SuperMicro, IPMI, and Java
We’ve been so dependent on SuperMicro for so long that I don’t even know where to start on this.
SuperMicro’s IPMI controllers have long required unsigned Java WebStart applets. Basically, if you don’t configure your browser to stand outside stark naked with a downward-pointing arrow on its back labelled «enter here» you won’t be getting console access to your SuperMicro servers.
Against any sort of rationality, they’re not phasing this stuff out, they’re making it worse. The latest batch of servers we ordered has moved the console preview functionality from a simple dynamically-generated JPEG to yet another unsigned Java webstart app that sits on the IPMI home page and tries to auto-run every time it is loaded.
Worse yet, among the many Java warnings that are generated every time a console is generated is one that says that future versions of Java will no longer support these types of unsigned apps at all because they’re so insecure. So pretty soon we will not only have to use poorly-configured clients to access these consoles, we will have to let them fall out of date with security patches as well.
Obviously there are workarounds to this, running the web client in a virtual machine that only talks on a VPN, etc. But it seems like every new release of their firmware increases the number of workaround steps to the point where it can now take 10+ minutes to get remote access to the console of a server. Which is an automatic +10 minutes to any unplanned downtime that winds up needing console access to resolve.
The latest F-U: If you want to try to access a console on the latest SuperMicro IPMI from a Mac, please make sure you have X11 installed and running. Why? Just because.
We’ve approached SuperMicro about this on two occasions, and they are completely disinterested. They don’t see any of this as a problem and state that keeping old, un-updated machines around is the recommended solution. They have no roadmap for moving to anything better. Maybe not surprising for a company that still expects you to build custom DOS boot images for every BIOS update.
So, rant aside, my question is this: does SuperMicro even have any competitors anymore? Preferable ones with a better solution to this? Dell seems to be on the ropes (and last I heard their DRAC was either Windows-only or just as bad), and the twice-the-price premium for equivalent hardware from HP/IBM is not in our budget.
Introduction
This guide details howto adjust your Java settings to allow remote connection to Supermicro IPMI remote console.
Identify what Java version you have installed.
You will first need to identify which version(s) of java you have installed on your computer. To do this you will have to look for a folder called Java that will either be located at C:\Program Files (x86)\Java or C:\Program Files\Java. This folder should contain a number of sub-folders listing the versions of java that are installed on your computer. In the screenshot below only one Java version installed but you may have multiple installations starting with jre or jdk.
Editing the Java Security File
1) For each installation folder you will have to edit its corresponding java.security file.
To do this first open the start menu, search for notepad then right click and select run as admin.
2) From notepad now select file then open and open the java.SECURITY file for the first java installation. If it’s a jre install the file location will look something like: C:\Program Files (x86)\Java\jre1.8.0_311\lib\security\java.SECURITY, otherwise if its a jdk install it may look like C:\Program Files (x86)\Java\jre1.8.0_311\conf\security\java.SECURITY
3) Find the line that starts with jdk.tls.disabledAlgorithms (This is best done with the find tool) and remove all entries on the line that contains “TLS”. After you’ve made the change it should look something like this, make surethat there is still a comma and then a space between the other entries on this line.
4) Save the file. If you get an error here it’s probably because you didn’t open notepad as admin.
5) Repeat steps 3 to 5 with each java install on your computer.
Editing the Java Security Settings
1) In the start menu search for “Configure Java” and open the Configure Java app
2) Select the Advanced tab on the right then scroll down to the bottom then ensure all versions of TLS are selected
Adding an exception for the website/IP within Java
1) In the start menu search for “Configure Java” and open the Configure Java app
2) Select the Security tab and then select Edit Site List…
3) You should now be able to type in your website/IP address. Make sure to include the full address, including the https:// protocol and select Add. It is advised to repeat the process with http:// as well.
The Super Micro IPMI Console + Java are killing me
I don’t know if it’s Java or the Super Micro IPMI developers to blame, or both. One thing is for sure – I rarely need it, but almost each time I want to use the server-critical “Console Redirection” feature on our Super Micro servers, there is some problem with the Java applet. Thus I’m not able to access the remote console of the server quickly, which in turn gets me real headache.
