7 Replies Latest reply on Apr 12, 2019 9:23 PM by lake

    java security warning

    lake

      I installed forms 12.2.1.3 with a very recent version of java 8 (220) so on the test form it got stopped for a java security problem.

      forms/frmservlet?config=webstart

      Why would this be happening? I did not deploy any jars much less something self-signed. I should hope that oracle signed the forms

      stuff appropriately.

       

      This is referring to 32 bit 8u202 (but I should've used 8u201).

      Ok it helps to run 32 bit and not 64 bit. I find the following on windows:

      chrome 73 comes up with 2 security blocks on the extreme bottom left of the screen and it never gets over it, and will not remember the url either. Chrome is not usable for webstart.

      Firefox 66 comes up with a security block but it will get over it if one checks that box. It will not remember the url however.

      IE 11 comes up with a security block but it will get over it and remembers the whole url. So I'd say IE is the browser to use.

       

      These are problems with the browser blocking webstart and not problems with java blocking itself.

        • 1. Re: java security warning
          Michael Ferrante-Oracle

          Please confirm the Java version, as there is no public facing 8u220.  Also, did you install 32bit or 64?  If 64, uninstall and install 32bit.

           

          Exactly what is the security problem?  Share the complete error message.  A screen shot might be best.

          • 2. Re: java security warning
            vansul

            The issue is with the java installed on the client machine.  You may open the java console and then start the application,  the java log console will exactly point the issue or re install the java will absolutely solve the issue.

            1 person found this helpful
            • 3. Re: java security warning
              lake

              Oh oh. I was running the 64 bit java. Ok starting over....

              I need to figure this out to install java on all the clients.

               

              https://www.oracle.com/technetwork/java/javase/overview/index.html

              "Oracle will not post further updates of Java SE 8 to its public download sites for commercial use after January 2019"

               

              So this is not going to work. The employer checks network traffic like a hawk to detect out of date versions of java.

              Thus trying to run jre 8 is a real hassle where we have to convince them that jre 8 is not completely dead and that it has

              had security updates we got from the vendor despite their not being publicly available. That means we have to come up with

              jre's that are numbered higher than the last versions (8u201 and 8u202).

               

              www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html it lists 8u201 and 8u202.   Those are terminal apparently.

               

              I go to 1439822.1

              immediately I am confused. What does "public" mean? If it can only be downloaded from oracle support what is public about it?

              it says in there:

              "

              Auto Update (AU) is a feature available only for Windows 32-bit platform builds. It is not available for any other platforms/OSes, including Windows 64-bit.

              All Public Updates for all Java versions, i.e. those marked (Public) in the below list, have Auto Update turned on by default (for Windows 32-bit).

              Non-Public Java 8 releases have Auto Update turned on by default."

               

              Now look oracle support. If the current version is 12 and the customer is wanting to download 8, it can easily be surmised that they

              do not want that software to decide tomorrow to update to 12.  Most users will click on "update". You have little chance to stop them.

              There is a strong hint here that the customer wants 8 because that is the version that works and that's why they are downloading 8 and not something else. So

              seriously is there no way to have this not configured to update?  This shows such a lack of understanding on the part of the vendor it really rubs my fur the

              wrong way. But knowing this vendor I am not winning that argument. So going on:

              What version of 32 bit version 8 java do I need to deploy on the client? Public or not-public?

              How do I get a distribution for the clients that they can download and install and it is already configured to NOT autoupdate.  (Having said that if it was going to autoupdate to

              another version of 8 that might be ok but I seriously doubt that's what it would do and it would have to login to oracle support to do that. I'm guessing that updates will have to be

              handled rather manually to keep it from updating to a version that is not compatible with the forms and weblogic software.)

               

              NB there are other software distributions that use java and they do not have these problems. The way they do it is they have their own versions distributed with the program and they are named differently so that they are not flagged by ocd security programs.

              • 4. Re: java security warning
                Michael Ferrante-Oracle

                There is a difference between a "public" web site and one that requires special access.  If you have access to MOS (http://support.oracle.com) then you are an Oracle Customer and don't necessarily fall into the "public" category.  If you are an Oracle Customer, you will continue to have access to Java 8 updates, regardless of what is or is not exposed on the "public" web pages (e.g. OTN).  Java 8 will continue to be supported for customers using licensed and still supported Oracle products that are dependent on Java 8

                 

                Refer to the top of this page to get a better understanding of the different user types.

                 

                https://www.oracle.com/technetwork/java/java-se-support-roadmap.html

                 

                Refer to the bottom of this page to find information about how these changes impact Oracle customers.

                 

                https://www.oracle.com/technetwork/java/javaseproducts/overview/javasesubscriptionfaq-4891443.html

                As a generalization, the license changes should have no impact to Oracle customers using a licensed and still supported Oracle product that is dependent on Java.  These changes mostly target those who are not Oracle customers.
                Regarding auto-update, this feature is planned to continue being available for some time.  However, the exact message will differ depending on from where you downloaded the software.  For Oracle customers, the latest Java 8 version can be downloaded from MOS using Patch 18143322
                • 5. Re: java security warning
                  lake

                  Ok I now see that the vendor is going to continue putting out public versions of java 8 for a while:

                  I also see that downloading jre-8u202 like I just did was not a good plan because what I should be getting is 8u211 or 8u212 which will be released April 16.  (why are there 2 versions like 211 and 212? I forgot the reason. The endless complications here are giving me a headache.)

                   

                  https://blogs.oracle.com/java-platform-group/oracle-java-se-releases-faq

                  Q3: What does "free for personal use" mean?

                  Previous “End of Public Updates” transitions (Java 5 in 2009, Java 6 in 2013 and Java 7 in 2015) took place on a fixed date, for all types of users, at the same time.

                  As announced last year, Oracle extended public updates for Java 8 from September 2018 to January 2019.  Oracle also further extended free public updates of Java 8 for personal, individual desktop or laptop use until at least the end of 2020.  This provides free updates for individuals using any “B2C” type applications that may still be using legacy Java 8 Applets, Web Start, and JavaFX features (which were removed in Java 9 or later versions).  More information on this topic was published last year.  This means individuals who rely on Java 8 for games, personal banking, or other individual consumer type activities on their desktop or laptop computers will continue to get free updates through at least 2020.

                  ...

                  "The January 15th, 2019 scheduled Critical Patch Update of Java 8 (8u201, and the related 8u202 Patch Set Update) are the last update available under the BCL license which is generally free for general purpose desktop and server use, and has been the Oracle JDK license for several years.  The following update of Java 8, scheduled for April 16, 2019 (8u211 and the related 8u212 Patch Set Update), will be made available under a new license which will be free for personal individual desktop use, and free for development, testing, prototyping and demonstration purposes.

                  The most recent Java releases remain free and under an open source license, from jdk.java.net, or free for development, testing, prototyping and demonstrating license from OTNJava SE Subscriptions are available for those who wish to continue to use Java 8 updates made available as of April 16th, 2019 for commercial or production purposes.  The Java SE Subscription FAQ has additional information including pricing."

                  • 6. Re: java security warning
                    Michael Ferrante-Oracle

                    why are there 2 versions like 211 and 212?

                     

                    The odd version (211) is the CPU (the one that contains the latest security updates) and the even one (212) is the one that contains security updates plus non-security updates.

                    • 7. Re: java security warning
                      lake

                      Ok I was wrong. This message attached IS coming from javaws.  TGIF!

                      but that is a cool feature to be able to do on the command line:

                      javaws http://SERVER:9001/forms/frmservlet?config=webstart