Java JRE 1.6 B20
I've been tasked with deploying the latest version of Sun Java JRE to all computers due to a new web application we are releasing. Easy, right? I extracted out the MSI from the setup executable and when I fire the command line logged in as myself: works great. When I try firing it from SCCM 2007 under the localsystem account, I get two prompts:
"Revocation information for the security certificate for this site is not available. Do you want to proceed?". The options are Yes, No, View Certificate. It wants to access the Internet to check the CRL status of each certificate and obviously it won't have access under localsystem through the proxy. Searching around, I can only find one article that describes certificate checks during the JRE installation: http://marc.info/?l=patchmanagement&m=127016211327097. The solution they give is to install the Java certificates before deployment.
I went ahead and re-fired the install, this time doing a "View Certificate", "Details", "Copy to file" and exporting the certificate as a CER file. I copied the necessary files from a Windows 2003 server for certutil and then did a "certutil -f -addstore ROOT VersignJavaCert.cer". The blasted thing still comes up with the prompt and MSIEXEC won't continue on until it's clicked (I want it completely silent).
"Revocation information for the security certificate for this site is not available. Do you want to proceed?". The options are Yes, No, View Certificate. It wants to access the Internet to check the CRL status of each certificate and obviously it won't have access under localsystem through the proxy. Searching around, I can only find one article that describes certificate checks during the JRE installation: http://marc.info/?l=patchmanagement&m=127016211327097. The solution they give is to install the Java certificates before deployment.
I went ahead and re-fired the install, this time doing a "View Certificate", "Details", "Copy to file" and exporting the certificate as a CER file. I copied the necessary files from a Windows 2003 server for certutil and then did a "certutil -f -addstore ROOT VersignJavaCert.cer". The blasted thing still comes up with the prompt and MSIEXEC won't continue on until it's clicked (I want it completely silent).
0 Comments
[ + ] Show comments
Answers (12)
Please log in to answer
Posted by:
Lucid
14 years ago
Just some quick questions...
1. When you downloaded the .EXE did you Unblock it (right-click the .EXE and select Properties)?
2. When you extracted the .MSI, did you grab the other files that are in the temp folder with it?
3. What OS are you deploying this to?
I'm deploying the 32-bit and 64-bit using a VBScript that uses this switch: /quiet /norestart ADDLOCAL=ALL IEXPLORER=1 NETSCAPE=1 MOZILLA=1 REBOOT=Suppress JAVAUPDATE=0 SYSTRAY=0
1. When you downloaded the .EXE did you Unblock it (right-click the .EXE and select Properties)?
2. When you extracted the .MSI, did you grab the other files that are in the temp folder with it?
3. What OS are you deploying this to?
I'm deploying the 32-bit and 64-bit using a VBScript that uses this switch: /quiet /norestart ADDLOCAL=ALL IEXPLORER=1 NETSCAPE=1 MOZILLA=1 REBOOT=Suppress JAVAUPDATE=0 SYSTRAY=0
Posted by:
anonymous_9363
14 years ago
Posted by:
aleinss
14 years ago
My command line is: msiexec /i jre1.6.0_20.msi /quiet /norestart ADDLOCAL=ALL IEXPLORER=1 REBOOT=Suppress JAVAUPDATE=0
To answer the above:
1. I did not unblock the EXE per se because I extracted all the files from it.
2. I did grab all the other files, including the cab
3. I am deploying to Windows XP SP3
To answer the above:
1. I did not unblock the EXE per se because I extracted all the files from it.
2. I did grab all the other files, including the cab
3. I am deploying to Windows XP SP3
Posted by:
aleinss
14 years ago
Well, here's the "funny part"...you can still be logged in as a domain user and still not get access to the Internet. We use something called IPRISM. Unless the user hits an external web site through Internet Explorer, they don't have access to the Internet. This shows up in their Outlook....someone sends them an e-mail with pictures linked to the Internet and they show up with red X's. If I have them open IE and hit google.com, then open Outlook, all the pictures show up.
I suppose I could pass my own credentials somehow and have part of the script access the Internet...but that makes me nervous.
I suppose I could pass my own credentials somehow and have part of the script access the Internet...but that makes me nervous.
Posted by:
pjgeutjens
14 years ago
My command line is: msiexec /i jre1.6.0_20.msi /quiet /norestart ADDLOCAL=ALL IEXPLORER=1 REBOOT=Suppress JAVAUPDATE=0
this looks to me like a mix between msi and exe command line parameters. Try
msiexec /i jre1.6.0_20.msi /qn ADDLOCAL=ALL IEXPLORER=1 REBOOT=ReallySuppress JAVAUPDATE=0
or if you want something to look at
msiexec /i jre1.6.0_20.msi /qb! ADDLOCAL=ALL IEXPLORER=1 REBOOT=ReallySuppress JAVAUPDATE=0
PJ
Posted by:
aleinss
14 years ago
Posted by:
anonymous_9363
14 years ago
The command line you're using is irrelevant to the problem. All that's happening is that the install is checking with an https site, presumably at sun.com and presumably for an update of some description and that site's security certificate is viewed by your machine as being expired.
