IPMI remote access on old machines

 Posted on April 7, 2021  |  2 minutes  |  361 words  |  phoenix

This is a very short update post about getting the IPMI Remote Control Java Applet from horrible old system running on modern systems. This is an issue that haunted me for some time.

TL;DR

Problem: You get the following error message when launching the Remote Control Java Applet on SuperMicro servers:

Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.

Solution: Re-Enable MD5 for JARs

# /usr/lib64/jvm/java/jre/lib/security/java.security
---
[...]
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024       # keep the original line as comment
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024             # remove MD5 
[...]

No restart or anything needed, it should now work right away.

Problem description

Supermicro Servers provide a Java Applet for Remote Control. If you have to do some maintenance or testing on bare metal machines, you will occasionaly have the honor to access those machines via this applet. It kinda works, but I’m always happy when I can close this again :-)

However some of the older machines don’t work. You get an error message like

Application Error: Cannot grant permissions to unsigned jars. Application requested security permissions, but jars are not signed.

The error message is misleading, because there is a signature, but it’s MD5, which is not trusted anymore.

Solution

My solution is to allow MD5 signatures. This is a horrible idea and you should not do this, in cause you are realying on valid code signatures!

Edit the file java.security file, typically located in /usr/lib64/jvm/java/jre/lib/security/java.security or /usr/lib/jvm/java/jre/lib/security/java.security. The path might differ a bit on your system, but it should be somewhere in /usr/lib/jvm or /usr/lib64/jvm. The command find /usr -name jvm might give you a clue where to look.

Search for the following line, comment it and add a copy without the MD5

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024

This is what the replace should look like

#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024, DSA keySize < 1024

After editing this, I was able to launch the Remote Control Applet.

Alternative solutions

There are also alternative solutions on stackexchange.

Bare Metal  IPMI