No more Java 6 updates for BCeSIS

[Robert Arkiletian]

Feb 2013 is EOL for Java 6 from Oracle. OpenJDK-1.6 has already gone
EOL. Wondering what plans districts have to keep supporting BCeSIS
considering Java 7 doesn't work with BCeSIS. The probability of a
security exploit surfacing from Feb to June may be low but some
districts are planning to use BCeSIS for 2013/2014 also. Can't imagine
a sys admin feeling good about that from a security standpoint.

http://www.oracle.com/technetwork/java/eol-135779.html

--
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada

[Manfred Moser]

This controlled EOL of Java 6 was originally planned for September and has
been extended to next Feb. Not having planned towards that as
administrator for a Java application is appalling imho to say the least.

In any case though what makes you think that it does not actually work
with Java 7. Has this been tested? It might just work ... lots of
applications actually work fine with the Java 7 runtime..

And if all else fails and you are stuck with Java 7 there will still be
security updates.. Oracle will just hold their hand open for it.

manfred
http://www.vijug.org

> --
> You received this message because you are subscribed to the Google Groups
> "British Columbia Free Open Source Software in Schools" group.
> To post to this group, send email to bcf...@googlegroups.com.
> To unsubscribe from this group, send email to
> bcfosss+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/bcfosss?hl=en.
>

[Robert Arkiletian]

On Tue, Dec 4, 2012 at 8:57 PM, Manfred Moser <man...@mosabuam.com> wrote:
> This controlled EOL of Java 6 was originally planned for September and has
> been extended to next Feb. Not having planned towards that as
> administrator for a Java application is appalling imho to say the least.
>

Planning doesn't help if your district mandates BCeSIS. Problem is
BCeSIS is also scheduled for EOL (not sure of the date) so I doubt the
vendor (I think it's Pearson now) is concerned about it. Basically it
leaves us with potentially vulnerable systems. Unless someone has a
solution or work around.

I know you can install openjdk-1.6 and 1.7 side by side. Any way to
only allow BCeSIS site to use 1.6 and everything else use 1.7?

> In any case though what makes you think that it does not actually work
> with Java 7. Has this been tested? It might just work ... lots of
> applications actually work fine with the Java 7 runtime..

http://bcsupportonline.com/common-bcesis-questions/java-error/

>
> And if all else fails and you are stuck with Java 7 there will still be
> security updates.. Oracle will just hold their hand open for it.

I assume you meant "stuck with Java 6". I'm aware of the commercial
support option. But that's not a feasible option.

[DeanMontgomery]

SD73 currently offers 2 browsers:
1) Firefox (Main Browser Desktop link) - with stable & tested plugins that work with all district/work-realted sites.
2) Google Chrome (in the application menu) - with frequent browser and plugin updates.  For the small few that want bleeding edge.

This way we please both crowds and when someone complains that it doesn't work in Firefox we just tell them to try it in Chrome.

If needs be we, could create a "BCeSIS-Only-Browser" that only launches BCeSIS.  This browser would not be used for any other websites.  So far there has been no need for this yet.



Whenever I upgrade Firefox I must run a battery of tests to ensure it runs core web applications (BCeSIS, Library System, District Zimbra Mail, Websharp Report Cards, Moodle, Mahara, Wordpress, GoogleDocs, Youtube, CBC accounting/hr, assets,  etc).  I also throw a bunch of downloads at it to ensure urls and mimes are handled correctly (mailto: PDF, SMART Notebook, zip, docx, odt, etc)  With our last upgrade I could not use Firefox 17 because of a bug in Moodle/Mahara and settled with 16.0.2.

[Manfred Moser]

On Tue, December 4, 2012 9:31 pm, Robert Arkiletian wrote:
> On Tue, Dec 4, 2012 at 8:57 PM, Manfred Moser <man...@mosabuam.com>
> wrote:
>> This controlled EOL of Java 6 was originally planned for September and
>> has
>> been extended to next Feb. Not having planned towards that as
>> administrator for a Java application is appalling imho to say the least.
>>
>
> Planning doesn't help if your district mandates BCeSIS. Problem is
> BCeSIS is also scheduled for EOL (not sure of the date) so I doubt the
> vendor (I think it's Pearson now) is concerned about it. Basically it
> leaves us with potentially vulnerable systems. Unless someone has a
> solution or work around.

That would mean bad planning on the district side of things I guess.

> I know you can install openjdk-1.6 and 1.7 side by side. Any way to
> only allow BCeSIS site to use 1.6 and everything else use 1.7?

That will probably depend on the operating system. E.g. on the mac I use
for development here I have Java 6 from Apple, Java 7 from Oracle, and
OpenJDK 7 and 8 installed.

However the browser plugin is only the one from Oracle Java 7...

>> In any case though what makes you think that it does not actually work
>> with Java 7. Has this been tested? It might just work ... lots of
>> applications actually work fine with the Java 7 runtime..
>
> http://bcsupportonline.com/common-bcesis-questions/java-error/

Darn Oracle forms... that must be an old version because all current
software from Oracle uses Java 7.

