Last active
May 8, 2024 20:40
supermicro_ipmi_x9scl-f_java_jnlp_certificate_error_fixed
# 2024.02.18
# windows 10 22H2
java -version
# java version "1.8.0_401"
# Java(TM) SE Runtime Environment (build 1.8.0_401-b10)
# Java HotSpot(TM) Client VM (build 25.401-b10, mixed mode, sharing)
# supermicro x9scl-f, supermicro x9dri-ln4f
The issue is caused by JARs signed with SHA-1 algorithms, which are restricted by default and treated as if they were unsigned, starting from Oracle Java Version 8 Update 351.
Resolution
To run JNLP files and start Remote Control Managed sessions without using a pre-installed Controller, perform the following steps:
Open the "java.security" file available in the following directory:
[installation_path]\server\java\jre\lib\security\java.security
in my case: C:\Program Files (x86)\Java\jre-1.8\lib\security\java.security
1. Locate the "jdk.certpath.disabledAlgorithms" property and comment out the section
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
#    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
#    include jdk.disabled.namedCurves, \
#    SHA1 usage SignedJAR & denyAfter 2019-01-01
2. Locate the "jdk.jar.disabledAlgorithms" property and comment out the section
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
#    DSA keySize < 1024, include jdk.disabled.namedCurves, \
#    SHA1 denyAfter 2019-01-01
This allows the old algorithms that were used to sign the JNLP from the BMC of the X9SCL-F motherboard.
Some of the certificates in the chain have already expired, and by today's standards they leave much to be desired security-wise.
Save the file and run the downloaded JNLP file.
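
A check for the state of the two properties from steps 1 and 2, added here as an example (it is not part of the original notes or of any vendor tooling). It reads a java.security file with the properties-file rules for comments and backslash continuations and reports, per property, whether it is unset, active without SHA1, or still restricting SHA1; the embedded sample is constructed.

```python
import sys
from pathlib import Path

WATCHED = ("jdk.certpath.disabledAlgorithms", "jdk.jar.disabledAlgorithms")
# Constructed sample: step 1 applied as in the notes, step 2 not yet applied.
SAMPLE = r"""
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
#    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
#    include jdk.disabled.namedCurves, \
#    SHA1 usage SignedJAR & denyAfter 2019-01-01
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves, \
      SHA1 denyAfter 2019-01-01
"""

def active_properties(text):
    """Return {key: value} for the uncommented entries of a java.security file."""
    props, pending = {}, None
    for raw in text.splitlines() + [""]:      # sentinel flushes a dangling continuation
        line = raw.lstrip()
        if pending is None and (not line or line[0] in "#!"):  # comment or blank line
            continue                          # (only recognised outside a continuation)
        backslashes = len(line) - len(line.rstrip("\\"))
        if backslashes % 2:                   # odd count: value continues on next line
            pending = (pending or "") + line[:-1]
            continue
        key, _, value = ((pending or "") + line).partition("=")
        props[key.strip()] = value.strip()
        pending = None
    return props

def audit(text):
    """Classify each watched property: 'unset', 'SHA1 allowed' or 'SHA1 restricted'."""
    props, report = active_properties(text), {}
    for name in WATCHED:
        value = props.get(name)
        if value is None:
            report[name] = "unset"            # nothing listed in this property applies
        elif "SHA1" in value.replace(",", " ").split():
            report[name] = "SHA1 restricted"
        else:
            report[name] = "SHA1 allowed"
    return report

if __name__ == "__main__":
    texts = {p: Path(p).read_text(encoding="latin-1") for p in sys.argv[1:]}
    for path, text in (texts or {"<constructed sample>": SAMPLE}).items():
        for name, state in audit(text).items():
            print(f"{path}: {name}: {state}")
```

Pass one or more java.security paths as arguments. A result of "unset" means the whole property, including its MD2, MD5 and key-size entries, is commented out for every application using that JRE, so running the check again after the KVM session confirms whether the file has been restored.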
###
on ubuntu
1. sudo apt-get install libxtst6:i386
2. download java8 jdk-8u333-linux-i586.tar.gz from https://www.oracle.com/java/technologies/javase/javase8u211-later-archive-downloads.html
3. tar xvfz jdk-8*
4. jdk1.8.0_333/bin/javaws launch.jnlp
###
on macOS
# 2024.05.08
# macos Sonoma 14.4.1
# java version "1.8.0_411"
# Java(TM) SE Runtime Environment (build 1.8.0_411-b09)
# Java HotSpot(TM) 64-Bit Server VM (build 25.411-b09, mixed mode)
sudo find / -name java.security
cd /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/
nano java.security
# then repeat steps 1 and 2 described above
###
source: https://www.bytesizedalex.com/supermicro-ipmi-ssl-tls-certificate-replacement/
I had the same problem and resetting, factory defaulting the BMC etc. did nothing. After months of searching I eventually found the raw command to set the SSL certificate back to the default, which brought the web server back from the dead.
ipmicfg -raw 0x30 0x68 0 0
###
an interesting approach with socat
https://www.osso.nl/blog/2020/supermicro-java-console-redirection-kvm/