Some SSL VPN functionality breaks as a result of a Java update to version 7 update 51 (7u51) and above
Symptoms
  • After a Java update to version 7 update 51 (7u51) or above, the Check Point Deployment Agent applet fails to launch. As a result, functionality that depends on it, such as ESOD scan, SNX, and Native Application launch, also fails.
Cause

Oracle introduced a change in the Java security settings that blocks the Java version of the Check Point Deployment Agent.


Solution

Note: To check your current Java version, go to http://java.com/en/download/installed.jsp

 

Table of Contents:

  1. Hotfix availability
  2. Hotfix installation instructions
  3. Hotfix uninstall instructions
  4. Workarounds

 

(1) Hotfix availability

This problem was fixed. The fix is included in:

Check Point recommends always upgrading to the most recent version (upgrade Security Gateway / upgrade VSX / upgrade Security Management Server / upgrade Multi-Domain Security Management Server).

 

Note for 600 / 1100 appliances running R75.20.X firmware:

  • For 1100 Centrally Managed appliances, contact Check Point Support to get a Hotfix for Security Management Server.
  • For 600 / 1100 Locally Managed appliances, upgrade to R75.20.50 to resolve the issue.

 

(2) Hotfix installation instructions for Security Gateway R77.10 and lower

  1. The hotfix has to be installed on the Security Gateway.

    Note: In a cluster environment, this procedure must be performed on all members of the cluster.
  2. Download the two hotfix packages for your version of Security Gateway:

    Note: The "CVPN" part is required only when you are using the Mobile Access Blade.

    Version of Security Gateway   Platform                   Link to FW-1 part   Link to CVPN part
    R77.10 (1)                    Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R77                           Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R76 (2)                       Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R75.47                        Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R75.46                        Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R75.45                        Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R75.40                        Gaia / SecurePlatform OS   (TGZ)               (TGZ)
    R75.30                        SecurePlatform OS          (TGZ)               (TGZ)
    R75.20                        SecurePlatform OS          (TGZ)               (TGZ)
    R71.50                        SecurePlatform OS          (TGZ)               (TGZ)

    Notes:

    1. This fix for R77.10 on Gaia OS (both FW-1 part and CVPN part) is included in sk98285 - Jumbo Hotfix Accumulator for R77.10 (gypsy_hf_base_021) since Take_4 (together with updated SNX client from sk97702).
    2. This fix for R76 on Gaia OS (both FW-1 part and CVPN part) is included in sk96191 - Jumbo Hotfix Accumulator for R76 (gizmo_hf_041_050) since Take_61 (together with updated SNX client from sk97702).
  3. Transfer the two hotfix packages to the Security Gateway into two separate directories:

    • FW1 package (fw1_wrapper_<HOTFIX_NAME>.tgz) into e.g., /path_to_FW1_fix/
    • Mobile Access package (cvpn_<HOTFIX_NAME>.tgz) into e.g., /path_to_cvpn_fix/
  4. Unpack and install the FW1 hotfix package:

    [Expert@HostName]# cd /path_to_FW1_fix/
    [Expert@HostName]# tar -zxvf fw1_wrapper_<HOTFIX_NAME>.tgz
    [Expert@HostName]# ./fw1_wrapper_<HOTFIX_NAME>

    Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
  5. Do NOT reboot yet.

  6. Unpack and install the Mobile Access CVPN hotfix:

    [Expert@HostName]# cd /path_to_cvpn_fix/
    [Expert@HostName]# tar -zxvf cvpn_<HOTFIX_NAME>.tgz
    [Expert@HostName]# ./cvpn_<HOTFIX_NAME>

    Note: The script will stop all Check Point services (cpstop) - read the output on the screen.
  7. Reboot the Security Gateway.

 

(3) Hotfix uninstall instructions for Security Gateway R77.10 and lower

  1. The hotfix has to be uninstalled from the Security Gateway.

    Note: In a cluster environment, this procedure must be performed on all members of the cluster.
  2. Stop all the Check Point services on Security Gateway:

    [Expert@HostName]# cpstop
  3. Uninstall the FW-1 hotfix:

    [Expert@HostName]# cd /opt/CPsuite-<VERSION>/
    [Expert@HostName]# ./uninstall_fw1_wrapper_<HOTFIX_NAME>
    Example for R77 hotfix:
    [Expert@HostName]# cd /opt/CPsuite-R77/
    [Expert@HostName]# ./uninstall_fw1_wrapper_HOTFIX_GULLI_HF_BASE_207
    
  4. Do not reboot yet.

  5. Uninstall the CVPN hotfix (relevant if Mobile Access Blade is used):

    [Expert@HostName]# cd /opt/CPcvpn-<VERSION>/
    [Expert@HostName]# ./uninstall_cvpn_<HOTFIX_NAME>
    Example for R77 hotfix:
    [Expert@HostName]# cd /opt/CPcvpn-R77/
    [Expert@HostName]# ./uninstall_cvpn_HOTFIX_GULLI_HF_BASE_207
    
  6. Reboot the Security Gateway.

 

(4) Workarounds

If you do not wish to upgrade / install a hotfix, then the following workarounds are available:

  • Either lower the Java security settings to "Medium" (applies only to Java 7)

    Related resource: http://www.java.com/en/download/help/jcp_security.xml

    • Instructions for Windows OS
      1. Go to Start menu.

      2. Go to Control Panel.

      3. Click on 'Java'.

      4. Go to the 'Security' tab.

      5. Move the slider to the bottom ('Medium').

      6. Click on 'OK'.



    • Instructions for Mac OS X
      1. In the upper left corner of the screen, click on 'Apple' icon.

      2. Go to 'System Preferences'.

      3. Click on 'Java'.

      4. Go to the 'Security' tab.

      5. Move the slider to the bottom ('Medium').

      6. Click on 'OK'.



  • Or add the relevant web site to "Exception Site List" (as of the JDK 7u51 release, and Java 8)

    Related resources: http://java.com/en/download/faq/exception_sitelist.xml and http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/exception_site_list.html#create

    Note: The "Exception Site List" feature is available only since the release of Java 7 Update 51. To check your current Java version, go to http://java.com/en/download/installed.jsp

    • Instructions for Windows OS
      1. Go to Start menu.

      2. Go to Control Panel.

      3. Click on 'Java'.

      4. Go to the 'Security' tab.

      5. Click on 'Exception Site List...' button.

      6. Click on 'Add'.

      7. Under 'Location', type the URL into the empty field (https://X.X.X.X):

        Note: If you add an HTTP location, then a warning is presented. Click on 'Continue'.

      8. Continue to click on 'Add' and enter URLs until your list is complete.

      9. Click on 'OK' to save the URLs that you entered.

      10. Click on 'OK'.



    • Instructions for Mac OS X
      1. In the upper left corner of the screen, click on 'Apple' icon.

      2. Go to 'System Preferences'.

      3. Click on 'Java'.

      4. Go to the 'Security' tab.

      5. Click on 'Exception Site List...' button.

      6. Click on 'Add'.

      7. Under 'Location', type the URL into the empty field (https://X.X.X.X).

      8. Continue to click on 'Add' and enter URLs until your list is complete.

      9. Click on 'OK' to save the URLs that you entered.

      10. Click on 'OK'.
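
Both workarounds leave a per-user Java setting weakened, so after the hotfix is installed it is worth checking which clients still carry them. The following is an added example, not part of the original Check Point article: it audits the contents of the Java `exception.sites` file and `deployment.properties`. The default file locations in the comment, the `deployment.security.level` key, the approved-portal list and the sample contents are assumptions or constructed values.

```python
from urllib.parse import urlsplit

# Default per-user Java deployment directory (assumed; can be overridden):
#   Windows:  %USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\
#   Mac OS X: ~/Library/Application Support/Oracle/Java/Deployment/
# Files of interest: security/exception.sites (one URL per line)
#                    deployment.properties    (key=value lines)

def audit_exception_sites(text, approved_hosts):
    """Return (url, reason) findings for the content of exception.sites."""
    findings = []
    for line in text.splitlines():
        url = line.strip()
        if not url:
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # The Java Control Panel warns on HTTP locations; flag them here too.
        if parts.scheme.lower() != "https":
            findings.append((url, "location is not HTTPS"))
        if host not in approved_hosts:
            findings.append((url, "host is not an approved SSL VPN portal"))
    return findings

def audit_security_level(properties_text):
    """Return 'MEDIUM' if the security slider was lowered to it, else None."""
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "deployment.security.level":
            level = value.strip().upper()
            return level if level == "MEDIUM" else None
    return None  # key absent: the default level is in effect

# Constructed sample content; addresses are from documentation ranges.
SAMPLE_SITES = "https://192.0.2.10\nhttp://192.0.2.10\nhttps://198.51.100.7/app\n"
SAMPLE_PROPS = "#deployment.properties\ndeployment.security.level=MEDIUM\n"
APPROVED = {"192.0.2.10"}  # hypothetical portal address

if __name__ == "__main__":
    for url, reason in audit_exception_sites(SAMPLE_SITES, APPROVED):
        print(f"exception.sites: {url}: {reason}")
    level = audit_security_level(SAMPLE_PROPS)
    if level:
        print(f"deployment.properties: security level lowered to {level}")
```
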

This solution is about products that are no longer supported and it will not be updated
Applies To:
  • 01345729 , 01350557 , 01350558 , 01350878 , 01370132 , 01662188