>> And if all else fails and you are stuck with Java 7 there will still be
>> security updates.. Oracle will just hold their hand open for it.
>
> I assume you meant "stuck with Java 6". I'm aware of the commercial
> support option. But that's not a feasible option.

Yes I did... if that is not feasible you will have to live with not
updating and the security risks associated...

Good luck

manfred

[Ryan Tandy]

On Tue, Dec 04, 2012 at 07:23:23PM -0800, Robert Arkiletian wrote:
>Wondering what plans districts have to keep supporting BCeSIS
>considering Java 7 doesn't work with BCeSIS.

BCeSIS appears to work under Java 7. I successfully completed an extract
just a few minutes ago.

If you tried it before you might have received a version error about
JInitiator. It's because Java 7 changed the vendor string from Sun to
Oracle. The workaround is to change it back, by adding a parameter to
the JRE command line.

For GUI users... Open up the Java Control Panel, go to the Java tab,
click View. In the Runtime Parameters (see attached screenshot), add:

-Djava.vendor="Sun Microsystems Inc."

For a system-wide configuration, you can configure the global
deployment.properties file:

deployment.javaws.jre.0.registered=true
deployment.javaws.jre.0.platform=1.7
deployment.javaws.jre.0.osname=Linux
deployment.javaws.jre.0.path=/usr/lib/jvm/java-7-oracle-1.7.0.9/jre/bin/java
deployment.javaws.jre.0.product=1.7.0_09
deployment.javaws.jre.0.osarch=amd64
deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
deployment.javaws.jre.0.enabled=true
deployment.javaws.jre.0.args=-Djava.vendor\="Sun Microsystems Inc."

Some of those fields (e.g. path) will probably be different on your
system [1]. If you go through the GUI method, the user's
~/.java/deployment/deployment.properties will contain the appropriate
configuration and you can copy that to the system configuration. The
minimum properties that need to be configured appear to be path,
product, enabled, and args.

I have only just begun testing this and haven't pushed it out to any
thin clients yet, but it's looking promising. Ideally I want to find a
way to set that parameter only for BCeSIS since I don't know what effect
it might have on other programs. On the other hand AFAIK the parameter
only affects webstart, so there probably isn't a lot of impact.

Hope that helps!

[1] My Java packages come from https://github.com/rraptorr/oracle-java7
for Java 7 and https://github.com/rraptorr/sun-java6 for Java 6.

--
Ryan Tandy - Programmer/Analyst rta...@sd63.bc.ca
School District 63 (Saanich) +1 250 652 7385

[Freddie Cash]

Wow!  Nice detective work.  :)

I can confirm that Oracle Java 1.7 update 9 works with BCeSIS on Windows XP using the java.vendor fix.

One other thing to note:  if you have multiple versions of Java installed, for example 1.6 and 1.7, you need to disable all the older versions (remove the check under Enabled in the Java control panel applet).  Otherwise, you still get the "You are running too old of a version, install JInitiator 1.1.8" errors.

Or, add the same string to both versions.  That seems to also work.

We're starting to run into issues where stenos need Java 7 in order to access some websites, but Java 6 in order to run BCeSIS.  Currently, we're just telling them to update to Java 7, access the website, then remove Java 7.  This could be a much nicer fix.

Thanks for the info!

--
Freddie Cash
fjw...@gmail.com

[Freddie Cash]

On Thu, Dec 6, 2012 at 10:29 AM, Freddie Cash <fjw...@gmail.com> wrote:

Wow!  Nice detective work.  :)

I can confirm that Oracle Java 1.7 update 9 works with BCeSIS on Windows XP using the java.vendor fix.

One other thing to note:  if you have multiple versions of Java installed, for example 1.6 and 1.7, you need to disable all the older versions (remove the check under Enabled in the Java control panel applet).  Otherwise, you still get the "You are running too old of a version, install JInitiator 1.1.8" errors.

Or, add the same string to both versions.  That seems to also work.

Nevermind, ignore that.  It would help if I paid attention to which row I'm in.  I added the java.vendor string to the 1.6 field the first time I tested it.

Adding the string to only the 1.7 field works correctly.

--
Freddie Cash
fjw...@gmail.com

[Manfred Moser]

On Thu, December 6, 2012 10:29 am, Freddie Cash wrote:
> Wow! Nice detective work. :)

Totally agree ++

> One other thing to note: if you have multiple versions of Java installed,
> for example 1.6 and 1.7, you need to disable all the older versions
> (remove
> the check under Enabled in the Java control panel applet). Otherwise, you
> still get the "You are running too old of a version, install JInitiator
> 1.1.8" errors.

Removing old versions is a good idea in general..

manfred

[Freddie Cash]

On Thu, Dec 6, 2012 at 9:37 AM, Ryan Tandy <rta...@sd63.bc.ca> wrote:

BCeSIS appears to work under Java 7. I successfully completed an extract just a few minutes ago.

If you tried it before you might have received a version error about JInitiator. It's because Java 7 changed the vendor string from Sun to Oracle. The workaround is to change it back, by adding a parameter to the JRE command line.

Do you have/know the full Oracle vendor string for Java 7?

