This document describes how to troubleshoot Java security warnings on the Cisco Unified Contact Center Express (UCCX) Cisco Agent Desktop (CAD) Agent Email, as well as on the Cisco Agent Desktop Browser Edition (CAD-BE).
The UCCX CAD Agent Email and the CAD-BE rely on Java (and Java Applets) in order to function.
Changes in Java security rules and architecture in the versions of Java that are supported by some of the UCCX CAD Agent Email and CAD-BE versions produce user-visible security warnings or cause the features to function improperly or not at all.
When you run Agent Email or CAD-BE in a browser, the you receive a new security warning that appears similar to this:
When you click the More Information... link, this message appears:
If you choose the Block option, the application does not run properly (or a complete failure of the application occurs), and the entire browser might lock up. Even if you choose the Don't block and No options, Java still restricts operations and might cause runtime issues.
These Java releases have the aforementioned change:
- Java Release 1.7.0, Updates 21 and later
- Java Release 1.6.0, Updates 45 and later
This section describes possible workarounds for the problem that is described in the previous section.
This section describes how to troubleshoot security pop-up warnings for each UCCX version.
UCCX Versions Prior to Version 9.0(2)SU1
The UCCX versions prior to Version 9.0(2)SU1 only support Java versions up to Version 1.6.0, Update 31, so installations that currently run the affected Java versions use an unsupported version of Java.
In order to workaround this issue, you can uninstall Java from the machine completely. When you log into the CAD, CSD, or CAD-BE, the correct version of Java will then be installed. After the supported Java version is installed, the security pop-up warnings should not appear.
UCCX Version 9.0(2)SU1
The UCCX Version 9.0(2)SU1 supports Java Version 1.6.0, Update 45 and contains the fix for Cisco bug ID CSCug80029.
No security pop-up warnings should appear, provided the PC runs Java Version 1.6.0, Update 45, and Agent Email should function normally.
UCCX Version 10.0(1)
The UCCX Version 10.0(1) supports Java Version 1.7.0, Update 45. Recently, Java Version 1.7.0, Update 51 was released. At that time, Oracle increased the security baseline to Update 51, which left Update 45 categorized as insecure. If you run UCCX Version 10.0(1) and Java Version 1.7.0, Update 45, a security pop-up warning appears when you log into Agent Email.
In order to workaround this issue, you must lower the security slider to Medium within the browser and click Don't Block each time you receive the message so that Agent Email works properly. You can also upgrade to Java Version 1.7.0, Update 51 in order to resolve this issue. The fix that is described in Oracle bug ID JDK-8027405, which is included in Update 51, should prevent future occurrences of this issue.
Agent Email Logging
After Java Version 1.7.0, Update 45 was integrated into the CAD for UCCX Version 10.0, the issue described in Cisco bug ID CSCum00334 was found due to changes in the JRE from Oracle. This created an issue where the Agent Email client-side logging (EEMUi*.log) is disabled by default.
Here is a summary of the issue:
- In Release 7u21, the JRE required the use of a Trusted-Library manifest attribute in order to prevent the occurrence of the security pop-up warnings. Internal CAD development successfully used this attribute in order to mitigate issue.
- In Release 7u45, the JRE also required use of a Caller-Allowable-Codebase manifest attribute in order to prevent the occurrence of a new security pop-up warning.
- The Oracle JDK bugs describe an issue where JRE Release 7u45 does not allow the Trusted-Library and Caller-Allowable-Codebase manifest attributes to coexist. If they do, the latter attribute is ignored.
- The Oracle workaround was to use only the Caller-Allowable-Codebase manifest attribute, which should have prevented the occurrence of both security pop-up warnings. However, when this workaround is implemented, the first security pop-up warning is triggered for EemUi when you attempt to access the .jar manifest files, which are required in order to initialize the logging subsystem.
Oracle has tracked this issue in bug ID JDK-8026347 with plans to resolve it.
When bug ID JDK-8026228 is fixed, it should allow the CAD to use both the Trusted-Library and Caller-Allowable-Codebase manifest attributes simultaneously, which should prevent the first security pop-up warning when the logging subsystem is used (since this security pop-up warning was successfully mitigated with the addition of the Trusted-Library manifest attribute for JRE Version 7u21).