
Workaround for Java 8u131 “attempted to open sandboxed jar xxxxx as a Trusted-Library” error

A recent Java update to Java 8 build 131 changed what Java would accept as a “signed” JAR app. Specifically, any JAR signed with an MD5 hash will no longer be considered trusted, as the MD5 hash is now considered to be weak.

This change results in applications refusing to run with an error message like:
preloader: Delivering: ErrorEvent[url=https://XXXXX label=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library cause=attempted to open sandboxed jar https://XXXXX/.jar as a Trusted-Library

This occurs when the site delivering the applet is signing it with an MD5 hash. I’ve seen reports of the PulseSecure PCS and Cisco ASA doing this with the HOBsoft HOBlink Java RDP client, meaning that users are unable to securely access systems behind these devices.

PulseSecure have a workaround for their PCS – https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40580.

Cisco do not currently have a solution.

The simplest workarounds are:
a) downgrade to an earlier release of Java, or
b) re-enable MD5 as an accepted digest algorithm for signed JARs.

Here’s how to do the latter on Windows and macOS (OS X). It involves editing the “java.security” config file which the Java Virtual Machine uses.

Windows (tested on Windows 10)

You will need local administrator access for this.
Close browsers and any Java apps

Open CMD as Administrator

cd "C:\Program Files (x86)\Java\jre1.8.0_131\lib\security"
notepad java.security

(The path may be C:\Program Files\Java\jre1.8.0_131\lib\security if you run the 64-bit Java)

Current Line:

jdk.jar.disabledAlgorithms=MD2, MD5,  RSA keySize < 1024

Change this to:

jdk.jar.disabledAlgorithms=MD2,  RSA keySize < 1024

(i.e. remove the “MD5,”)

Save the file

macOS Sierra (Mac OSX)

cd /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security
sudo vi java.security

Enter your password at the prompt so that you can edit the protected file.
Type “/jdk.jar.disabledAlg” to find the relevant line.

Current Line:

jdk.jar.disabledAlgorithms=MD2, MD5,  RSA keySize < 1024

Change this to:

jdk.jar.disabledAlgorithms=MD2,  RSA keySize < 1024

(i.e. remove the “MD5,” – use the cursor keys to move to the “MD5,” and press “x” to delete each character)
Save the file by holding down SHIFT and pressing “Z” twice.

Caveat: This workaround is disabling a security measure within Java, so should be considered a risk. However, the risk is only the same as the previous version of Java, and I would assume vendors will eventually update their systems so that they sign Java applets in a secure fashion.

This works with later versions of Java as well. I’ve tried it up to Java 8 Build 161. You do have to repeat the change after each upgrade though as it restores the MD5 text.
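
Because each Java update puts the MD5 entry back, and the relaxed setting should not stay in place longer than it is needed, the following added example (not part of the original post) checks a java.security file for the workaround and can restore MD5 to the disabled list. The function names and the --restore flag are this example's own; it also joins backslash continuation lines, which the properties file format allows.

```shell
#!/bin/sh
# Added example: audit/restore the MD5 entry in a java.security file.

# Print the jdk.jar.disabledAlgorithms property as one line, joining any
# "\" continuation lines. Commented-out (#) copies of the key are ignored.
jar_disabled_algs() {
    awk '
        /^[ \t]*jdk\.jar\.disabledAlgorithms[ \t]*=/ { grab = 1 }
        grab {
            line = $0
            cont = (line ~ /\\[ \t]*$/)
            sub(/\\[ \t]*$/, "", line)
            printf "%s", line
            if (!cont) { print ""; exit }
        }
    ' "$1"
}

# Exit 0 if MD5 is listed as disabled (the shipped default),
# exit 1 if it has been removed, i.e. the workaround is active.
md5_is_disabled() {
    jar_disabled_algs "$1" | sed 's/^[^=]*=//' | tr ',' '\n' |
        grep -Eq '^[[:space:]]*MD5[[:space:]]*$'
}

# Put MD5 back at the front of the list, keeping a .bak copy of the file.
# Writing through cat preserves the file's owner and permissions.
restore_md5() {
    if md5_is_disabled "$1"; then return 0; fi
    tmp="$1.tmp.$$"
    awk '
        /^[ \t]*jdk\.jar\.disabledAlgorithms[ \t]*=/ && !done {
            sub(/=[ \t]*/, "=MD5, "); done = 1
        }
        { print }
    ' "$1" > "$tmp" && cp "$1" "$1.bak" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# Usage (sudo needed for --restore): sh script.sh /path/to/java.security [--restore]
if [ -n "${1:-}" ]; then
    if md5_is_disabled "$1"; then
        echo "MD5 is disabled (default): $1"
    else
        echo "MD5-signed JARs are accepted (workaround active): $1"
        if [ "${2:-}" = "--restore" ]; then restore_md5 "$1"; fi
    fi
fi
```
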

Oracle Secure Global Desktop (SGD) fails on MacOS Sierra

I’ve recently been struggling to get the Oracle SGD desktop client working on macOS Sierra (10.12.3, specifically).

I’d installed Java, Firefox and XQuartz but kept getting a Java error saying “Failed to install SGD client”.

Here’s what I found I needed:

  • Java – because it’s a Java app
  • Mozilla Firefox – easiest way to run Java web apps on a Mac
  • XQuartz – the open source replacement for the Apple X11.app which used to be included with OS X.
  • The Oracle SGD Desktop client, usually available from the logon page for your SGD service.

If you have XQuartz 2.7.10 or later you will also need to run the following commands in Terminal:

sudo mv /opt/X11/lib/libXt.6.dylib{,.bak}
sudo cp /opt/X11/lib{/flat_namespace,}/libXt.6.dylib

My thanks to this Harris Geospatial web page for pointing me in the direction for that fix.

Some people may find it necessary to move the “Oracle Secure Global Desktop Client” from the main /Applications folder to your local user ~/Applications folder.

 

Cisco WebEx stuck at 98% when joining meeting using Mac client

I recently hit a problem on my MacBook Air when trying to use Cisco WebEx. The Mac is running OS X 10.11 El Capitan.

The WebEx client installed without an issue, but when I tried to join a meeting the connection would hang at 98%. I had to use Force Quit to kill the client.

The solution to the problem was to change the proxy settings in Network Preferences. I’m not using a proxy but WebEx seems to have difficulties with the default setting.

Open “System Preferences” then select the “Network” icon.

Now select your current network connection from the left-hand panel (in my case this was Wi-Fi). Click the “Advanced…” button on the lower right of the panel.

Click the “Proxies” tab and the proxy settings are on the left. I’m not using a proxy but the default setting is “Auto Proxy Discovery”. Untick that, click “OK” and then “Apply” and WebEx would connect without any further problem.


Canon PIXMA MP600R on Mac OS X 10.5 Leopard

When Mac OS X 10.5 (Leopard) was released, I upgraded my Macbook. Only a few weeks later when I came to use my printer at home did I find that I couldn’t print or scan using my network-connected Canon MP600R.

All attempts to connect to the printer using the “System Preferences… > Print & Fax” setup failed. I could ping and reach the web interface of the printer, but the network drivers just couldn’t see it.

I went to the Canon downloads site and downloaded all the latest drivers, MP Navigator etc and installed them. The installation of the printer driver is pretty tedious, as you have to manually remove the old drivers, reboot, install the new drivers and reboot again. And then do the same for the scanner driver. There aren’t many Mac programs these days which insist on rebooting your machine, so Canon need to sort that out.

And after all that, it still didn’t work!

Next step was some intensive Googling to find people with similar problems. The closest I could find was a thread on the Apple Support Discussion boards about the Canon MX700.

The messages suggested that the problem was the new Leopard firewall. By setting the firewall to “Set access for specific services and applications” and adding the various Canon printing and scanning utilities to allow incoming connections, the networked printer could be added in the “Print and Fax” settings.


Wireless Mighty Mouse scroll ball problem

Wireless Mighty Mouse, originally uploaded by Lazyllama.

I’ve got a wireless Mighty Mouse for use with my Macs. Very nice it is too.

After 3 months of use the scroll ball on top stopped detecting upward movements so I could scroll down pages but not scroll back up.

Blowing into the hole didn’t fix it, but pushing hard on the ball while rolling the ball around fixed it.

MacBook died again

Last Monday, while I was at work, performing a network-based backup using Mistral Backup my MacBook stopped responding.

I powered it off and when powered back on just got the dreaded Question Mark Folder. I went through the usual diagnostic steps, resetting PMU and PRAM, reseating RAM and hard drive, but I knew the hard disk was dead. When the power was first applied it made 4 clicking noises and didn’t spin up.

I called Apple Support as the machine is still only a few months old and well within warranty. They agreed that the drive was dead and that I would need to take it to either an Apple Store or a local Authorised Apple Service Provider. I called a couple of local service providers but none of them had the 80GB 2.5in SATA drive in stock, so I decided to take the machine to the Apple Store on Regent Street.

Now the Apple Stores run a “Genius Bar” system where you can get tech support, but it runs on a strictly appointment-only system. You have to book appointments online, on the Apple website. I checked and there were no appointments available that day.

I checked the next morning, and once again there were no appointments available. I resolved to take the machine along to the Apple Store and see whether they’d take it in after I’d finished work.

On arriving at the Apple Store, there was quite a long queue at the Genius Bar. A store employee walked along the line to see whether he could weed any people out. When he reached me, I explained that my MacBook had died, that I’d spoken to the support line and that the drive wasn’t working. The guy asked whether I had an appointment, to which I pointed out that asking people to make an appointment online to get their computer repaired was a little illogical (“Computer no work – must use computer to get it repaired…. hmmmm….”). He said that there was no way I’d get to see anyone that night, but he booked me an appointment for the following night. I’ve no idea why they couldn’t just check it in for repair, I’d had it diagnosed by the support line who had taken the serial number, so they knew it wasn’t a simple user problem.

The next evening, Wednesday, I took the machine in, got it booked in, they had no drives in stock either so might have to wait the standard 7-10 days, though the guy said that it’d probably be fixed sooner.

On Saturday afternoon I got a call to say that the machine was fixed, picked it up and started rebuilding it.

I’d lost all the data on the hard drive, but within 24 hours had virtually everything I needed back in place. I did a restore over my home ADSL line from the Mistral Backup server which got me most of my “Documents” folder back, and most of the other applications I use are available for download. My email is all stored on my IMAP server with Exonetric at Telehouse so I could access my license keys etc.

Getting the machine in for repair was a pain, but at least it didn’t take very long when they did take it in. The actual repair was a simple replacement of the hard drive, which is a 3 minute job (remove battery, loosen 3 screws, remove L-plate, pull hard drive tab, then do the same in reverse). The receipt I was given said that if the machine hadn’t been under warranty, it would have cost me £167. The cost of the hard drive is about £70, so they’re charging a fair stack for labour there.

The Mac’s been fine since, fingers crossed for the next few months. I might invest in an Apple Care contract when my warranty nears its end, as I’ve had two repairs since I bought the machine in late July.

MacBook Intermittent Shutdown Problems

About a month ago I bought myself a refurbished black MacBook from the Apple Online Store. Apart from a slight mark on the screen which isn’t noticeable in use it was in fantastic condition. I’ve been using it for the past month without any problems, and it’s been a fabulous machine.

Until Saturday. On Saturday evening, the machine suddenly shut down. No error message, no kernel panic, it just turned itself off. Hmmmmm… I turned it back on and about 30 minutes later it shut down again.

Turning to the web I found that I’m not alone. From what I’ve read this problem has been around for a while, and tends to occur when the machine is about a month old, though some people have suffered the problem within days of purchase.

It would appear that the problem is caused by an automatic CPU shutdown due to overheating. I can reproduce the problem by heavily loading both cores by entering “yes > /dev/null &” a couple of times in Terminal and waiting a minute.

The shutdown happens when the machine is heavily loaded and also when the machine is cool, for example after being asleep, and is then given a task which raises the workload rapidly.

The problem happens on battery or main power, it will even happen while running the extended Hardware Diagnostic from the installation DVD, which shows that it’s not an OS or other software problem.

The problem has got worse since Saturday, yesterday the machine shut down 15 times. I’ve reset the PRAM (power on with Option-Cmd-P-R held down until the machine has chimed 3 or 4 times), reset the PMU (unplug, remove battery, hold power button down for 15 seconds), re-seated the RAM and none of them have helped.

The machine has had the SMC Firmware applied which fixes the fan “mooing” but it didn’t help with this problem.

This morning I called Apple technical Support and after explaining the tests I’d tried etc, the guy agreed that the machine needed a repair. Unfortunately their ticketing system was down so he couldn’t arrange it and I’d have to call back, but he did give me an “Offline” call reference. I called back a few hours later but the young lady who I spoke to could find no information about my previous call and the call reference couldn’t be found. So I went through the whole explanation again. She again agreed that the machine needs a repair and I was put through to a product specialist to arrange the Mail-In repair.

They’re sending a box for the machine which should reach me tomorrow.

From what I’ve read the repair tends to be either a Main Logic Board replacement which sometimes works, or a replacement of both the heat-sink and something called a “lollipop”. My machine is a “Week 21” machine (5th and 6th digits of serial number), but the problem has been reported for most manufacture weeks.

The one workaround that I’ve found is to turn the machine on by holding down the power button until the machine makes a loud, long beep. That starts the machine with the CPU locked to 1GHz (half the maximum speed) which seems to prevent the thermal shutdown until the machine is switched off again.

To give some idea of the scale of the problem, here’s a small sample of the articles relating to this problem:-

There are loads more reports, and the comments on some of the articles indicate that there are hundreds, if not thousands, of people suffering from this problem.

Virtue multiple desktops on OS X


I’ve found one of the most useful add-ons for my Powerbook.
At work, I’m commonly juggling between Virtual PC, Microsoft Remote Desktop, my mail, a web browser, and maybe an X11 connection to my Linux machine at home.

On a 12″ screen with a resolution of 1024×768 pixels that’s a lot to get in a little space so I’d end up constantly minimising applications and switching windows.

I recently saw a demo of xgl/compiz running on a Linux machine with a groovy ‘cube’ technique of switching between multiple desktops and thought that looked like something I would find useful. Not available for OS X though.

Then I saw a post on The Unofficial Apple Weblog about a video of someone running Linux and Windows XP under Parallels Workstation on an Intel Mac, using Virtue to switch between the various machine desktops.

Virtue is a great open-source virtual desktop manager for OS X which enables you to run multiple desktop displays and switch between them at the press of a key. And even better it uses Quartz transformations to switch the displays including the ‘cube’ rotation (also used by OS X’s user switching). It’s a Universal binary so will run on PowerPC or Intel Macs.

So I can now have one desktop displaying Windows XP under Virtual PC in full screen mode, one display with my mail, another for web browsing, one for my X11 display and another for terminals and the like. Ctrl-Shift and an arrow key navigates me between desktops and the screen. You can tie applications to desktops so your email is always in the same desktop, and when you select an app which is on another desktop Virtue will switch you automatically to that desktop.

It’s very neat, and I’ve made a short video file of Virtue in action. It’s a Quicktime .MOV file, about 800k in size.

OS X Client on trunked VLAN

The place I’m currently working has an IP telephony system. Each phone has an extra LAN port which you can plug a laptop into.

All very handy, but the port is trunked so plugging my Apple Powerbook 12″ into it doesn’t result in any sort of useful connection.

Googling around indicates that only OS X Server (10.3.3 onwards) has a GUI tool for configuring VLANs on an Ethernet port. The OS X client that you get on your iBook, iMac, Powerbook and PowerMac as standard doesn’t have anything obvious for VLAN support.

Digging further reveals that the standard Terminal ifconfig does support VLAN commands.

sudo ifconfig vlan0 create
sudo ifconfig vlan0 vlan VLAN-TAG vlandev en0
sudo ipconfig set vlan0 DHCP

The first line creates the VLAN pseudo device vlan0. The second line connects that device to the physical Ethernet port (in this case en0) and tells the machine which VLAN tag to use.

You will need to replace VLAN-TAG with the relevant VLAN tag which your network administrator should be able to supply you with.

The third line sets the vlan0 pseudo device to use DHCP. If you need to set up a static IP address use something along the following two lines instead:-

sudo ifconfig vlan0 inet 192.168.0.10 netmask 255.255.255.0

and then

sudo route add default 192.168.0.1

to set your default gateway.

When you've finished with the VLAN connection you can destroy the pseudo-device with:-

sudo ifconfig vlan0 destroy

The Ethernet port in my Powerbook 12" (2005 model) supports VLANs, and I suspect the ports on most recent Macs will be the same.