Like any good sysadmin, I kept my servers and desktop side up to date and patched all the time. However, recent Java updates have broken my IPMI KVM Java Applets on Dell, IBM, HP, Supermicro and FreeNAS mini servers. You will get an error that read as follows:


Unsigned application requesting unrestricted access to system. The following resource is signed with a weak signature algorithm MD5withRSA and is treated as unsigned.

The error continues as follows:

<?xml version="1.0" encoding="UTF-8"?>
<jnlp spec="1.0+" codebase="">
        <vendor>American Megatrends, Inc.</vendor>
        <description kind="one-line">JViewer Console Redirection Application</description>
        <description kind="tooltip">JViewer Console Redirection Application</description>
        <description kind="short">
            JViewer enables a user to view the video display of managed server via KVM.  
            It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
        <j2se version="1.5+"/>
        <jar href="release/JViewer.jar"/>
        <j2se version="1.5+"/>
        <jar href="release/JViewer-SOC.jar"/>
    <resources os="Windows" arch="x86">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Win32.jar"/>
    <resources os="Windows" arch="amd64">
           <j2se version="1.5+"/>
           <nativelib href="release/Win64.jar"/>
    <resources os="Linux" arch="x86">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_32.jar"/>
    <resources os="Linux" arch="i386">
    	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_32.jar"/>
	<resources os="Linux" arch="x86_64">
	 	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_64.jar"/>
	<resources os="Linux" arch="amd64">
	 	<j2se version="1.5+"/>
    	<nativelib href="release/Linux_x86_64.jar"/>
    <resources os="Mac OS X" arch="i386">
	<j2se version="1.5+"/>
	<nativelib href="release/Mac32.jar"/>
    <resources os="Mac OS X" arch="x86_64">
	<j2se version="1.5+"/>
	<nativelib href="release/Mac64.jar"/>
Fig.01: BMC/IPMI KVM Java Applets broken with Java  Security Update

Fig.01: BMC/IPMI KVM Java Applets broken with Java Security Update

MD5 added to jdk.jar.disabledAlgorithms Security property

Oracle added a new restriction on how MD5 signed JAR files are verified:

This JDK release introduces a new restriction on how MD5 signed JAR files are verified. If the signed JAR file uses MD5, signature verification operations will ignore the signature and treat the JAR as if it were unsigned. This can potentially occur in the following types of applications that use signed JAR files:

Applets or Web Start Applications
Standalone or Server Applications that are run with a SecurityManager enabled and are configured with a policy file that grants permissions based on the code signer(s) of the JAR file.

The list of disabled algorithms is controlled via the security property, jdk.jar.disabledAlgorithms, in the file. This property contains a list of disabled algorithms and key sizes for cryptographically signed JAR files.


You need to find a file named and comment out the jdk.jar.disabledAlgorithms line, from:

jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

On Linux/macOS and Unix-like system one can use the find command as follows to locate file named
$ sudo find / -iname
$ locate
On my macOS I found file at the following locations and edited out the vim command $ sudo vi /Library/Internet\ Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/
All You have to do is comment out the line as follows:

Fig.02: Configuring jdk.jar.disabledAlgorithms, in the file

Fig.02: Configuring jdk.jar.disabledAlgorithms, in the file

The above procedure fixed my problem and I was able to open local and remote IPMI/BMC console:
Fig.03: I can access IPMI/BMC again

Fig.03: I can access IPMI/BMC again

The long term solution

I think in the long run, the hardware vendor must fix their BMC/IPMI firmware. Some vendors started to support HTML 5 based IPMI/BMC clients. The HTML5 client would replace Java Browser based plugins/Applet hell for all of us.

🥺 Was this helpful? Please add a comment to show your appreciation or feedback.

nixCrat Tux Pixel Penguin
Hi! 🤠
I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

2 comments… add one
  • Scott Dec 14, 2017 @ 18:52

    how do you comment it out?

  • Scott Dec 15, 2017 @ 0:09

    or how do save your changes?

Leave a Reply

Your email address will not be published. Required fields are marked *

Use HTML <pre>...</pre> for code samples. Your comment will appear only after approval by the site admin.