Sonicwall DPI-SSL stops Java from working

Hi
I'm deploying the Sonicwall cert from a firewall to all my Windows clients.
The certificate has been distributed by GPO.
I'm having a problem with Java apps (iDRAC) which can't connect.
I've imported this into my Java store but the same issue appeared.
Eventually I will need to distribute this to all my Win and Mac clients.
wannabecraig asked:

CEHJ commented:
Very tricky to say without seeing it. Out of interest, which iDRAC version?
0
J Spoor (TME) commented:
Sounds like the Java code can't handle the re-signed certificate...

Go to the DPI-SSL Client Settings.
Switch to the Common Name Exclusions / Inclusions.
There's a "Show Connection Failures" button.

From there you can exclude the connection from DPI-SSL.
0
wannabecraig (Author) commented:
I'm using iDRAC9 and can connect to it, but when I try to open a virtual console, after the untrusted connection warning I click on Run and the applet tries to connect for a couple of minutes, but then I get the following error: "The viewer was unable to reconnect with the server. Launch the console again".
0

J Spoor (TME) commented:
Java uses its own CA store.

Either create an exclusion, as I stated earlier
or
Add the DPI-SSL cert to Java's CA store
https://superuser.com/questions/55470/which-trusted-root-certificates-are-included-in-java
https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store
1
Blue Street Tech (Last Knight) commented:
Hi wannabecraig,

Java has historically been riddled with bugs & security flaws, is a huge vulnerability/liability & attack vector on any network, and should be used only when absolutely necessary. I don't know what your iDRAC version is, but they have a native option for connecting, and newer versions have an HTML5 version. I'd recommend using HTML5 for security reasons if possible, and then the native version in the event HTML5 is unavailable (as your iDRAC version is dependent on the hardware, meaning you can't take a DELL 2003 server and upgrade it to iDRAC8). So update the iDRAC to the latest available release.

If you must use Java, because HTML5 is unavailable or the native approach is not working, @J Spoor's comment has laid out all your options!

"Eventually I will need to distribute this to all my Win and Mac clients."
I'm not sure I follow. From a security standpoint, the iDRAC should only be accessed by local authorized management segments in a management VLAN... certainly not by ALL user clients.
0
wannabecraig (Author) commented:
iDRAC is accessed just from a management subnet, but my users use other Java applications which I can't change to HTML5.
Is there any way to force Java to use the computer cert store, and if so, how to push the change by GPO to Windows and how to install it on Macs?
0
J Spoor (TME) commented:
From: https://stackoverflow.com/questions/34166304/accessing-windows-certificate-store-certs-via-java

The Windows certificate store is accessible only via CryptoAPI native functions, which are not supported by a default Java installation. If you can use JNA, then you can use various Certificate and Certificate Store Functions in crypt32.dll to enumerate certificates and perform signing operations.
0
J Spoor (TME) commented:
I think making a CN name exception in DPI-SSL is your best solution.
You actually don't need to SSL-decrypt the iDRAC session; the risk of those is as good as non-existent.
0
wannabecraig (Author) commented:
I've used iDRAC just for testing of DPI-SSL. The company which is implementing this is using some intranet sites with Java, so I need to distribute it to the whole domain, which includes Macs and PCs. Is there any way to push a setting for Java to accept a self-signed cert, or is there a way to distribute it to all users?
0
J Spoor (TME) commented:
Unfortunately there seems to be no way to distribute this to the Java store en masse...
Not sure why the iDRAC behaves like that; normally sites with Java Scripts do not make calls directly...

Is the intranet site still using Java applets? Even though no browser supports this any more?

You have two options:
1) roll them out manually
2) use CN Name Exceptions in DPI-SSL
0
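The per-machine half of option 1 above (and of the earlier suggestion to add the DPI-SSL CA to Java's own CA store) is the same on Windows, macOS and Linux: find every JRE/JDK `cacerts` file and import the CA with `keytool`. The script below is an added example, not code from the thread or from SonicWall or Oracle. It assumes `keytool` is on PATH, the default `cacerts` password `changeit`, an alias name `sonicwall-dpi-ssl`, and a list of typical install roots; all four are assumptions and should be adjusted to the environment. The CA file path is whatever was exported from the firewall, in PEM format.

```shell
#!/bin/sh
# Added example (not from the thread): import a DPI-SSL root CA into every
# Java cacerts store found under the given roots, skipping stores that already
# contain the alias, so the script is safe to re-run from GPO, a startup
# script or an MDM policy.
#
# Assumptions (not stated on the page): keytool on PATH, store password
# "changeit" (the JDK default), alias "sonicwall-dpi-ssl", and the typical
# install roots listed in DEFAULT_ROOTS.

CA_ALIAS="${CA_ALIAS:-sonicwall-dpi-ssl}"
STORE_PASS="${STORE_PASS:-changeit}"

# Typical JRE/JDK locations (assumed; Windows path is as seen from Git Bash).
DEFAULT_ROOTS="/Library/Java
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin
/usr/lib/jvm
/c/Program Files/Java
/c/Program Files (x86)/Java"

# Print every cacerts path under the given directories, one per line.
# Directories that do not exist are skipped silently.
find_cacerts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type f -path '*/lib/security/cacerts' 2>/dev/null
    done
}

# Return 0 if the alias is already present in the store.
has_alias() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" \
        -alias "$CA_ALIAS" >/dev/null 2>&1
}

# Import the CA into one store unless it is already there.
import_ca() {
    store="$1"; pem="$2"
    if has_alias "$store"; then
        echo "skip   $store (alias $CA_ALIAS present)"
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$store" -storepass "$STORE_PASS" \
        -alias "$CA_ALIAS" -file "$pem" \
        && echo "import $store"
}

# usage: main /path/to/dpi-ssl-ca.pem [search roots...]
# Returns 1 if the CA file does not exist; otherwise imports into every store.
main() {
    pem="$1"; shift
    [ -f "$pem" ] || { echo "CA file not found: $pem" >&2; return 1; }
    if [ "$#" -eq 0 ]; then
        # No roots given: use the assumed default locations, one per line.
        printf '%s\n' "$DEFAULT_ROOTS" | while IFS= read -r root; do
            find_cacerts "$root"
        done
    else
        find_cacerts "$@"
    fi | while IFS= read -r store; do
        import_ca "$store" "$pem"
    done
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it once per machine as an administrator (for example as a GPO startup script on Windows, or via an MDM policy on macOS), passing the exported CA file. Because `has_alias` is checked first, re-running after a Java update only touches the new JRE, and the output lists which stores were skipped and which received the import; anything still failing after that is a candidate for the DPI-SSL CN exclusion route instead.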
wannabecraig (Author) commented:
I've set up exclusions for all Java apps.
0