Java Console Incorrectly Reports SGD Client Archive Signing Certificates have Expired

(Doc ID 2338526.1)

Last updated on DECEMBER 14, 2017

Applies to:

Oracle Secure Global Desktop - Version 4.63 to 5.3 [Release 4.0 to 5.0]
Information in this document applies to any platform.

Symptoms

Users connecting to a valid Secure Global Desktop (SGD) server with verbose Java logging enabled may observe misleading messages regarding the signing certificates written to the Java Console upon their successful connection.

The following example was captured on a SGD 5.3 server, patched to the October 2017 PSU, 5.3p2.   All certificates in the client archive signing chain are valid at the time this message is displayed.

...
security: The certificate has expired, need to check timestamping info
security: Timestamping info is available
security: The certificate has expired, and is timestamped in valid period
security: The certificate has expired, but is timestamped in valid period and TSA is valid
...

However, further review of the certificates used to sign the SGD client archives will show that no certificates in the archive signing chain have yet expired.

Tip: for guidance on how to review the certificates used to sign SGD Client archives, as well as an index of known expiration dates, please see the following document: <Document 2328375.1> - Understanding Secure Global Desktop Client Java Archive Signing 

The user will be able to continue to successfully connect, but may be curious regarding the origin of these inquiries.

Changes

The user has recently updated the client-side Java from version 8u131.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms