Like any good sysadmin, I kept my servers and desktop side up to date and patched all the time. However, recent Java updates have broken my IPMI KVM Java Applets on Dell, IBM, HP, Supermicro and FreeNAS mini servers. You will get an error that read as follows:
Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned.
The error continues as follows:
<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://192.168.2.92:80/Java">
<information>
<title>JViewer</title>
<vendor>American Megatrends, Inc.</vendor>
<description kind="one-line">JViewer Console Redirection Application</description>
<description kind="tooltip">JViewer Console Redirection Application</description>
<description kind="short">
JViewer enables a user to view the video display of managed server via KVM.
It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
</description>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version="1.5+"/>
<jar href="release/JViewer.jar"/>
</resources>
<resources>
<j2se version="1.5+"/>
<jar href="release/JViewer-SOC.jar"/>
</resources>
<resources os="Windows" arch="x86">
<j2se version="1.5+"/>
<nativelib href="release/Win32.jar"/>
</resources>
<resources os="Windows" arch="amd64">
<j2se version="1.5+"/>
<nativelib href="release/Win64.jar"/>
</resources>
<resources os="Linux" arch="x86">
<j2se version="1.5+"/>
<nativelib href="release/Linux_x86_32.jar"/>
</resources>
<resources os="Linux" arch="i386">
<j2se version="1.5+"/>
<nativelib href="release/Linux_x86_32.jar"/>
</resources>
<resources os="Linux" arch="x86_64">
<j2se version="1.5+"/>
<nativelib href="release/Linux_x86_64.jar"/>
</resources>
<resources os="Linux" arch="amd64">
<j2se version="1.5+"/>
<nativelib href="release/Linux_x86_64.jar"/>
</resources>
<resources os="Mac OS X" arch="i386">
<j2se version="1.5+"/>
<nativelib href="release/Mac32.jar"/>
</resources>
<resources os="Mac OS X" arch="x86_64">
<j2se version="1.5+"/>
<nativelib href="release/Mac64.jar"/>
</resources>
<application-desc>
<argument>-apptype</argument>
<argument>JViewer</argument>
<argument>-hostname</argument>
<argument>192.168.2.92</argument>
<argument>-kvmtoken</argument>
<argument>rjhWlxU7CiPFlKUE</argument>
<argument>-kvmsecure</argument>
<argument>0</argument>
<argument>-kvmport</argument>
<argument>80</argument>
<argument>-vmsecure</argument>
<argument>0</argument>
<argument>-cdstate</argument>
<argument>1</argument>
<argument>-fdstate</argument>
<argument>1</argument>
<argument>-hdstate</argument>
<argument>1</argument>
<argument>-cdnum</argument>
<argument>1</argument>
<argument>-fdnum</argument>
<argument>1</argument>
<argument>-hdnum</argument>
<argument>1</argument>
<argument>-userpriv</argument>
<argument>4</argument>
<argument>-lang</argument>
<argument>EN</argument>
<argument>-websecureport</argument>
<argument>443</argument>
<argument>-singleportenabled</argument>
<argument>1</argument>
<argument>-webcookie</argument>
<argument>yqvHjIVRoAPUDLjNGVUEHq6PNiXUEEjN000</argument>
</application-desc>
</jnlp>
|
<?xml version=”1.0″ encoding=”UTF-8″?>
<jnlp spec=”1.0+” codebase=”http://192.168.2.92:80/Java”>
<information>
<title>JViewer</title>
<vendor>American Megatrends, Inc.</vendor>
<description kind=”one-line”>JViewer Console Redirection Application</description>
<description kind=”tooltip”>JViewer Console Redirection Application</description>
<description kind=”short”>
JViewer enables a user to view the video display of managed server via KVM.
It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
</description>
</information>
<security>
<all-permissions/>
</security>
<resources>
<j2se version=”1.5+”/>
<jar href=”release/JViewer.jar”/>
</resources>
<resources>
<j2se version=”1.5+”/>
<jar href=”release/JViewer-SOC.jar”/>
</resources>
<resources os=”Windows” arch=”x86″>
<j2se version=”1.5+”/>
<nativelib href=”release/Win32.jar”/>
</resources>
<resources os=”Windows” arch=”amd64″>
<j2se version=”1.5+”/>
<nativelib href=”release/Win64.jar”/>
</resources>
<resources os=”Linux” arch=”x86″>
<j2se version=”1.5+”/>
<nativelib href=”release/Linux_x86_32.jar”/>
</resources>
<resources os=”Linux” arch=”i386″>
<j2se version=”1.5+”/>
<nativelib href=”release/Linux_x86_32.jar”/>
</resources>
<resources os=”Linux” arch=”x86_64″>
<j2se version=”1.5+”/>
<nativelib href=”release/Linux_x86_64.jar”/>
</resources>
<resources os=”Linux” arch=”amd64″>
<j2se version=”1.5+”/>
<nativelib href=”release/Linux_x86_64.jar”/>
</resources>
<resources os=”Mac OS X” arch=”i386″>
<j2se version=”1.5+”/>
<nativelib href=”release/Mac32.jar”/>
</resources>
<resources os=”Mac OS X” arch=”x86_64″>
<j2se version=”1.5+”/>
<nativelib href=”release/Mac64.jar”/>
</resources>
<application-desc>
<argument>-apptype</argument>
<argument>JViewer</argument>
<argument>-hostname</argument>
<argument>192.168.2.92</argument>
<argument>-kvmtoken</argument>
<argument>rjhWlxU7CiPFlKUE</argument>
<argument>-kvmsecure</argument>
<argument>0</argument>
<argument>-kvmport</argument>
<argument>80</argument>
<argument>-vmsecure</argument>
<argument>0</argument>
<argument>-cdstate</argument>
<argument>1</argument>
<argument>-fdstate</argument>
<argument>1</argument>
<argument>-hdstate</argument>
<argument>1</argument>
<argument>-cdnum</argument>
<argument>1</argument>
<argument>-fdnum</argument>
<argument>1</argument>
<argument>-hdnum</argument>
<argument>1</argument>
<argument>-userpriv</argument>
<argument>4</argument>
<argument>-lang</argument>
<argument>EN</argument>
<argument>-websecureport</argument>
<argument>443</argument>
<argument>-singleportenabled</argument>
<argument>1</argument>
<argument>-webcookie</argument>
<argument>yqvHjIVRoAPUDLjNGVUEHq6PNiXUEEjN000</argument>
</application-desc>
</jnlp>
MD5 added to jdk.jar.disabledAlgorithms Security property
Oracle added a new restriction on how MD5 signed JAR files are verified:
This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:
Applets or Web Start Applications
Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.
Fix
You need to find a file named java.security and comment out the jdk.jar.disabledAlgorithms line, from:
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
To:
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
On Linux/macOS and Unix-like system one can use the find command as follows to locate file named java.security:
$ sudo find / -iname java.security
OR
$ locate java.security
On my macOS I found file at the following locations and edited out the vim command
$ sudo vi /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
All You have to do is comment out the line as follows:
The above procedure fixed my problem and I was able to open local and remote IPMI/BMC console:
The long term solution
I think in the long run, the hardware vendor must fix their BMC/IPMI firmware. Some vendors started to support HTML 5 based IPMI/BMC clients. The HTML5 client would replace Java Browser based plugins/Applet hell for all of us.