Diogo-Paulico / FCT-VPN

Allows for FCT's Checkpoint VPN to be used on Linux

Cannot start Mobile Access Portal Agent. Installation aborted. #8

Open karpovichyan opened 3 years ago

karpovichyan commented 3 years ago

Hi there. Running step by step by your instructions, but I have some error. After running this:
wget -q -O cshell_install.sh https://vpn.fct.unl.pt/sslvpn/SNX/INSTALL/cshell_install.sh --no-check-certificate && chmod +x ./cshell_install.sh && sudo ./cshell_install.sh

I have this:
Start Check Point Mobile Access Portal Agent installation
Extracting Mobile Access Portal Agent... Done
Installing Mobile Access Portal Agent... Done
Installing certificate... Done
Starting Mobile Access Portal Agent... Cannot start Mobile Access Portal Agent. Installation aborted.

And as a result I can't connect.

I tried to run CShell.java from /usr/bin/cshell, but I have an exception

Exception after sudo java -jar CShell.jar:

user.user@user:/usr/bin/cshell$ sudo java -jar CShell.jar
02/07/2021 00:01:27 INFO [global] (Log log) [CShell] Loaded successfully
02/07/2021 00:01:27 INFO [global] (Log log) [CShell] is_admin=1 is_protected_mode=0
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c who | head -n 1 | awk '{print $1}'
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c echo $( getent passwd "user.user" | cut -d: -f6 )
02/07/2021 00:01:27 INFO [ServerMain] (ServerMain getPwd) CShellKey is "ynU2Q+vhxGW2luir"
02/07/2021 00:01:27 WARNING [ServerMain] (ServerMain loadKeystore) Failed to load keystore.
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2068)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at ServerMain.loadKeystore(ServerMain.java:504)
    at ServerMain.startJetty(ServerMain.java:91)
    at ServerMain.main(ServerMain.java:61)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 5 more
02/07/2021 00:01:27 WARNING [ServerMain] (ServerMain startJetty) Temp password is not valid
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c who | head -n 1 | awk '{print $1}'
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c echo $( getent passwd "user.user" | cut -d: -f6 )
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c who | head -n 1 | awk '{print $1}'
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c echo $( getent passwd "user.user" | cut -d: -f6 )
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c who | head -n 1 | awk '{print $1}'
02/07/2021 00:01:27 INFO [global] (Log log) [Launcher] Launching /bin/sh -c echo $( getent passwd "user.user" | cut -d: -f6 )
02/07/2021 00:01:27 WARNING [ServerMain] (ServerMain loadKeystore) Failed to load keystore.
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2068)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at ServerMain.loadKeystore(ServerMain.java:504)
    at ServerMain.startJetty(ServerMain.java:103)
    at ServerMain.main(ServerMain.java:61)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    ... 5 more
02/07/2021 00:01:27 SEVERE [ServerMain] (ServerMain main) Failed to start SSL Web Server. Keystore was not loaded.
java.lang.RuntimeException: Keystore was not loaded.
    at ServerMain.startJetty(ServerMain.java:104)
    at ServerMain.main(ServerMain.java:61)
02/07/2021 00:01:27 WARNING [ServerMain] (ServerMain writeLinuxMessage) Couldn't write linux message "Failed to start SSL Web Server. Keystore was not loaded.". Input arguments are empty.
user.user@user:/usr/bin/cshell$

Fun fact: on another PC it works perfectly. I mean I have the same error "Cannot start Mobile Access Portal Agent. Installation aborted.", but java -jar CShell.jar works fine without exceptions which can stop running this CShell.jar. Can someone help me, please?

I'm using Ubuntu 20.04.2 LTS and Mozilla Firefox 89.0.2.

GreatDefector commented 3 years ago

Same on PopOS 21.04

karpovichyan commented 3 years ago

> Same on PopOS 21.04

Any ideas how to fix it?:))

GreatDefector commented 3 years ago

uuuughh ... I finally got Firefox to work using Java 8 (u121) as mentioned here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk117065

java version "1.8.0_121"
Java(TM) SE Runtime Environment (build 1.8.0_121-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.121-b13, mixed mode)

ruyrybeyro commented 2 years ago

The issue can be cshell being installed with one user and then activated by another. The installation script and CShell Java agent abuse the "who" command for that.

If the original owner of this script does not mind the intrusion, I wrote a script for creating a chroot for getting around those weird problems. https://github.com/ruyrybeyro/chrootvpn

ttmx commented 2 years ago

> The issue can be cshell being installed with one user and then activated by another. The installation script and CShell Java agent abuse the "who" command for that.
>
> If the original owner of this script does not mind the intrusion, I wrote a script for creating a chroot for getting around those weird problems. https://github.com/ruyrybeyro/chrootvpn

This seems very useful, although I do not currently have a good way to try to validate it. Thank you; if you don't mind, I'll link it in the README with proper warnings of me not having run it.

Regarding the other issues, having to be on Java 8 is good information, but I cannot help with the rest as we only made a wrapper and to be honest know very little about what is happening inside the installer. Using a proprietary VPN solution in 2022 is insane and this project was started simply out of necessity. If I find more information I'll post it, but I'm not working on the scripts actively.

ruyrybeyro commented 2 years ago

Obviously I do not mind you guys mentioning my chroot wrapper; quite the contrary, I would appreciate more people testing my script. I also started working on this script because I wrote the manual for pre-R80 CheckPoint use at our place, and was asked to help developers of our department using the "new" VPN.

The Java 8 info seems to be outdated, seems they accept Java 11 nowadays according to CheckPoint docs. I have been using the default openjdk jre from Debian 11, which is way more convenient, without any issues.

The CheckPoint installation script and CShell daemon are quite badly behaved. From my work, debugging, logs and script inspection, they abuse the who command to extract the first user logged in, and just assume the daemon will be running under that user. Furthermore, the installation leaves behind cryptographic files in the home of said user, and CShell expects to be launched always with the same user. Also, it expects either Firefox or Java to be installed, and if for some odd reason it is not able to manipulate said user's browser private certificate store, it aborts the CShell daemon installation. To complicate matters further, the profile is also only installed after the first Firefox/Chrome use.

As for Firefox, I find it shortsighted manipulating the certificate store for a particular user, and not installing a global policy, which is what I am doing in my wrapper.

In addition, it is also not possible anymore to install the necessary 32-bit libraries for SNX in the latest CentOS and RH releases (since 8?). So my security intention of creating a chroot has the unplanned nice collateral effect of allowing installing the agent software for the latest CentOS/Fedora/CentOS versions (tested successfully with CentOS Stream 9).

I might have got a few more pointers, ping me anytime.

Regards

P.S this bug thread should not be a bug open on your script. This is a cshell_install.sh/CShell "feature".
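
The user lookup described in the comment above, as an added diagnostic (not part of the thread, and not Check Point's or this project's code): it replays the two commands visible in the CShell log and reports whether the user picked by `who` is the one actually running the agent. The function names, the `--live` switch and the sample `who` output are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic. Mirrors the two lookups shown in the CShell log:
#   who | head -n 1 | awk '{print $1}'
#   getent passwd "<user>" | cut -d: -f6

# First user listed in who-style output read from stdin.
first_who_user() {
    head -n 1 | awk '{print $1}'
}

# Home directory of a user, as resolved by the second lookup.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

# Compare the user the lookup would pick with the user running the agent.
# $1 = who-style output, $2 = invoking user.
# Prints a verdict; returns 0 (match), 1 (mismatch), 2 (no session listed).
check_cshell_user() {
    picked=$(printf '%s\n' "$1" | first_who_user)
    if [ -z "$picked" ]; then
        echo "no-session: who lists nobody, lookup returns an empty user"
        return 2
    fi
    if [ "$picked" = "$2" ]; then
        echo "match: $picked"
        return 0
    fi
    echo "mismatch: who picks '$picked' but agent is run by '$2'"
    return 1
}

# Constructed sample: bob logged in first, alice starts the agent.
SAMPLE_WHO='bob      tty2         2021-07-02 00:00 (tty2)
alice    pts/0        2021-07-02 00:01 (192.0.2.10)'

if [ "${1:-}" = "--live" ]; then
    # Under sudo, SUDO_USER is the account that invoked sudo.
    me=${SUDO_USER:-$(id -un)}
    check_cshell_user "$(who)" "$me" || true
    echo "home the lookup resolves: $(home_of "$(who | first_who_user)")"
else
    check_cshell_user "$SAMPLE_WHO" alice || true
fi
```

Run with `--live` on the affected machine, as the same user and with the same `sudo` usage as when starting CShell; a `mismatch` or `no-session` verdict matches the install-as-one-user, run-as-another situation described above.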

ttmx commented 2 years ago

@ruyrybeyro More pointers would be great, you clearly have investigated the software more than I have, I'd like to have this script finally consistently working for other students.

If you are available, please contact me on Discord redacted. I would give more options but I don't want to list all my contact information publicly; if that doesn't work, I'll figure something else out.

Regards