Thanks for the summary. I've had to walk through that with a client on an old server. FileMaker is not planning on supporting 10.6 in the future nor is it supporting Java 6. Java 7 will not run on 10.6. This would be a good time for the client to look at upgrading to Mountain Lion and FMS 12. Expect 10.6 with FMS 11 to become more problematic as time goes on. And be aware that Java 6 is basically unprotected and can be hacked with tools available in the public domain. So it will never be a secure server if you have Java 6 running. Just some things to consider. I know budgets can be tight, but you can get a pretty cheap Mac Mini Server with a Pegasus RAID for under $2500 plus your upgrade cost to FMS 12. This is pretty inexpensive as far as servers go. I know we all end up having to support clients with old versions. My terms with clients are that I will only work on old versions to work to bring them current and I only do development in the current version. I do not support old versions of the OS and FMS due to issues like this plus the big security issue.
Best of luck and thanks for sharing!
When you restored your machine, did you run the Java Update 16 from Apple that has caused the Admin Console not to load in some machines?
I have one iMac running 10.6.8 that was updated with this with no ill effect and a Mac Mini that was updated and now the Admin Console won't load. I am afraid to update any of my other machines now.
Note that all of these Java vulnerabilities require some action on the user's part to execute a Java applet downloaded from the internet. They do not leave an open hole on a server for an external attacker to be able to actively get in. In the situation of a server, the odds of the user running some malicious applet are very slim.
In other words, all they have to do is go to a web site that has the Java code in it. And it can even be a legit web site that itself has been hacked. You just don't know. The vulnerability is mainly being made by exploit packs inserted into web pages. For this reason some server security plans do not allow the use of browsers. But then how do you get updates like for Java 7 or other software you need to download? The reality is that even a server occasionally needs a web browser even if it is not very often. Hoping you don't go to the wrong site or even a correct site that has been infected is a very poor security control. If you absolutely have to stay on Java 6 for some reason, make sure to turn it on only when you need it and turn it off afterwards.
Java seemed to be installed when the system completed the OS install. Once FMS was installed, I installed all available updates including the latest Java release. Since this is 10.6.8, Java 7 is not an option so I have to use Java 6. The good news is this is an internal development server and does not present an interface to the internet.
I was under the impression that the latest Java 6 update resolved most of the security issues.
If the machine is isolated on a non-public LAN, then you are very safe as long as you don't have users coming in with viruses on thumb drives, etc.
FYI, everything before Java 7 Update 11 is vulnerable according to the National Vulnerability Database. The latest Apple updates of Java did things like not let it run if it is not the latest version and turn it off after 30 days if not used, requiring authorizing to start back up. But those are just workarounds to minimize exposure. For more information, you can start with the article in the National Vulnerability Database under the National Cyber Awareness System Vulnerability Summary CVE-2013-0422 at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0422
I guess the question is what benefit do you have for staying on 10.6.8? Mountain Lion can be bought for $20 and for another $30 upgraded to the Server version. So for $50, you would have the latest OS level security. If my Server isn't worth spending $50, then I really don't have valuable data on it and would not be concerned about hackers. There is also the question of whether the hardware can run Mountain Lion.
I only see entries in that database for Java 6 update 45 and earlier. The latest 10.6 Java 6 update brings it to update 51. Why would Apple bother continuing to update Java 6 if it wasn't to eliminate these vulnerabilities?
There are numerous reasons users either don't want to or can't upgrade past 10.6. Some machines will only run up to 10.6. After Snow Leopard Server, the Server Admin application was done away with, which included a lot more in-depth GUI of server processes than the new Server.app of 10.7 and 10.8 (though Server.app is catching up). There are also labor costs involved in upgrading a system.
Update to the latest Java 6 patch and disable Java in your web browser and you're perfectly fine. I would, however, recommend Mountain Lion Server, Java 7 and FileMaker Server 12 for all new installations (and we do to our clients).
Remember that Apple is not updating Java, Oracle is. Apple did some workarounds, but even Oracle says Java 6 is not to be used. Go to the Java SE 6 downloads page and read the warning that says that Java 6 is only for developers to debug older systems and is not to be used in live production systems. That says all I need to know about it from the actual developer of Java.
I agree there are numerous reasons not to upgrade including the hardware or an app that won't work in newer versions of the Mac OS. Those are all understandable reasons for a client machine. This is a server machine and most server machines serve up valuable data where security is important and FMS works well with the newer versions of the OS. And FileMaker has said they are deprecating support for 10.6.8.
I find most people that find themselves in this situation are in it because they started a server years ago and never updated it and now find themselves in this situation. I take on quite a few new clients this way. I tell them that if they want my help, they need to come current on hardware, OS, and FMS. Invariably if they won't spend the money on those things, they are not wanting to pay a developer's consulting fee and their data probably isn't all that valuable to them. Of course once hacked and info is stolen, they sometimes change their minds. But until then, if they don't see the value of computer security, they are at risk. It is like parking your car in downtown Detroit and leaving the windows down and the key in the ignition. Maybe it won't get stolen... but why take the risk? For this reason, if you have a server, you need a Server Admin that will run patches and updates regularly. A server is not a maintenance-free tool. It is like a car that requires oil changes and tire changes and battery changes, etc. And we haven't even touched on backups, but I have rambled on - my apologies.
At least the situation described here is on a private LAN that doesn't touch the internet. But I would still recommend upgrading it if it were my client.
Thanks for the response.
Thank God for Technet. FileMaker and Apple are basically silent on this problem with Java, which is frustrating.
Anyway, I finally gave in yesterday and upgraded to Lion (I have the version of Server 11 that runs on Lion), downloaded both Java 6 and Java 7 (there was something on the FMP site that said that this version needed both Java 6 and 7, so that's what I did).
I was able to finally get the Admin Console created and partly functioning (we need to fix the config files, etc.), which is a major step beyond where we ever got to with 10.6.8.