Attempting to log into a Java IPMI console with endless security errors? If you are, this will probably help you. If you aren’t, keep looking.
Over the years, security has evolved and older methods have become obsolete. Algorithms such as SHA-1 have become vulnerable. While Java, via updates, has been able to remove these older security protocols and standards, decade-old hardware, like outdated IPMI, has not. In order to get the Java Virtual Console tools to run under later versions of Java, we need to make changes to security settings to re-enable these obsolete encryption and hashing standards.
Let’s fix the issue now:
For this article, my test setup will be an older Dell PowerEdge with an iDRAC 6. Depending on your target device and setup, you may need to adapt some of these instructions.
The first error you probably might run into is an “Unable to launch the application” error.
The error itself is less than helpful, but if you press the Details button. You can get an idea of what’s causing the issue.
This .jnlp file was signed with the “MD5withRSA” algorithm (highlighted in the image) which Java no longer considers secure.
Editing the security file:
To fix this, open the java.security file, usually within: C:\Program Files (x86)\Java\jre7\lib\security\java.security. The location will differ slightly based on the Java version installed, and may be in C:\Program Files if the 64-bit version is installed.
Use the find feature (Ctrl + F) of your text editor to locate the part of the file where it disables that algorithm.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
At line 647 of my java.security file, I found this. By removing “MD5withRSA” from this configuration line, we can re-enable the algorithm in Java. If you’re a lunatic, you can even remove or comment out the line entirely re-enabling the other disabled algorithms. Below is the new line enabling (un-disabling) the algorithm we need.
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, DH keySize < 1024, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL
However, if you run the file, you’ll probably get the same error, because “MD5withRSA” also relies on both MD5 and RSA algorithms and those are disabled in a couple others places. By using the wonders of Ctrl + F and the backspace key, we can fix that too.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \ RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
On line 571 for me, I removed the “MD5” and “RSA keySize < 1024”.
jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \ DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
At line 615, I did the same.
jdk.jar.disabledAlgorithms=MD2, DSA keySize < 1024
Now, if you run it once again, you might get an “Application Blocked by Java Security” for various reasons (missing a permissions manifest, invalid SSL certificate, etc). The easiest and most pragmatic way is to open the Security tab of the Configure Java program (which you can find by searching in the Start menu). After opening it, add the URL without the file path (which is also shown in the “Location” field of the previous error) to the Exception Site List.
Java Control Panel:
You should now be able to connect to the IPMI Java Virtual Console without issue (although you may need to start a new session if it has been too long since you downloaded the file). If you encounter any issues, feel free to ask in the comments and we may be able to help.