Documentation

 

 

Introduction
This article discusses the supported Java versions for SecureAuth IdP and basic troubleshooting techniques to resolve Java-related issues.
Applies to
SecureAuth IdP VersionOS VersionJava Version
6.x+
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
Java 7+

Disclaimer

Any link to third-party software available on this page is provided "as is" without warranty of any kind, either expressed or implied. Information about products not made by SecureAuth Corporation is provided for information purposes only and does not constitute SecureAuth Corporation's recommendation or endorsement.

Discussion
JRE Version Support

SecureAuth IdP supports Java 8 for SecureAuth IdP, starting with Java 8u25

If the appliance is running SecureAuth IdP 8.0.1 or later, then full support for Java 8 is and available and no further actions are needed

If the appliance is running SecureAuth IdP 8.0.0 or earlier, then the Java Applet Updater needs to be applied to properly support Java 8

If the appliance is running SecureAuth IdP 5.x – which does not support Java 8 – and Java capabilities are required, then contact support about upgrading the SecureAuth IdP appliance

NOTE: See the Java section of the SecureAuth Compatibility Guide for more information about supported SecureAuth IdP versions of Java

The latest supported version of Java is always the recommended version as it contains feature updates, vulnerability fixes and performance improvements to previous versions

As of October 2016, SecureAuth IdP supports Java SE 8 Update 111 (Java 8u111)

NOTE : If the Java Applet Updater needs to be installed in the SecureAuth IdP environment, contact SecureAuth Support to schedule an appointment with a representative to apply the update

If the appliance is running SecureAuth IdP RADIUS service

 Questions about compatibility with Java and 64-bit Windows systems, are addressed in the Oracle document Which Java download should I choose for my 64-bit Windows operating system?

Browser Support

Google Chrome™ has stopped supporting Java (and other NPAPI Plugins) since September 2015

See the SecureAuth support document Google Chrome Support for Java Enabled SecureAuth IdP Realms for further information on this change

Known Issues
Java 7 Issues
  • Users on Java 7u55 and later receive a security warning when visiting a SecureAuth IdP realm "Allow access to the following application from this web site"

See the support document Java Security Warning: Allow access to the following application from this web site? for further information about this issue

  •  Users on Java 7u25, 7u40 and 7u45 may have issues running the SecureAuth IdP applet after the release of Java 7u51

See the article Issues with SecureAuth IdP Java Applets Running 7u25, 7u40, 7u45 for more information

Java Upgrade Issues
  • Users are prompted to upgrade their version of Java to version 8 when accessing a SecureAuth IdP realm

Starting on or after March 18th, 2014 users report that SecureAuth IdP is asking them to upgrade their Java installation to version 8

The upgrade request is being generated by the Java Deployment Toolkit add-on distributed by Oracle

To resolve this issue, SecureAuth recommends disabling or removing the add-on since it is not required for the normal operation of Java

  • Users are prompted to upgrade their version of Java when accessing a SecureAuth IdP realm

See support document Users are Being Prompted for a Java Update for further information

  •  Users are prompted to install an outdated version of Java when they visit a SecureAuth IdP realm

See the support document Windows JRE Download Configuration Guide for more information

Other Java Issues
  •  Users are redirected to the java.com website when accessing a SecureAuth IdP realm

See the Oracle support document Why do I see the Java Update Needed messages: Your Java version is out of date or Your Java version is insecure? for more information

  • On SecureAuth IdP realms not configured for a Java workflow, and Java Runtime Environment (JRE) is still running when users visit the realm, execute the following steps

     1. Disable Java Detection
    SecureAuth IdP Configuration Steps

     

    1. Go to the System Info tab

    2. In the Plugin Info section, select False from the Java Detection dropdown

    Click Save once the configuration has been completed and before leaving the System Info page to avoid losing changes

     2. Apply the Java Applet Updater 2.1 or greater to resolve the issue

    Contact SecureAuth Support to arrange for this updater to be applied

Troubleshooting

Use these methods to resolve issues with the Java client and SecureAuth IdP

Use the Cleancert utility to clear existing certificates

1. Access the cleancert page (https://<appliance IP or FQDN>/<realm number>/cleancert.aspx

e.g. https://company.secureauth.com/SecureAuth0/cleancert.aspx

2. Click Delete All SecureAuth Certs and Delete All Security Files
 

 See sample cleancert.aspx page...

 

Verify multiple Java versions are not present on the impacted workstation

Verify the impacted workstation does not have multiple versions of Java installed (Java Control Panel → Java Tab → View)

If multiple Java versions are present, remove outdated versions

64-bit Java

If running the 64-bit version of Java, try using the 32-bit version instead

There have been cases in which issues were found using the 64-bit version which were not found in the 32-bit JRE

The 32-bit version can be run on a 64-bit operating system without issue

Re-install Java Runtime Environment (JRE)

Under certain circumstances, the Java Runtime Environment (JRE) can become corrupted and must be re-installed

To properly re-install the JRE

1. Uninstall Java from the impacted workstation (Windows) (Mac OS X)

2. Reboot the workstation

3. Install Java on the impacted workstation 

If using the online Java installer causes issues, or if the Java installer is inaccessible it due to security restrictions on the network, then download a manual installer from the Offline Installation site provided by Oracle

Verify the Java Applet Updater has been applied

If running a SecureAuth IdP version prior to 7.4, verify the Java Applet Updater has been applied to all appliances in the environment

Contact SecureAuth Support if unsure whether this patch has been applied or if it needs to be installed on SecureAuth IdP appliance(s)

IIS Binding Cert / SSL Termination Point Error

If Java is unable to properly validate the IIS binding certificate, then a Java error appears

Follow these steps to ensure certificate validation is working properly

Step 1: Verify the IIS binding certificate has not expired

1. Open the IIS Manager

a. Click Start, then click Control Panel, then System and Security, and then Administrative Tools

b. In the Administrative Tools window, double-click Internet Information Services (IIS) Manager

2. Verify the certificate

a. In the Connections pane, expand the Sites node in the tree, and then click the Default Web Site node

b. In the Actions pane, click Bindings

c. Find the https entry and click it, then click Edit...

d. In the Edit Site Binding window, click View...

e. In the Certificate window, under the General tab locate the Valid From section

Verify the certificate is still valid – if invalid, the certificate must be replaced

Step 2: Check the load balancer

If a load balancer is in use, then ensure intermediate certificates for the IIS Binding certificate are installed and current on the device  

Step 3: Verify the SSL termination point configuration

Verify the SSL Termination point configuration for the realm(s) is impacted by following the instructions in the technical document Configure SSL Termination Point Functionality