The security certificate “America Online Root Certification Authority 2” has a public key of length greater than 2048 bit.

Posted: October 15th, 2009 | Author: Graham | Filed under: random

I’m doing a bit of work for a client and they run this crazy Citrix Metaframe thing, which I’ve heard of but never used before. It’s like a remote access tool / website wrapped in Java applets and special clients and all sorts of other whizbangerry.

But I had a problem connecting to it. It would load a Java applet and then Java would die when initializing with the following error. I’m running the latest Sun Java 6 u16.

A local security certificate could not be loaded. (error code: 7)
    at com.citrix.sdk.security.ssl.ConnectionModel.addCACertificate(ConnectionModel.java)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.citrix.client.io.net.ip.m.h(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.i.(Unknown Source)
    at com.citrix.client.io.net.ip.g.a(Unknown Source)
    at com.citrix.client.io.net.ip.o.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.t(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:619)
Caused by: The SSL cryptography library failed. The security certificate "America Online Root Certification Authority 2" has a public key of length greater than 2048 bit.
    at com.citrix.sdk.security.certificate.X509CertificateLoader.loadCertificates(X509CertificateLoader.java)

It’s about identical to this unsolved post at Ubuntu launchpad too. The certificates for a simple client JRE are stored in the cacerts file which lives in jre/lib/security/cacerts. It looks as if the root certificate for AOL is too long or recently updated or something and it’s not playing nicely with MetaFrame. So somehow we have to ditch that root cert. It would only really be a problem if we are unlucky enough to have our certificate signed by that root CA.

I assumed that MetaFrame worked on older JREs and that the problem is that I am using a brand new one. So luckily Sun keep an archive of old JDKs and JREs here. So it is quite simple: download and install an old JRE (I got 5u1) and rip the cacerts file out of there and dump it into your new JRE’s directory and try it again. Worked like a charm for me. You probably don’t want to do this permanently (I guess they updated the cacerts file for a reason?) but if you really need to log into MetaFrame, it’ll do.
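
An alternative to swapping in a whole outdated cacerts file is to find the entries whose RSA key exceeds the 2048-bit limit from the error message and drop only those from a copy of the current store. The following is an added example, not part of the original post or any Citrix or Sun tooling; it assumes Java 9 or later and the default store password changeit, and the class name and file arguments are hypothetical.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class name): list trust-store entries whose RSA
// key is longer than 2048 bits and write a pruned COPY of the store.
public class PruneLargeKeyRoots {
    static final int MAX_BITS = 2048; // limit named in the Citrix error message

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: PruneLargeKeyRoots <cacerts-in> <cacerts-out> [storepass]");
            System.exit(2);
        }
        // "changeit" is the default cacerts password; override if yours differs.
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        // KeyStore.getInstance(File, char[]) (Java 9+) detects JKS vs PKCS12.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass);

        List<String> tooLong = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias); // null for non-certificate entries
            if (c instanceof X509Certificate && c.getPublicKey() instanceof RSAPublicKey) {
                int bits = ((RSAPublicKey) c.getPublicKey()).getModulus().bitLength();
                if (bits > MAX_BITS) {
                    System.out.printf("%d-bit RSA  alias=%s  subject=%s%n", bits, alias,
                            ((X509Certificate) c).getSubjectX500Principal().getName());
                    tooLong.add(alias);
                }
            }
        }
        for (String alias : tooLong) {
            ks.deleteEntry(alias); // modifies only the in-memory copy
        }
        // Write to a new file; the JRE's original cacerts is never touched.
        try (OutputStream out = new FileOutputStream(args[1])) {
            ks.store(out, pass);
        }
        System.out.printf("removed %d entries, wrote %s%n", tooLong.size(), args[1]);
    }
}
```

Review the printed list before using the pruned copy: a server certificate that chains to one of the removed roots will no longer validate.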


Eclipse + flash drive = IDE anywhere

Posted: March 3rd, 2009 | Author: Graham | Filed under: tip

I’m taking an introduction to Java course at night school at the moment. I’ve bought so many ‘Learn Java in 15 minutes’ books and they just sit on the shelf and get dusty. So the class is supposed to make me work at it.

In the class we are all given nice little Windows PCs, and they all have NetBeans 6.5 installed on them. Nothing against NetBeans, but everyone at work uses Eclipse, and I’ve played with Eclipse quite a bit so I didn’t really want to learn NetBeans.

Since the course is held in one of the most treacherous IT environments imaginable (a school!) with every wiseass trying to hack the machines, they are locked down pretty tight. So I didn’t imagine I’d be able to install Eclipse. Also, since you weren’t assigned a specific computer for each session, installing it each time on a different machine wasn’t going to be an option.

I guess you read the title, so know what’s going to come next. I dumped a build of Ganymede onto a crappy flash drive at home and took it to class. Eclipse ran just great off the drive. The particular flash drive has terrible r/w speeds too. I really thought it wouldn’t work well at all. Just make sure you create your workspace on the flash drive too (duh). Now I can work from the same development environment wherever I am. The only caveat I guess is that it has to be the same OS (Windows, in my case). I’m sure there is some way to launch a Windows build of Eclipse on Linux, but it would be hard to figure out. Too much mucking around with the classpath.