AdoptOpenJDK / IcedTea-Web

The new home for IcedTea-Web

Cisco ASDM does not work with OpenJDK 8 (deploy.jar missing) #741

Closed le-jawa closed 3 years ago

le-jawa commented 5 years ago

Windows, Linux & Mac:

x64:

Not sure if this is a problem for Cisco or OpenJDK; it depends on where the actual problem is. ASDM requires Java 8, but does not work with OpenJDK 8. If the libraries required for ASDM are not intended to be there (i.e., Oracle intentionally did not include them), then oh well I guess. Hopefully we can convince Cisco to support OpenJDK if that's the case. However, if this is something that should be there now, or in the near future, then yes, a lot of system/network admins out there would love to see this fixed.

I've attached the console log with the stack trace from ASDM.

ASDM-java-log.txt

karianna commented 5 years ago

@le-jawa Which version of OpenJDK are you using? Is it AdoptOpenJDK's binary? If so can you also try with an alternative provider (e.g. Azul's Zulu) and see if you get the same error?

le-jawa commented 5 years ago

Martin, Thanks for getting back with me. Yes, it was AdoptOpenJDK’s build of Java 8; I even tried both VMs and both the JRE and JDK packages. All had the same problem.

I’ve seen some of the builds from other providers; I’ll give those a try and put the results here.


le-jawa commented 5 years ago

karianna, Sorry to be so long getting back.

I tried out Zulu, Corretto (Amazon) and Liberica (Bell SW). Zulu and Corretto behaved exactly as AdoptOpenJDK's build (the login screen showed, then when I tried to log in, I got an error box stating that the device can't be reached). Liberica wouldn't even run ASDM at all.

karianna commented 5 years ago

@le-jawa, Hmm, interesting - is there a ${java.home}/lib/deploy.jar file in the AdoptOpenJDK installation? Is there one in the Oracle one?

le-jawa commented 5 years ago

@karianna It is in the Oracle installation (both JRE and JDK), but is neither in AdoptOpenJDK JRE nor JDK.

le-jawa commented 5 years ago

Hey guys, This bug is still labelled "Waiting on OP". Was there something else you needed from me?

karianna commented 5 years ago

My bad - I've removed that label. I'll ping the build channel to see if anyone has any insights.

le-jawa commented 5 years ago

@karianna Thanks for all the work on this so far. Is there any news?

karianna commented 5 years ago

Nothing so far but I've put the July Milestone on so we keep it close to the top

nvaert1986 commented 5 years ago

I've got the exact same error. I've tried using Cisco ASDM 9.12.2 with both the openjdk and regular variant of ASDM (as there are 2 versions now), but both throw the same error. I've also tried the 9.10 and 9.8 versions, but those throw the same exception too.

I'm running on Gentoo BTW and I'm using the portage version of the package, which is the HotSpot version and it throws the exception below.

P.S.: I've got the exact same error with the icedtea-jre-bin and icedtea-jdk-bin versions, while oracle-jre-bin works just fine.

    java.lang.ClassNotFoundException: com.sun.deploy.trace.Trace
        at net.sourceforge.jnlp.runtime.JNLPClassLoader.loadClass(JNLPClassLoader.java:1562)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:264)
        at com.cisco.launcher.i.a(Unknown Source)
        at com.cisco.launcher.i.if(Unknown Source)
        at com.cisco.launcher.i.a(Unknown Source)
        at com.cisco.launcher.s.if(Unknown Source)
        at com.cisco.launcher.Launcher.main(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at net.sourceforge.jnlp.Launcher.launchApplication(Launcher.java:574)
        at net.sourceforge.jnlp.Launcher$TgThread.run(Launcher.java:936)

P.S.: I've also filed a comment on a bug report in Gentoo's bugzilla: https://bugs.gentoo.org/681828

nvaert1986 commented 5 years ago

Is there any update on this? Is there any way I can provide more useful / debugging information or assist?

karianna commented 5 years ago

> Is there any update on this? Is there any way I can provide more useful / debugging information or assist?

I've pinged the build channel again - this does seem to be a wider OpenJDK challenge though (since all providers are impacted)

le-jawa commented 5 years ago

@karianna Since this is such a broad issue, is there someplace else where we should report this? (I didn't see a public bug report page for OpenJDK itself, but perhaps I missed something.)

karianna commented 5 years ago

You can try on the openjdk mailing lists; openjdk.java.net has a link to those. Actually this looks a lot like a Java Web Start concern so I'll try the ITW channel.

hendrikebbers commented 5 years ago

Did some research in this area. When starting a JNLP application (with Oracle WebStart, IcedTeaWeb or OpenWebStart) a Jar will be injected in the class path of the application. This jar does several things:

The JNLP spec does not say anything about such JAR. Only the interfaces for the JNLP API and the functionality for lazy download (and some minor other points) are defined by the spec.

It looks like the deploy.jar that Oracle provides with old JREs / JDKs is exactly the Jar that is injected into an application. For ITW/OWS we have the icedteaweb JAR that is injected. Both handle the public APIs the same way but private APIs and internals are completely different. I assume that Oracle uses the com.sun.deploy package as a basic package for all classes that are part of the deploy.jar. The Cisco application now accesses some of these classes. Such behaviour is quite bad since not even Oracle gave a guarantee about such classes. They could have been changed between 2 Oracle releases.

I found an unknown state of the Oracle classes here: https://github.com/barchart/barchart-oracle-study/tree/master/oracle-jdk-7.21-deploy/src/main/java/com/sun/deploy Based on licences I assume that we do not have a chance to integrate anything into ITW.

From my point of view Cisco must refactor its application to support the public definition of WebStart and not depend on Oracle internal classes anymore.
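
An added example, not part of the original thread or of IcedTea-Web: one way to confirm the dependency described above is to scan a JAR's class files for constant-pool strings that name `com.sun.deploy`, in both the bytecode form and the dotted form passed to `Class.forName` as in the stack trace. The function names and the `demo/` sample JAR are constructed for illustration.

```python
import io
import struct
import zipfile

# Oracle-internal package named in the thread, in bytecode and Class.forName form.
INTERNAL = ("com/sun/deploy/", "com.sun.deploy.")
# Fixed payload sizes per constant-pool tag (JVMS 4.4); tag 1 (Utf8) is variable.
CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
            15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes):
    """Yield every CONSTANT_Utf8 string in a class file's constant pool."""
    magic, _minor, _major, count = struct.unpack_from(">IHHH", class_bytes, 0)
    if magic != 0xCAFEBABE:
        raise ValueError("not a Java class file")
    pos, index = 10, 1
    while index < count:
        tag, pos = class_bytes[pos], pos + 1
        if tag == 1:  # u2 length followed by the string bytes
            (length,) = struct.unpack_from(">H", class_bytes, pos)
            yield class_bytes[pos + 2:pos + 2 + length].decode("utf-8", "replace")
        pos += (2 + length) if tag == 1 else CP_SIZES[tag]
        index += 2 if tag in (5, 6) else 1  # long and double occupy two slots

def internal_refs(jar_bytes):
    """Map each class in a JAR to the com.sun.deploy names its constants mention."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            refs = {s for s in utf8_constants(jar.read(name))
                    if any(p in s for p in INTERNAL)}
            if refs:
                hits[name] = sorted(refs)
    return hits

def sample_jar():
    """Constructed input: class-file stubs holding only a header and constant pool."""
    def stub(*strings):
        pool = b"\x05" + bytes(8)  # one CONSTANT_Long, which takes two slots
        for s in strings:  # ASCII names only, so len(s) is the byte length
            pool += b"\x01" + struct.pack(">H", len(s)) + s.encode()
        return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, len(strings) + 3) + pool
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("demo/Launcher.class", stub("demo/Launcher", "com.sun.deploy.trace.Trace"))
        jar.writestr("demo/Clean.class", stub("demo/Clean", "javax/jnlp/BasicService"))
    return buf.getvalue()

if __name__ == "__main__":
    print(internal_refs(sample_jar()))
```

A class that builds the name at run time (for example by string concatenation) will not show up in a constant-pool scan, so an empty result does not prove the application is free of such references.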

hendrikebbers commented 3 years ago

Cisco reacted to this issue and has provided an alternative version of ASDM that does not need Oracle JRE. The release notes mention a bundled OpenJRE (whatever that exactly is). You can find the release notes here: https://www.cisco.com/c/en/us/td/docs/security/asdm/7_12/release/notes/rn712.html#id_25472

nvaert1986 commented 3 years ago

For those interested, you can actually get this to work:

  1. Make sure the asdm-openjre-version.bin is installed on the ASA
  2. Use a browser with a user agent switch and make sure you set it to Microsoft Windows with any browser
  3. Download the dm-launcher.msi
  4. Install using wine (works with wine-staging-5.22)
  5. Copy the .wine/drive_c/Program Files (x86)/Cisco/ASDM folder to ~/ASDM
  6. Run a chmod +x on all the jar files in there
  7. Make sure the latest AdoptOpenJDK 8.0 release is installed
  8. Run java -jar asdm-launcher.jar in the ASDM folder
  9. Optional make a shortcut on the desktop if desired with this command

This way it launches just fine and can connect to any ASA using OpenJDK on Linux. The .bin just does not include a Linux installer file, but the jar files work fine when extracted and run manually. Tested using asdm-openjre-7151.bin