Like any good sysadmin, I kept my servers and desktop side up to date and patched all the time. However, recent Java updates have broken my IPMI KVM Java Applets on Dell, IBM, HP, Supermicro and FreeNAS mini servers. You will get an error that read as follows:

Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned.

The error continues as follows:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="">
        <vendor>American Megatrends, Inc.</vendor>
        <description kind="one-line">JViewer Console Redirection Application</description>
        <description kind="tooltip">JViewer Console Redirection Application</description>
        <description kind="short">
            JViewer enables a user to view the video display of managed server via KVM.  
            It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
        <j2se version="1.5+"/>
        <jar href="release/JViewer.jar"/>
        <j2se version="1.5+"/>
        <jar href="release/JViewer-SOC.jar"/>
    <resources os="Windows" arch="x86">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Win32.jar"/>
    <resources os="Windows" arch="amd64">
           <j2se version="1.5+"/>
           <nativelib href="release/Win64.jar"/>
    <resources os="Linux" arch="x86">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_32.jar"/>
    <resources os="Linux" arch="i386">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_32.jar"/>
	<resources os="Linux" arch="x86_64">
	 	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_64.jar"/>
	<resources os="Linux" arch="amd64">
	 	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_64.jar"/>
    <resources os="Mac OS X" arch="i386">
	<j2se version="1.5+"/>
	<nativelib href="release/Mac32.jar"/>
    <resources os="Mac OS X" arch="x86_64">
	<j2se version="1.5+"/>
	<nativelib href="release/Mac64.jar"/>

Fig.01: BMC/IPMI KVM Java Applets broken with Java Security Update

MD5 added to jdk.jar.disabledAlgorithms Security property

Oracle added a new restriction on how MD5 signed JAR files are verified:

This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

Applets or Web Start Applications
Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.


You need to find a file named and comment out the jdk.jar.disabledAlgorithms line, from:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

On Linux/macOS and Unix-like system one can use the find command as follows to locate file named
$ sudo find / -iname
$ locate
On my macOS I found file at the following locations and edited out the vim command $ sudo vi /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/
All You have to do is comment out the line as follows:

Fig.02: Configuring jdk.jar.disabledAlgorithms, in the file

The above procedure fixed my problem and I was able to open local and remote IPMI/BMC console:

Fig.03: I can access IPMI/BMC again

The long term solution

I think in the long run, the hardware vendor must fix their BMC/IPMI firmware. Some vendors started to support HTML 5 based IPMI/BMC clients. The HTML5 client would replace Java Browser based plugins/Applet hell for all of us.

🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 2 comments so far... add one

CategoryList of Unix and Linux commands
Disk space analyzersdf ncdu pydf
File Managementcat tree
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network UtilitiesNetHogs dig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04
2 comments… add one
  • Scott Dec 14, 2017 @ 18:52

    how do you comment it out?

  • Scott Dec 15, 2017 @ 0:09

    or how do save your changes?

Leave a Reply

Your email address will not be published.

Use HTML <pre>...</pre> for code samples. Still have questions? Post it on our forum