Perhaps if a bunch of us put in HEAT tickets asking for the login page to be updated to include this as a valid version of Java, it'll get fixed properly.  As in, update the one BCeSIS Java applet instead of everyone changing their vendor strings locally.

--
Freddie Cash
fjw...@gmail.com

[Ryan Tandy]

On Thu, Dec 06, 2012 at 10:58:49AM -0800, Freddie Cash wrote:
>Do you have/know the full Oracle vendor string for Java 7?

According to [1]:

Area: Runtime
Synopsis: Rebranding System Properties
Description: The vendor properties in the Java console that listed "Sun
Microsystems, Inc" have been rebranded to Oracle. The values of the
following properties have changed from:
java.vendor = Sun Microsystems Inc.
java.vendor.url = http://oracle.com/technetwork/java/
java.vm.vendor = Sun Microsystems Inc.
java.specification.vendor = Sun Microsystems Inc.
java.vm.specification.vendor = Sun Microsystems Inc.
to:
java.vendor = Oracle Corporation
java.vendor.url = http://java.oracle.com/
java.vm.vendor = Oracle Corporation
java.specification.vendor = Oracle Corporation
java.vm.specification.vendor = Oracle Corporation
Nature of Incompatibility: behavioral

[1] http://www.oracle.com/technetwork/java/javase/compatibility-417013.html

>Perhaps if a bunch of us put in HEAT tickets asking for the login page to
>be updated to include this as a valid version of Java, it'll get fixed
>properly. As in, update the one BCeSIS Java applet instead of everyone
>changing their vendor strings locally.

The bug is in Oracle Forms 10 [2], which checks the vendor string in a
way that reminds me (in a rather unpleasant way) of websites that look
at the browser's User-Agent.

Forms 10 is EOL and so won't be updated. I wouldn't hold my breath for
eSIS to be updated to Forms 11 either. Maybe the hack mentioned in the
blog post is a possibility but it doesn't seem like a really good idea
to me.

I wonder whether it could be fixed by modifying the JNLP for eSIS. IIRC
some JNLP-launched programs are able to specify some runtime parameters
such as memory limits. Not sure whether the vendor string could be
changed the same way.

[2] http://www.ora600.be/FRM-92095%3A+Oracle+Jnitiator+version+too+low+-+please+install+version+1.1.8.2+or+higher

[Freddie Cash]

Yeah, I highly doubt BCeSIS will be updated in any major fashion, since it's out-of-support by Pearson, and the Ministry is moving away from it in 2014.  But, we should be able to get the Level 2+ (or even Pearson) people to write a simple wrapper applet to set the java.vendor back to "Sun" before loading the actual BCeSIS applet (as detailed in the blog post).

I'll put in a HEAT ticket and see what they say.  :)

[Ryan Tandy]

On Thu, Dec 06, 2012 at 11:19:41AM -0800, Freddie Cash wrote:
>I'll put in a HEAT ticket and see what they say. :)

Sounds good, keep us posted :)

[Robert Arkiletian]

On Thu, Dec 6, 2012 at 9:37 AM, Ryan Tandy <rta...@sd63.bc.ca> wrote:
>

> -Djava.vendor="Sun Microsystems Inc."
>
> For a system-wide configuration, you can configure the global
> deployment.properties file:
>
> deployment.javaws.jre.0.registered=true
> deployment.javaws.jre.0.platform=1.7
> deployment.javaws.jre.0.osname=Linux
> deployment.javaws.jre.0.path=/usr/lib/jvm/java-7-oracle-1.7.0.9/jre/bin/java
> deployment.javaws.jre.0.product=1.7.0_09
> deployment.javaws.jre.0.osarch=amd64
> deployment.javaws.jre.0.location=http\://java.sun.com/products/autodl/j2se
> deployment.javaws.jre.0.enabled=true
> deployment.javaws.jre.0.args=-Djava.vendor\="Sun Microsystems Inc."
>

Fantastic! Well done Ryan. :)

[jim.c.chr...@gmail.com]

Hello Everyone.  I've stayed away from the BCeSIS button on my browser bar for a while but with the new school year almost here ...  well, I discovered that I can't load BCeSIS again.  I'm using my same Linux workstation with the vendor id fix.  I haven't made any changes to my java setup.  Has anyone else discovered Java 7 and bcesis not working again?  Thanks,  Jim

[Ryan Tandy]

Hi Jim,

On 13-08-21 10:38 AM, jim.c.chr...@gmail.com wrote:
> I'm using my same Linux workstation with the vendor id fix. I
> haven't made any changes to my java setup.

If you applied the fix in the Java control panel, is it possible that
your JRE was updated since then? As I understand it those settings are
specific to JRE versions, so if you updated (for example) from 7u21 to
7u25 that could explain it.

The solution I use is to skip the Java control panel completely and add
the JRE argument in an environment variable:

JAVA_TOOL_OPTIONS='-Djava.vendor="Sun Microsystems Inc."'

On recent Ubuntu releases, ~/.pam_environment is a good place to put
that so that it's added to your environment when you log in. I don't
know whether other distros enable pam_env(8) by default.

If that's not the problem, can you provide any more detailed information?