Hewlett Packard Enterprise | a00039785en_us

Advisory: HPE StoreFabric B-Series Switches - On 18 February 2018, Web Tools And HPE Network Advisor Remote Client Access Will Be Blocked On Affected Software Versions

Last update date:

2/28/2024

Affected products:

Brocade 16Gb Fibre Channel SAN Switch for HPE Synergy

Brocade 16Gb SAN Switch for HPE BladeSystem c-Class

Brocade 8Gb SAN Switch for HPE BladeSystem c-Class

HPE 1606 Extension SAN Switch

HPE 8/24 SAN Switch

HPE 8/40 SAN Switch

HPE 8/8 SAN Switch

HPE 8/80 SAN Switch

HPE B-series SAN Network Advisor Software

HPE B-series SN6000B Fibre Channel Switch

HPE B-series SN6500B Fibre Channel Switch

HPE Encryption SAN Switch

Affected releases:

No affected releases provided.

Fixed releases:

No fixed releases provided.

Description:

Info

Document Version | Release Date | Details
2 | 2 February 2018 | Updated technical details in Description, Resolution version and workaround
1 | 12 January 2018 | Original Document Release

Beginning on 18 February 2018, when attempting to launch Web Tools, either directly from the switch using a Web browser or via an Element Manager in HPE Network Advisor, the Web Tools session will be blocked by Java security when running a version of HPE StoreFabric B-series Fabric OS (FOS) that contains an expired Java code-signing certificate. Also, beginning on 18 February 2018, HPE Network Advisor remote client launch will be blocked by Java security, if using a version of HPE Network Advisor that contains an expired Java code-signing certificate.

HPE Network Advisor and Web Tools jar files are signed by a code-signing certificate to protect against illegal tampering. This certificate is validated by Java before launching the Java Client. When the Java code-signing certificate expires, the following operations will fail due to being blocked by the Java security code:

- Launching Web Tools from a browser to access switches will fail to start if the certificate in FOS is expired.
- Launching Element Manager in any HPE Network Advisor client session to access switches will fail to start if the certificate in FOS is expired.
- Launching remote HPE Network Advisor client sessions to HPE Network Advisor servers will fail to connect if the certificate in HPE Network Advisor is expired.

Due to the separate and independent Java certificates in HPE Network Advisor and FOS, using a version of FOS with an updated certificate will not address the HPE Network Advisor remote client launch issue, and using a version of HPE Network Advisor with an updated certificate will not address the issue with direct or HPE Network Advisor Element Manager launch of FOS Web Tools.

HPE StoreFabric B-Series switches will continue to operate without failure. There is no interruption to traffic or any other operation of the switch. Switches can continue to be managed by CLI via SSH, Telnet, and other interfaces. Switches can also be managed by HPE Network Advisor if the selected operations do not require the launching of Web Tools via an Element Manager interface. Only Web Tools and Element Manager access to a switch will be blocked if the Java certificate has expired.

Affected versions of HPE Network Advisor will continue to operate. Remote client connections to an affected HPE Network Advisor server with an expired Java certificate will fail. Local client sessions can be opened, as this does not require a signed code certification check. Using a remote desktop session to access a client running locally on the HPE Network Advisor server will continue to work, even if the HPE Network Advisor server's Java certificate has expired; however, launching Web Tools via an Element Manager via this remote desktop accessible local client will still fail when managing a switch with a version of FOS that has an expired Java certificate.

Scope

This issue affects all HPE StoreFabric B-series switches with FOS and HPE Network Advisor versions released before the fixed versions. Versions released before the fixed versions listed in the Resolution contain a Java code signing certificate that will expire on 18 February 2018. Once this certificate expires, Web Tools and HPE Network Advisor remote client launches will be blocked by Java security.

Resolution

To address this issue, a new Java code-signing certificate must be installed by upgrading to the HPE StoreFabric B-series FOS and HPE Network Advisor versions below. The HPE StoreFabric B-series FOS and HPE Network Advisor Java code-signing certificates are independent of each other. In order to address the issue of launching Web Tools from a browser or launching the Element Manager in any HPE Network Advisor client session, the HPE StoreFabric B-series FOS will need to be upgraded. To address the issue of launching remote HPE Network Advisor client sessions to an HPE Network Advisor server, HPE Network Advisor will need to be upgraded. Depending on your usage, both the HPE StoreFabric B-series FOS and HPE Network Advisor may need to be upgraded.

- HPE Network Advisor 14.4.1 and later (HPE Network Advisor 14.4.1 expected on 9 February 2018)
- HPE Network Advisor 14.2.2
- FOS 8.2.0 and later (expected in March 2018)
- FOS 8.1.2a and later
- FOS 8.0.2d and later
- FOS 7.4.2c and later
- FOS 7.4.1f and later

NOTE: It is not possible to update the Java code-signing certificate in other released versions of HPE StoreFabric B-Series FOS or HPE Network Advisor.

After upgrading, a new, valid certificate will be in use, and the launching of Web Tools or an HPE Network Advisor remote client will not be blocked by Java security.

Workaround

Users who wish to continue using Web Tools on a switch with an expired certificate or users who wish to continue using HPE Network Advisor with an expired certificate in remote client mode can perform the following workaround:

1. Disable signed code certificate revocation checks in the system Java Control Panel.

   NOTE: This will disable checks for browsers attempting to directly launch a Web Tools session and also for launching remote HPE Network Advisor clients.

2. Add URLs to the Exception Site List under the Security tab of the Java Control Panel. The exception URLs that need to be added and the correct Java Control Panel to add them to depend on how Web Tools or HPE Network Advisor (BNA) are used.

   - For launching Web Tools from a browser: from the system Java Control Panel (access via Start > Control Panel > Java), add Web Tools URLs for all switches to be managed to the exception URL list. For example, https://switch-ipaddress/ .
   - For launching a remote client session to an HPE Network Advisor server or launching Element Manager on a remote HPE Network Advisor client: from the system Java Control Panel (access via Start > Control Panel > Java), add the HPE Network Advisor server URL.
   - For launching Element Manager on a local HPE Network Advisor client: from the HPE Network Advisor server embedded Java Control Panel (access via <HPE Network Advisor install folder>\jre64\bin\javacpl.exe), add the HPE Network Advisor server URL.

   NOTE: The HPE Network Advisor server URL that needs to be entered in the exception list in Step 2 above is either https://network-ipaddress/ or https://localhost/ . The HPE Network Advisor client login dialog box indicates the network IP address used by the client to contact the HPE Network Advisor server. By default, localhost is used.

Both of these workaround steps must be performed to prevent the Java client launch from being blocked by the Java security code. See the following website for additional information on configuring the Exception Site List: https://www.java.com/en/download/faq/exception_sitelist.xml

Users running remote HPE Network Advisor clients may alternatively establish a remote desktop session with an HPE Network Advisor server with an expired Java certificate and launch a local HPE Network Advisor client through this Remote Desktop session; however, launching Web Tools for a switch via Element Manager through this local client will still fail if the switch has an expired Java certificate.

Users with a Java 7 environment, which is supported with Web Tools in Fabric OS versions 7.4 or earlier and HPE Network Advisor versions 12.4 or earlier, can use the following alternative workaround (only applicable for Java 7 environments):

1. Go to the Security tab under the Java Control Panel.
2. Change the security level to Medium.
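The following is an added example, not part of the HPE advisory: it classifies FOS and HPE Network Advisor versions against the fixed releases listed in the Resolution, and produces Exception Site List URLs only for switches that still carry the old certificate, so the workaround list stays no wider than needed. The function names and the inventory are constructed for illustration, and treating each listed release as the minimum within its own major.minor train is an assumption about how "and later" applies.

```python
import re

# Fixed releases from the advisory's Resolution section.
# Assumption: within a major.minor train the listed patch level and letter
# is a minimum; trains with no listed release below 8.2.0 count as affected.
FOS_FIXED = {(7, 4): [(1, "f"), (2, "c")], (8, 0): [(2, "d")], (8, 1): [(2, "a")]}
FOS_FIXED_FROM = (8, 2, 0)  # "FOS 8.2.0 and later"
_FOS = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_fos(version):
    """Split 'v7.4.1f' into (7, 4, 1, 'f'); a missing letter becomes ''."""
    m = _FOS.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised FOS version: {version!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def fos_has_new_cert(version):
    """True if this FOS release is at or after a fixed release in its train."""
    major, minor, patch, letter = parse_fos(version)
    if (major, minor, patch) >= FOS_FIXED_FROM:
        return True
    minimums = FOS_FIXED.get((major, minor), [])
    for fixed_patch, fixed_letter in minimums:
        if patch == fixed_patch:
            # '' sorts before 'a', so 8.1.2 is older than 8.1.2a
            return letter >= fixed_letter
    return bool(minimums) and patch > max(p for p, _ in minimums)


def na_has_new_cert(version):
    """HPE Network Advisor: 14.2.2 itself, or 14.4.1 and later."""
    parts = tuple(int(x) for x in version.split(".")[:3])
    return parts == (14, 2, 2) or parts >= (14, 4, 1)


def exception_urls(inventory):
    """Web Tools exception URLs only for switches still on the old certificate."""
    return sorted(f"https://{ip}/" for ip, ver in inventory.items()
                  if not fos_has_new_cert(ver))


# Constructed inventory: documentation-range addresses mapped to FOS versions.
INVENTORY = {"192.0.2.10": "v7.4.1e", "192.0.2.11": "v7.4.2c",
             "192.0.2.12": "v8.0.1b", "192.0.2.13": "v8.2.0"}

if __name__ == "__main__":
    for url in exception_urls(INVENTORY):
        print(url)
```

Re-running it after each round of upgrades shows which exception entries no longer correspond to a switch with the expired certificate.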
