files, the following pop-up appears when attempting to start the portal client. The portal client does not run after this pop-up is displayed:



You can change the security settings in the Java plug-ins security section as a temporary work around until the proper manifest updates have been added to the portal jar files. The dialog below shows the default settings. Slide the setting to Medium to work around this new behavior.


If this work around is unacceptable, please contact IBM support via PMR. Support will require the jar and zip files from the Tivoli Enterprise Portal Server located here:

UNIX/Linux
<InstallDirectory>/<Architecture>/cw/classes

Windows
%CANDLE_HOME%\CNB\classes


If you are using the portal browser client, you also need to send support the applet.html file located here on the Tivoli Enterprise Portal Server:


UNIX/Linux
<InstallDirectory>/<Architecture>/cw/applet.html

Windows
%CANDLE_HOME%\CNB\applet.html

You may also edit the applet.html file directly.
NOTE: If you are running ITM630FP2 and have already applied provisional fix IV52831, the applet.html changes below are not necessary as they are included in the IV52831.
Search for the string "var parameters" in the applet.html file. You should find the following toward the end of the file:



var parameters = { 'code': 'candle.fw.pres.CMWApplet',
'codebase': 'classes/',
'mayscript': 'true',
'cache_option': 'plugin',
'cache_archive': cache_archive,
'cache_version': cache_version,
'scriptable': 'true',
'java_arguments': javaArgs,
'applet_stop_timeout': '5000',
'kjr.trace.params': 'ERROR',
'kjr.trace.mode': 'LOCAL',
'cnp.publish.url': 'true',
'cnp.publishurl.encryptuid': 'false',
'cnp.window.timeout': '0',
'permissions': 'all-permissions',
'caller-allowable-codebase': '*'
};

Add 'permissions': 'all-permissions', and 'caller-allowable-codebase': '*' to the end of the parameters array. The array above shows an example. Make sure when you add these lines to also add a comma to the end of the previous line to continue the elements in the array. The last line in the
array does not require a comma at the end. The update to applet.html does not require a reconfigure of the Tivoli Enterprise Portal Server. If your browser does not appear to be picking up the newly updated applet.html file, you may have to clear the browser's cache.


IBM will issue a future fix pack for version 6.3.0 and 6.2.3 which contain jar files with the manifest updates. Future fix packs ITM 6.30.03.00 and ITM 6.23.05.00 will address only the ITM infrastructure jar files. Separate fix packs for the application support installed on the Tivoli Enterprise Portal Server must also be applied as they become available. The cinfo command will show what application support is installed on your Tivoli Enterprise Portal Server. Check with IBM on each one of those products for the latest fix packs which contain properly updated application support jar files that fix this issue.

[{"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"ITM Tivoli Enterprise Portal V6","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.2.3.1;6.2.3.2;6.2.3.3;6.2.3.4;6.3.0;6.3.0.1;6.3.0.2","Edition":"Edition Independent","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
25 September 2022

UID

swg21659560

Page Feedback