There are many ways around the problem, the simplest of which is to turn off IE's checking for certificate revokation. Longer term, you should install an up-to-date certificate.
There are many ways around the problem, the simplest of which is to turn off IE's checking for certificate revokation. Longer term, you should install an up-to-date certificate.
Posted by:
adavid
14 years ago
A late post to this thread, but I thought I'd add a solution for the next person who has this problem.
The problem (for me) turned out to be that iPrism is blocking the CRL. How? Why? Who knows. They not only block it, they then fail to log the fact that they blocked it, making diagnosis that much harder.
I resolved the problem by adding a "No authentication" exception for the range 199.7.48.0 - 199.7.63.255.
The problem (for me) turned out to be that iPrism is blocking the CRL. How? Why? Who knows. They not only block it, they then fail to log the fact that they blocked it, making diagnosis that much harder.
I resolved the problem by adding a "No authentication" exception for the range 199.7.48.0 - 199.7.63.255.
Posted by:
aleinss
14 years ago
I didn't even think of a pass-through rule from the IPRISM side. Then again, I don't have any control over that system. I just came in on the weekend and did it manually with my supervisor. Later on, we found out that this web application was built on Sun Java R18 and there are new security changes in R19/R20 that break the file transfer feature. Thankfully, not many people use that feature, so I only had to backrev a few people back to R18.
However, R19/R20 seems to check for Java updates (even if you tell it not to from the Control Panel) and causes an error "crash" message if the user doesn't have administrator rights. You actually have to go in and take out jusched.exe from the Run key and then it finally stops checking for updates for good.
Sun should offer a truly "offline installation" and not one that whines when not being able to get to the Internet.
However, R19/R20 seems to check for Java updates (even if you tell it not to from the Control Panel) and causes an error "crash" message if the user doesn't have administrator rights. You actually have to go in and take out jusched.exe from the Run key and then it finally stops checking for updates for good.
Sun should offer a truly "offline installation" and not one that whines when not being able to get to the Internet.
Posted by:
adavid
14 years ago
To be fair to Sun, I think you are actually seeing 2 different problems here.
1) Java autoupdates - Definitely a hassle. While Java used to have a command line option on installs to disable this, they have instead moved configuration files (discussed here: http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html). I ended up creating a vbscript that I deploy with the Java installs that creates these files, munges the registry keys, etc. However, that doesn't remove the prompt you described above.
2) Certificate validation - The addresses I opened in iPrism are NOT Sun/Java. They are VeriSign. With that in mind, are we sure this is a Java popup? Who really performs the certificate validation? I can certainly picture Java calling a Windows ValidateCertificate() function that checks everything about the cert, including the CRLs. In which case, the failure to correctly handle proxies would be an MS bug, not a Sun one.
Although it's not an issue for me, I certainly understand the desire for a fully offline install. However, if the installer wants to make sure this is a valid, unmodified version of the real Java, it needs to check the signature the file was signed with to a) make sure it is from a known signing authority and b) make sure it wasn't signed with a certificate that has since been compromised. While it can do (a) by just looking at the certificates installed on your computer, not sure how it can do (b) without the internet. And it does seem like a legitimate question about what a program should do if it can't contact the location where revocations are stored. Fail silently? Sorta defeats the purpose. Prompt? Mucks with automated installs and confuses users.
You said you were running XP sp3. Do these machines have IE8?
1) Java autoupdates - Definitely a hassle. While Java used to have a command line option on installs to disable this, they have instead moved configuration files (discussed here: http://download.oracle.com/javase/6/docs/technotes/guides/deployment/deployment-guide/properties.html). I ended up creating a vbscript that I deploy with the Java installs that creates these files, munges the registry keys, etc. However, that doesn't remove the prompt you described above.
2) Certificate validation - The addresses I opened in iPrism are NOT Sun/Java. They are VeriSign. With that in mind, are we sure this is a Java popup? Who really performs the certificate validation? I can certainly picture Java calling a Windows ValidateCertificate() function that checks everything about the cert, including the CRLs. In which case, the failure to correctly handle proxies would be an MS bug, not a Sun one.
