Much has been written about the security of Java and its place in the world. However, the reality is that when working in Oracle Agile PLM, Java is at least a necessary evil.
Java on the server
It is constructive here to separate the use of Java on the server and Java on the desktop. At the server, Java is the core of Agile PLM. Agile runs within a Java virtual machine (JVM) hosted by WebLogic or Oracle Application Server. With the release of Agile 9.3.2 we were allowed to easily use 64 bit JVM’s and all of the resources that came with those. Fortunately, running the latest version of Java on the server is easy (in the case of Agile PLM) and transparent. There is no reason I yet know of NOT to use the latest version of JAVA on your Agile application server. The exception is that some of the Agile PLM tools still require older versions of Java in the user workspace to function. Hopefully, Oracle will be addressing these exceptions in future releases.
Java on the desktop
The desktop is the area where all of the Java vulnerabilities come to light and that is where Agile PLM administrators face the greatest challenges. Running the latest Java 1.7.X may not be compatible with older software or as mentioned above, work with all of the Agile administrative utilities and tools. Perhaps more obnoxious is the barriers presented by Java itself with the latest release of 1.7_51 which imposed a more strict security model on Java applications and the user’s ability to run downloaded code such as that of the Agile Java Client. Agile has made progress by changing file upload functionality in the web client to HTML5 from Java. Java Version 7 Update 51 imposes the following restrictions that conflict with current Agile PLM code: * All RIA jars have to be signed using a certificate from a signing authority * The “Permissions” attribute in RIA Manifest must be present. Agile’s Java Client code does not currently include either of these requirements.
What to do
Fortunately, there are some fixes available to stay within the new Java security framework while enabling our users to access the tools and applications they need to get the work done. Individual users can mitigate these barriers with the following process: * Upgrade to JRE 7u51 * Open the Java Control Panel ** On the * Security * tab * Under * Exception Site List * click the * Edit Site List * button and add the AutoVue server and Java Client URL’s to the list. If this seems to difficult or still too restrictive, you can set the * Security Level * slider to ** Medium *.
As of this writing there is also a patch available from OTN (Oracle Technology Network) for Agile 9.3.3, identified as: * Patch 188.8.131.52.7 for Oracle Agile PLM Release 9.3.3 ** from ** Bug ID 18017614: JRE 7 U51 UPTAKE *
The new security requirements of Java 7_51 are a welcome addition to securing the Java universe and the existing inconveniences will be short lived as administrators and users learn to adapt and conform to a more secure Java execution environment.