SonicWall DPI-SSL stops Java from working

Hi,
I'm deploying the SonicWall cert from a firewall to all my Windows clients.
The certificate has been distributed by GPO.
I'm having a problem with Java apps (iDRAC) which can't connect.
I've imported this into my Java store, but the same issue appeared.
Eventually I will need to distribute this to all my Win and Mac clients.
wannabecraig asked:
J Spoor (TME) commented:
Unfortunately there seems to be no way to distribute this to the Java store en masse...
Not sure why the iDRAC behaves like that; normally sites with JavaScript do not make calls directly...

Is the intranet site still using Java applets, even though no browser supports them any more?

You have two options:
1) roll them out manually
2) use CN name exceptions in DPI-SSL
0
 
CEHJ commented:
Very tricky to say without seeing it. Out of interest, which iDRAC version?
0
 
J Spoor (TME) commented:
Sounds like the Java code can't handle the re-signed certificate....

Go to the DPI-SSL Client Settings.
Switch to the Common Name Exclusions/Inclusions.
There's a "Show Connection Failures" button.

From there you can exclude the connection from DPI-SSL.
0
 
wannabecraig (author) commented:
I'm using iDRAC9 and can connect to it, but when I try to open a virtual console after the untrusted connection warning, I click on Run and the applet tries to connect for a couple of minutes, but then I get the following error: "The viewer was unable to reconnect with the server. Launch the console again".
0
 
J Spoor (TME) commented:
Java uses its own CA store.

Either create an exclusion, as I stated earlier,
or
add the DPI-SSL cert to Java's CA store:
https://superuser.com/questions/55470/which-trusted-root-certificates-are-included-in-java
https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store
1
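The import into Java's own trust store described above, written out as an added example script (not from the original thread or from SonicWall/Oracle): it finds every cacerts file under the usual macOS and Linux Java homes and imports the DPI-SSL CA with keytool, skipping stores that already hold the alias so it can be re-run from a login script or management tool. The certificate path, the alias, the Java home locations and the well-known default store password "changeit" are assumptions to adjust; on Windows the same keytool invocation applies, typed from PowerShell or a GPO startup script.

```bash
#!/bin/sh
# Added example: import a DPI-SSL resigning CA (PEM/DER) into Java's cacerts.
# Java keeps its own trust store, so the OS/GPO-deployed cert is not enough.
set -eu

CERT="${CERT:-/path/to/sonicwall-dpi-ssl-ca.pem}"   # placeholder path, supply your own
ALIAS="${ALIAS:-sonicwall-dpi-ssl}"                 # assumed alias for the entry
STOREPASS="${STOREPASS:-changeit}"                  # Java's default; change if yours differs

# Resolve the cacerts file under a Java home, covering the layouts seen on
# macOS bundles (Contents/Home), JDK/JRE 8 (jre/lib/security) and JDK 9+.
cacerts_for_home() {
    for rel in Contents/Home/lib/security/cacerts jre/lib/security/cacerts lib/security/cacerts; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

# Import the cert unless an entry with that alias already exists (idempotent).
import_into() {
    store="$1"
    if keytool -list -keystore "$store" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1; then
        echo "already present: $store"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -keystore "$store" \
        -storepass "$STOREPASS" -alias "$ALIAS" -file "$CERT"
    echo "imported into: $store"
}

# Walk the assumed Java home locations and update each store found.
main() {
    for home in /Library/Java/JavaVirtualMachines/*/ \
                "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/" \
                /usr/lib/jvm/*/; do
        store=$(cacerts_for_home "${home%/}") || continue
        import_into "$store"
    done
}

# Only touch the stores when explicitly asked, so the script is safe to source.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as root with `--apply`; each JVM on the machine prints either "imported into" or "already present" for its cacerts file.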
 
Blue Street Tech (Last Knight) commented:
Hi wannabecraig,

Java has been historically riddled with bugs and security flaws, is a huge vulnerability/liability and attack vector on any network, and should be used only when absolutely necessary. I don't know what your iDRAC version is, but they have a native option for connecting, and newer versions have an HTML5 version. I'd recommend using HTML5 for security reasons if possible, and then the native version in the event HTML5 is unavailable (as your iDRAC version is dependent on the hardware, meaning you can't take a Dell 2003 server and upgrade it to iDRAC8). So update the iDRAC to the latest available release.

If you must use Java, because HTML5 is unavailable or the native approach is not working, @J Spoor's comment has laid out all your options!

"Eventually I will need to distribute this to all my Win and Mac clients."
I'm not sure I follow. From a security standpoint, the iDRAC should only be accessed from a local authorized management segment in a management VLAN... certainly not by ALL user clients.
0
 
wannabecraig (author) commented:
iDRAC is accessed just from a management subnet, but my users use other Java applications which I can't change to HTML5.
Is there any way to force Java to use the computer cert store, and if so, how to push the change by GPO to Windows and how to install it on Macs?
0
 
J Spoor (TME) commented:
From: https://stackoverflow.com/questions/34166304/accessing-windows-certificate-store-certs-via-java

"The Windows certificate store is accessible only via CryptoAPI native functions, which are not supported by the default Java installation. If you can use JNA, then you can use the various Certificate and Certificate Store functions in crypt32.dll to enumerate certificates and perform signing operations."
0
 
J Spoor (TME) commented:
I think making a CN name exception in DPI-SSL is your best solution.
You actually don't need to SSL-decrypt the iDRAC session; the risk of those is as good as non-existent.
0
 
wannabecraig (author) commented:
I've used iDRAC just for testing DPI-SSL. The company which is implementing this is using some intranet sites with Java, so I need to distribute it to the whole domain, which includes Macs and PCs. Is there any way to push a setting for Java to accept the self-signed cert, or is there a way to distribute it to all users?
0
 
wannabecraig (author) commented:
I've set up exclusions for all Java apps.
0
Question has a verified solution.