Although it's not an issue for me, I certainly understand the desire for a fully offline install. However, if the installer wants to make sure this is a valid, unmodified version of the real Java, it needs to check the signature the file was signed with to a) make sure it is from a known signing authority and b) make sure it wasn't signed with a certificate that has since been compromised. While it can do (a) by just looking at the certificates installed on your computer, not sure how it can do (b) without the internet. And it does seem like a legitimate question about what a program should do if it can't contact the location where revocations are stored. Fail silently? Sorta defeats the purpose. Prompt? Mucks with automated installs and confuses users.
You said you were running XP sp3. Do these machines have IE8?
Posted by:
aleinss
14 years ago
They are all running IE7. I understand why a CRL check is done (if my certificate is revoked, don't use it), but there should be an option such as /nonetcheck during the install to surpress the need to get on the Internet. Once installed and the user is logged in, it can check the Internet all it wants. I always run programs using the local SYSTEM account which has no Internet access and this is the first program I've ever encountered that demands Internet access during the install.
When I deploy Smartdraw, it requires activiation over the Internet, but it does this after the install process and the user can do this activiation themselves without administrator rights.
When I deploy Smartdraw, it requires activiation over the Internet, but it does this after the install process and the user can do this activiation themselves without administrator rights.
Posted by:
adavid
14 years ago
But checking *after* the software is installed is too late. If a certificate is compromised (meaning the contents of the file are suspect), wouldn't that be something you would want to know *before* executing the code?
That said, I believe there may be an option to turn off CRL checking. If I change iPrism to block that range instead of opening it, I can easily get the popup from Java. However, if I go to Control Panel/Internet Options/Advanced/Security/ and clear the box for "Check for Server Certificate Revocation," the popup is gone.
I suspect that playing with the registry key [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State] using the appropriate values (maybe 0x00023e00?) defined on this page http://msdn.microsoft.com/en-us/library/aa388201%28VS.85%29.aspx, you can turn off CRL checking for the system account. You can see the numeric values for the constants described on that page in WinTrust.h:
[font="courier new"]
#define WTPF_TRUSTTEST 0x00000020 // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID 0x00000080
#define WTPF_IGNOREEXPIRATION 0x00000100 // Use expiration date
#define WTPF_IGNOREREVOKATION 0x00000200 // Do revocation check
#define WTPF_OFFLINEOK_IND 0x00000400 // off-line is ok individual certs
#define WTPF_OFFLINEOK_COM 0x00000800 // off-line is ok commercial certs
#define WTPF_OFFLINEOKNBU_IND 0x00001000 // off-line is ok individual certs, no bad ui
#define WTPF_OFFLINEOKNBU_COM 0x00002000 // off-line is ok commercial certs, no bad ui
#define WTPF_VERIFY_V1_OFF 0x00010000 // turn verify of v1 certs off
#define WTPF_IGNOREREVOCATIONONTS 0x00020000 // ignore TimeStamp revocation checks
#define WTPF_ALLOWONLYPERTRUST 0x00040000 // allow only items in personal trust db.
Google also shows some discussions about this key.
That said, I believe there may be an option to turn off CRL checking. If I change iPrism to block that range instead of opening it, I can easily get the popup from Java. However, if I go to Control Panel/Internet Options/Advanced/Security/ and clear the box for "Check for Server Certificate Revocation," the popup is gone.
I suspect that playing with the registry key [HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\State] using the appropriate values (maybe 0x00023e00?) defined on this page http://msdn.microsoft.com/en-us/library/aa388201%28VS.85%29.aspx, you can turn off CRL checking for the system account. You can see the numeric values for the constants described on that page in WinTrust.h:
[font="courier new"]
#define WTPF_TRUSTTEST 0x00000020 // trust any "TEST" certificate
#define WTPF_TESTCANBEVALID 0x00000080
#define WTPF_IGNOREEXPIRATION 0x00000100 // Use expiration date
#define WTPF_IGNOREREVOKATION 0x00000200 // Do revocation check
#define WTPF_OFFLINEOK_IND 0x00000400 // off-line is ok individual certs
#define WTPF_OFFLINEOK_COM 0x00000800 // off-line is ok commercial certs
#define WTPF_OFFLINEOKNBU_IND 0x00001000 // off-line is ok individual certs, no bad ui
#define WTPF_OFFLINEOKNBU_COM 0x00002000 // off-line is ok commercial certs, no bad ui
#define WTPF_VERIFY_V1_OFF 0x00010000 // turn verify of v1 certs off
#define WTPF_IGNOREREVOCATIONONTS 0x00020000 // ignore TimeStamp revocation checks
#define WTPF_ALLOWONLYPERTRUST 0x00040000 // allow only items in personal trust db.
Google also shows some discussions about this key.
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
so that the conversation will remain readable.