Java Security Guide for Oracle Agile PLM

Much has been written about the security of Java and its place in the world. However, the reality is that when working in Oracle Agile PLM, Java is at least a necessary evil.

Java on the server

It is constructive here to separate the use of Java on the server from Java on the desktop. At the server, Java is the core of Agile PLM. Agile runs within a Java virtual machine (JVM) hosted by WebLogic or Oracle Application Server. With the release of Agile 9.3.2 we were allowed to easily use 64-bit JVMs and all of the resources that come with them. Fortunately, running the latest version of Java on the server is easy (in the case of Agile PLM) and transparent. There is no reason I yet know of NOT to use the latest version of Java on your Agile application server. The exception is that some of the Agile PLM tools still require older versions of Java in the user workspace to function. Hopefully, Oracle will address these exceptions in future releases.

Java on the desktop

The desktop is where all of the Java vulnerabilities come to light, and that is where Agile PLM administrators face the greatest challenges. Running the latest Java 1.7.X may not be compatible with older software or, as mentioned above, work with all of the Agile administrative utilities and tools. Perhaps more obnoxious are the barriers presented by Java itself with the latest release, 1.7_51, which imposed a stricter security model on Java applications and on the user's ability to run downloaded code such as the Agile Java Client. Agile has made progress by changing the file upload functionality in the web client from Java to HTML5.

Java Version 7 Update 51 imposes the following restrictions that conflict with current Agile PLM code:

* All RIA jars have to be signed using a certificate from a signing authority
* The "Permissions" attribute in the RIA Manifest must be present

Agile's Java Client code does not currently meet either of these requirements.
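The two 7u51 requirements listed above can be pre-checked on any client JAR before a JRE rollout. The following Python sketch is an added example, not code from Oracle or from the original post; the function names and the sample JARs are constructed here, and it only checks that signature files and a valid Permissions attribute are present, not that the signature verifies or chains to a signing authority.

```python
import io
import re
import zipfile

# Files jarsigner writes: META-INF/<alias>.SF plus a .RSA/.DSA/.EC block.
SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)

def main_attributes(text):
    """Main section of MANIFEST.MF: everything before the first blank line."""
    attrs, last = {}, None
    for line in text.replace("\r\n", "\n").replace("\r", "\n").split("\n"):
        if line == "":
            break  # per-entry sections follow; they do not count
        if line.startswith(" ") and last:
            attrs[last] += line[1:]  # continuation of a wrapped line
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.lstrip(" ")
    return attrs

def check_jar(jar_bytes):
    """Findings for one JAR; an empty list means it passes this pre-check."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = jar.namelist()
        if not (any(SIG_FILE.match(n) for n in names)
                and any(SIG_BLOCK.match(n) for n in names)):
            findings.append("unsigned")
        if "META-INF/MANIFEST.MF" not in names:
            return findings + ["no-manifest"]
        text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    perms = main_attributes(text).get("permissions")
    if perms is None:
        findings.append("permissions-missing")
    elif perms.strip().lower() not in ("sandbox", "all-permissions"):
        findings.append("permissions-invalid")
    return findings

def sample_jar(manifest, signed):
    """Constructed input: tiny in-memory JAR; signature files are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        if signed:
            jar.writestr("META-INF/SAMPLE.SF", "Signature-Version: 1.0\r\n")
            jar.writestr("META-INF/SAMPLE.RSA", b"placeholder, not PKCS#7")
    return buf.getvalue()
```

A JAR that passes this pre-check should still be run through `jarsigner -verify`, which validates the signature itself.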

What to do

Fortunately, there are some fixes available to stay within the new Java security framework while enabling our users to access the tools and applications they need to get the work done. Individual users can mitigate these barriers with the following process:

* Upgrade to JRE 7u51
* Open the Java Control Panel
  * On the Security tab
    * Under Exception Site List, click the Edit Site List button and add the AutoVue server and Java Client URLs to the list.

If this seems too difficult or still too restrictive, you can set the Security Level slider to Medium.

Administrator actions

As of this writing there is also a patch available from OTN (Oracle Technology Network) for Agile 9.3.3, identified as:

* Patch 9.3.3.0.7 for Oracle Agile PLM Release 9.3.3, from Bug ID 18017614: JRE 7 U51 UPTAKE

Overall

The new security requirements of Java 7_51 are a welcome addition to securing the Java universe, and the existing inconveniences will be short-lived as administrators and users learn to adapt and conform to a more secure Java execution environment.

Links

http://www.java.com/en/download/help/java_blocked.xml


Comments

  1. Thanks for continuing the discussion on this challenging topic. We also released a patch for 9.3.2 (9.3.2.0 hf 72 Patch 18017607). Earlier releases only supported Java 6 on the client side. The instructions in this article are accurate, and for customers who want to review the Oracle instructions, read My Oracle Support KB articles Agile PLM 1615015.1 and AutoVue 1615032.1.


© Copyright 2014 Zero Wait-State · All Rights Reserved · Terms of Use · Privacy Policy