Support Center > Search Results > SecureKnowledge Details
Mobile Access SSL Network Extender, Compliance Scan and Secure Workspace do not work after installing or upgrading Java on the endpoint PC to Java 8 update 131
Symptoms
  • SSL Network Extender, Compliance Scan and Secure Workspace are stuck on initializing after installing/upgrading to Java SE 8 update 131.
Cause

Refer to https://java.com/en/download/faq/release_changes.xml:

Java 8 Update 131 (8u131)

Release Highlights

  • MD5 added to jdk.jar.disabledAlgorithms Security property

    This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned.

The Mobile Access Portal's Deployment Agent, which invokes the on-demand client technologies, including SSL Network Extender, Compliance Scan and Secure Workspace, uses MD5 in its digital signature.

As a result, the on-demand clients fail to be invoked.


Solution

Contact Check Point Support to get a Hotfix for this issue.
A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
For faster resolution and verification please collect CPinfo files from the Security Management and Security Gateways involved in the case.

Hotfix installation instructions:

  1. Hotfix has to be installed on Mobile Access Gateway.

    Note: In cluster environment, this procedure must be performed on all members of the cluster.
  2. Procedure:

    • Using CPUSE - On Mobile Access Gateway running Gaia OS R75.40 and above:

      Make sure to install the latest build of the CPUSE Agent.

      Refer to sk92449: CPUSE - Gaia Software Updates (including Gaia Software Updates Agent):

      • Section "(4-A-c)" / "(4-A-d)" - refer to import instructions for Offline procedure
      • Section "(4-B-a)" - refer to installation instructions for Hotfixes

      You can also use the sk111158 - Central Deployment Tool (CDT) to install these hotfixes on Security Gateways.

      Note: Reboot is required.

    • Using Legacy CLI - On VSX Gateway running Gaia OS R75.40VS and above; On Mobile Access Gateway running SecurePlatform/XOS/IPSO OS:

      Note: You must be connected over Console, or LOM card (SSH session will be disconnected).

      1. Transfer the two hotfix packages to the machine into two separate directories:

        • FW1 package (fw1_wrapper_<HOTFIX_NAME>.tgz) into e.g., /path_to_FW1_fix/
        • Mobile Access package (cvpn_<HOTFIX_NAME>.tgz) into e.g., /path_to_cvpn_fix/
      2. Unpack and install the FW1 hotfix package:

        [Expert@HostName]# cd /path_to_FW1_fix/
        [Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
        [Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>

        Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
      3. Do NOT reboot yet.

      4. Unpack and install the Mobile Access CVPN hotfix:

        [Expert@HostName]# cd /path_to_cvpn_fix/
        [Expert@HostName]# tar -zxvf cvpn_<HOTFIX_NAME>.tgz
        [Expert@HostName]# ./cvpn_<HOTFIX_NAME>

        Note: The script will stop all of Check Point services (cpstop) - read the output on the screen.
      5. Reboot the machine.

 

If after installing the fix, this issue is not resolved on Mac clients:

  1. Delete the CSHELL.JAR file from the cache in the Java Control panel.
  2. Connect to the SNX Gateway again to force a redownload of the SNX client

 

As an immediate workaround:

  1. Uninstall the current Java on the Endpoint PC. 
  2. Install the Java SE Runtime Environment 8u121 on the Endpoint PC.

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment