How to fix the IPMI KVM Java (BMC) "MD5withRSA ... is treated as unsigned" error

Posted in Categories Datacenter, Hardware. Last updated July 8, 2017

Like any good sysadmin, I keep my servers and desktops up to date and patched. However, a recent Java security update (JDK 8u131 and later) has broken the IPMI KVM Java applets on my Dell, IBM, HP, Supermicro and FreeNAS Mini servers. You will get an error that reads as follows:

Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned.


The dialog's details show the JNLP launch file that the BMC served to the browser. Note what it contains: the applet asks for all-permissions, the codebase is plain http://, -kvmsecure and -vmsecure are 0, and the -kvmtoken and -webcookie arguments look like session credentials. Anyone who can capture this file on the wire can likely reuse that session, which is one more reason to keep the IPMI/BMC network isolated from everything else.

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="http://192.168.2.92:80/Java">
    <information>
        <title>JViewer</title>
        <vendor>American Megatrends, Inc.</vendor>
        <description kind="one-line">JViewer Console Redirection Application</description>
        <description kind="tooltip">JViewer Console Redirection Application</description>
        <description kind="short">
            JViewer enables a user to view the video display of managed server via KVM.
            It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
        </description>
    </information>
    <security>
        <all-permissions/>
    </security>
    <resources>
        <j2se version="1.5+"/>
        <jar href="release/JViewer.jar"/>
    </resources>
    <resources>
        <j2se version="1.5+"/>
        <jar href="release/JViewer-SOC.jar"/>
    </resources>
    <resources os="Windows" arch="x86">
        <j2se version="1.5+"/>
        <nativelib href="release/Win32.jar"/>
    </resources>
    <resources os="Windows" arch="amd64">
        <j2se version="1.5+"/>
        <nativelib href="release/Win64.jar"/>
    </resources>
    <resources os="Linux" arch="x86">
        <j2se version="1.5+"/>
        <nativelib href="release/Linux_x86_32.jar"/>
    </resources>
    <resources os="Linux" arch="i386">
        <j2se version="1.5+"/>
        <nativelib href="release/Linux_x86_32.jar"/>
    </resources>
    <resources os="Linux" arch="x86_64">
        <j2se version="1.5+"/>
        <nativelib href="release/Linux_x86_64.jar"/>
    </resources>
    <resources os="Linux" arch="amd64">
        <j2se version="1.5+"/>
        <nativelib href="release/Linux_x86_64.jar"/>
    </resources>
    <resources os="Mac OS X" arch="i386">
        <j2se version="1.5+"/>
        <nativelib href="release/Mac32.jar"/>
    </resources>
    <resources os="Mac OS X" arch="x86_64">
        <j2se version="1.5+"/>
        <nativelib href="release/Mac64.jar"/>
    </resources>
    <application-desc>
        <argument>-apptype</argument>
        <argument>JViewer</argument>
        <argument>-hostname</argument>
        <argument>192.168.2.92</argument>
        <argument>-kvmtoken</argument>
        <argument>rjhWlxU7CiPFlKUE</argument>
        <argument>-kvmsecure</argument>
        <argument>0</argument>
        <argument>-kvmport</argument>
        <argument>80</argument>
        <argument>-vmsecure</argument>
        <argument>0</argument>
        <argument>-cdstate</argument>
        <argument>1</argument>
        <argument>-fdstate</argument>
        <argument>1</argument>
        <argument>-hdstate</argument>
        <argument>1</argument>
        <argument>-cdnum</argument>
        <argument>1</argument>
        <argument>-fdnum</argument>
        <argument>1</argument>
        <argument>-hdnum</argument>
        <argument>1</argument>
        <argument>-userpriv</argument>
        <argument>4</argument>
        <argument>-lang</argument>
        <argument>EN</argument>
        <argument>-websecureport</argument>
        <argument>443</argument>
        <argument>-singleportenabled</argument>
        <argument>1</argument>
        <argument>-webcookie</argument>
        <argument>yqvHjIVRoAPUDLjNGVUEHq6PNiXUEEjN000</argument>
    </application-desc>
</jnlp>
Fig.01: BMC/IPMI KVM Java applet broken by a Java security update

MD5 added to jdk.jar.disabledAlgorithms Security property

Oracle added a new restriction on how MD5-signed JAR files are verified. From the JDK 8u131 release notes:

This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

Applets or Web Start Applications
Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the java.security file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.

Fix

You need to find the file named java.security that belongs to the JRE actually running the applet (the browser plugin or Java Web Start may not use the same JRE as the java on your PATH) and edit the jdk.jar.disabledAlgorithms line. The quickest fix is to comment the whole line out, from:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

To:

#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

Be aware that commenting out the whole line also re-enables MD2 signatures and RSA keys shorter than 1024 bits for every Java program that uses this JRE. If you only want to re-enable what the BMC applet needs, delete just MD5 from the list and leave the rest of the line in place. Either way, treat this as a temporary workaround and revert it once the vendor ships firmware with properly signed applets.

On Linux, macOS and other Unix-like systems, use the find command to locate every java.security file (there is normally one per installed JRE or JDK):
$ sudo find / -iname java.security
OR
$ locate java.security
On my macOS system I found the file at the following location and edited it with vim:
$ sudo vi /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
All you have to do is comment out the line as described above:

Fig.02: Configuring jdk.jar.disabledAlgorithms in the java.security file
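The following script is an added example for this post, not the author's own commands and not anything shipped by Oracle or the BMC vendors. It turns the procedure above into a few reusable shell functions and goes one step further in two ways: it removes only MD5 from jdk.jar.disabledAlgorithms (so MD2 and sub-1024-bit RSA stay disabled), and it offers an override file passed via -Djava.security.properties so the JRE's own java.security can stay untouched. It assumes a POSIX shell with sed and grep; jar_signature_uses_md5 additionally assumes unzip and openssl are installed, and whether javaws honours -J-Djava.security.properties on your version is something to verify (it is an assumption here). All paths and file names in the usage lines are placeholders.

```shell
#!/bin/sh
# Added example (not from the nixCraft post, not vendor tooling).
# Assumes: POSIX sh, sed, grep; unzip + openssl for jar_signature_uses_md5.
set -eu

# List every java.security file on the box. The browser plugin and Java Web
# Start may use a different JRE than the `java` on your PATH, so check them all.
find_java_security() {
    find / -name java.security -path '*/lib/security/*' 2>/dev/null || true
}

# Print the jdk.jar.disabledAlgorithms line from FILE (empty if absent).
jar_policy_line() {
    grep '^jdk\.jar\.disabledAlgorithms=' "$1" || true
}

# Remove only MD5 from the list in FILE. MD2 and "RSA keySize < 1024" remain
# disabled, unlike commenting the whole line out. A one-time .bak copy is kept
# beside the file so the change can be reverted once the BMC firmware is fixed.
reenable_md5_jar_signatures() {
    file=$1
    [ -e "$file.bak" ] || cp "$file" "$file.bak"
    tmp=$(mktemp)
    sed -e '/^jdk\.jar\.disabledAlgorithms=/s/MD5, *//' \
        -e '/^jdk\.jar\.disabledAlgorithms=/s/, *MD5 *$//' "$file" > "$tmp"
    cat "$tmp" > "$file"    # rewrite in place to keep ownership and mode
    rm -f "$tmp"
}

# Alternative that leaves the JRE's java.security alone: write an override file
# and point the JVM at it with -Djava.security.properties=FILE. The JRE reads
# it when security.overridePropertiesFile=true, which is the default.
write_override_file() {
    printf 'jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024\n' > "$1"
}

# Return 0 if the JAR's PKCS#7 signature block references MD5 (the case the
# Java error describes), 1 otherwise. `openssl asn1parse` prints algorithm
# OIDs by name, e.g. md5WithRSAEncryption, so a case-insensitive grep suffices.
jar_signature_uses_md5() {
    unzip -p "$1" 'META-INF/*.RSA' 'META-INF/*.DSA' 2>/dev/null \
        | openssl asn1parse -inform DER 2>/dev/null \
        | grep -qi 'md5'
}

# Usage (placeholders; JViewer.jar can be downloaded from the BMC's codebase):
#   find_java_security
#   jar_signature_uses_md5 JViewer.jar && reenable_md5_jar_signatures \
#     "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"
#   write_override_file "$HOME/ipmi.security"
#   javaws -J-Djava.security.properties="$HOME/ipmi.security" jviewer.jnlp
```

Check the JAR first: if jar_signature_uses_md5 returns 1, the applet is failing for some other reason and weakening the JAR policy will not help. Prefer the override file when the same JRE also runs other applications, since it scopes the relaxed policy to the one javaws invocation instead of the whole installation.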

The above procedure fixed my problem and I was able to open the local and remote IPMI/BMC consoles again:
Fig.03: I can access IPMI/BMC again

The long term solution

I think that in the long run the hardware vendors must fix their BMC/IPMI firmware, at minimum by re-signing the applet JARs with a current signature algorithm such as SHA256withRSA instead of MD5withRSA. Some vendors have already started shipping HTML5-based IPMI/BMC consoles, and an HTML5 client would end the Java browser plugin/applet hell for all of us.

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.
