Troubleshoot CAD Java Security Warnings

Introduction

This document describes how to troubleshoot Java security warnings on the Cisco Unified Contact Center Express (UCCX) Cisco Agent Desktop (CAD) Agent Email, as well as on the Cisco Agent Desktop Browser Edition (CAD-BE).

Background Information

The UCCX CAD Agent Email and the CAD-BE rely on Java (and Java Applets) in order to function.

Changes in Java security rules and architecture in the versions of Java that are supported by some of the UCCX CAD Agent Email and CAD-BE versions produce user-visible security warnings or cause the features to function improperly or not at all.

Problem

When you run Agent Email or CAD-BE in a browser, the you receive a new security warning that appears similar to this:

When you click the More Information... link, this message appears:

If you choose the Block option, the application does not run properly (or a complete failure of the application occurs), and the entire browser might lock up. Even if you choose the Don't block and No options, Java still restricts operations and might cause runtime issues.

Conditions

The latest Java releases treat JavaScript-to-Applet communication as unsigned code. This causes the CAD to have a mixed signed/unsigned Java Applet, which creates a security warning where you are required to choose either the Block or Unblock option. This impacts any signed Java Applet where there is JavaScript-to-Applet communication.

These Java releases have the aforementioned change:

• Java Release 1.7.0, Updates 21 and later
• Java Release 1.6.0, Updates 45 and later

Note: The CAD uses a Java Runtime Environment (JRE) for the Agent Email, Cisco Supervisor Desktop (CSD), and CAD-BE.

Solution

This section describes possible workarounds for the problem that is described in the previous section.

Security Warnings

This section describes how to troubleshoot security pop-up warnings for each UCCX version.

UCCX Versions Prior to Version 9.0(2)SU1

The UCCX versions prior to Version 9.0(2)SU1 only support Java versions up to Version 1.6.0, Update 31, so installations that currently run the affected Java versions use an unsupported version of Java.

In order to workaround this issue, you can uninstall Java from the machine completely. When you log into the CAD, CSD, or CAD-BE, the correct version of Java will then be installed. After the supported Java version is installed, the security pop-up warnings should not appear.

Note: If a machine is directly updated to the latest Java versions (without a Java uninstall), the pop-up issues might still occur, and Agent Email might not function as intended.

UCCX Version 9.0(2)SU1

The UCCX Version 9.0(2)SU1 supports Java Version 1.6.0, Update 45 and contains the fix for Cisco bug ID CSCug80029.

No security pop-up warnings should appear, provided the PC runs Java Version 1.6.0, Update 45, and Agent Email should function normally.

UCCX Version 10.0(1)

The UCCX Version 10.0(1) supports Java Version 1.7.0, Update 45. Recently, Java Version 1.7.0, Update 51 was released. At that time, Oracle increased the security baseline to Update 51, which left Update 45 categorized as insecure. If you run UCCX Version 10.0(1) and Java Version 1.7.0, Update 45, a security pop-up warning appears when you log into Agent Email.

In order to workaround this issue, you must lower the security slider to Medium within the browser and click Don't Block each time you receive the message so that Agent Email works properly. You can also upgrade to Java Version 1.7.0, Update 51 in order to resolve this issue. The fix that is described in Oracle bug ID JDK-8027405, which is included in Update 51, should prevent future occurrences of this issue.

Tip: Refer to Cisco bug ID CSCum69044 for additional information.

Agent Email Logging

After Java Version 1.7.0, Update 45 was integrated into the CAD for UCCX Version 10.0, the issue described in Cisco bug ID CSCum00334 was found due to changes in the JRE from Oracle. This created an issue where the Agent Email client-side logging (EEMUi*.log) is disabled by default.

Here is a summary of the issue:

• In Release 7u21, the JRE required the use of a Trusted-Library manifest attribute in order to prevent the occurrence of the security pop-up warnings. Internal CAD development successfully used this attribute in order to mitigate issue.
  
  
• In Release 7u45, the JRE also required use of a Caller-Allowable-Codebase manifest attribute in order to prevent the occurrence of a new security pop-up warning.
  
  
• The Oracle JDK bugs describe an issue where JRE Release 7u45 does not allow the Trusted-Library and Caller-Allowable-Codebase manifest attributes to coexist. If they do, the latter attribute is ignored.
  
  
• The Oracle workaround was to use only the Caller-Allowable-Codebase manifest attribute, which should have prevented the occurrence of both security pop-up warnings. However, when this workaround is implemented, the first security pop-up warning is triggered for EemUi when you attempt to access the .jar manifest files, which are required in order to initialize the logging subsystem.

Tip: Refer to the Java Platform Group, Product Management Blog for a more detailed description of this issue.

Oracle has tracked this issue in bug ID JDK-8026347 with plans to resolve it.

Note: This bug is a duplicate for bug ID JDK-8026228; however, this bug is not publicly viewable without proper registration.

When bug ID JDK-8026228 is fixed, it should allow the CAD to use both the Trusted-Library and Caller-Allowable-Codebase manifest attributes simultaneously, which should prevent the first security pop-up warning when the logging subsystem is used (since this security pop-up warning was successfully mitigated with the addition of the Trusted-Library manifest attribute for JRE Version 7u21).

Tip: If UCCX Version 10.0 is used with the CAD Agent Email and client-side debugging is required, refer to Cisco bug ID CSCum00334.

Revision History