Today, it’s the “Launch Console” button doing absolutely nothing on my Kubuntu desktop – no errors, no action after clicking it, no nothing. I (always) have a “backup option” – a Windows 7 virtual machine running on my desktop, as Java tends to work better for me on Windows (cross-platform, eh?). Same problem on the Windows too. As I’m a real paranoid about having a backup, I have a backup of the “backup option” – X over VNC, running on
some not-so-bleeding-edge Linux machines, in order to have a “stable” Java installation there. Though the Java failed on them today as well, as they are running Debian “lenny”, which seems to be having the latest Java version 1.6.20 too.
Well… sorry Java applets + Super Micro IPMI, you really disappoint me!
27/Mar/2012: Resolution: Use the IPMIView application which does not rely on web browsers. Tested with Java Version 6 Update 31 (build 1.6.0_31) on Windows 7. Note that IPMIView does not provide a KVM console for older versions of the Super Micro IPMI devices — the good news is that those devices work well within a web browser. 🙂
The (ugly) fix is to downgrade your Java to 1.6.19 (and disable automatic Java updates):
http://www.webhostingtalk.com/showthread.php?t=953055
Update #1: I downgraded to Java 1.6.19 on my Windows 7 by:
- Uninstalling the Java 1.6.20 JRE update.
- Installing the Java 1.6.19 JRE update which I downloaded from the “Archive: Java[tm] Technology Products Download” page.
- Being able to get this working only with Chrome. Firefox and IE 8 failed to work.
Update #2: Linux doesn’t seem to be having any problems. Firefox 3.6.3 on Ubuntu and Gentoo with Sun Java 1.6.20 works fine.
Update #3: If you upgrade the IPMI firmware to version 2.02, the Windows problem is fixed.
Here is some debug info from the Debian “lenny” Iceweasel browser, the only one which issued an error:
Unable to launch ATEN Java iKVM Viewer.
An error occurred while launching/running the application.Title: ATEN Java iKVM Viewer
Vendor: ATEN
Category: Download ErrorUnable to load resource: (https://%IP%/iKVM.jar, 1.56.3.0×0)
Wrapped Exception: java.io.IOException: HTTP response 404.
At the same time, the Java test page works fine. The version on the Debian “lenny” “sun-java6-jre” package is “6-20-01lenny1” (Java JRE 1.6.20).
The same problem is re-produced on:
- Windows 7, running Java 1.6.20, under IE 8, Firefox 3.6.3 and Chrome 5.0.375.99.
- Kubuntu Lucid, running OpenJDK 6 build b18, under Firefox 3.6.3.
The Firmware Revision of the IPMI interface on the X8DTL motherboard is 01.29, dated 2010-01-06. It’s not the latest one, but surely not a very old one. After all, you can’t reboot your production servers for every IPMI firmware release…
Anyway, I try not to write articles with negative attitude, but this time I just couldn’t resist.
Java, Java, Java… 🙂
supermicro ipmi
подскажите как работать с этим чудо продуктом?
дали доступ и задачу-переустановить систему
ipmi требует java, пробовал на линукс, винде 7,хр но везде хочет джаву
пытался поставить джаву на винду но она совсем не ставится
пробовал ipmiview но там не нахожу консоль переустановки
А что значит java совсем не ставится? А так ну как бы нужна она естественно. Причём ещё наверняка нужно будет добавлять в доверенные адрес сервера.
Оно работает просто как kvm — то есть, просто ты видишь консоль системы через сеть, включая экраны биоса. То есть, перезагружаешь, жмешь Del (или F2, по обстоятельствам) — попадаешь в биос. Также при загрузке надо внимательно смотреть на сообщения, говорящие какую комбинацию клавиш надо нажать, что бы попасть в настройки raid-контроллера (если есть).
Более-менее свежие реализации ipmi умеют подрубать виртуальные загрузочные флешки или iso через сеть. То есть, где-то в веб-интерфейсе подрубаешь загрузочную флешку/диск, перезагружаешься, и вперед. Имеет смысл искать самый-самый минимальный загрузочный образ, потому что через сеть оно работает печально.
И да, и родной web-интерфейс, и ipmiview требуют жабу. Причем, возможно, какой-то определенной версии (жаба же, она вся такая из себя обратносовместимая, ага).
ipmi жаба не нужна. ipmi нужен ipmitool
А если на том сервере линкус, то и SOL можно использовать (из ipmitool).
жаба нужна только для ip-kvm.
А какие проблемы с жабой ? Распаковал ее в отдельный каталог, в пути ее добавил, да JAVA_HOME прописал.
Ну и потом в браузере для выполнения .jnl указать указать javaws
нажимаю в попапе ок обновить жабу и ничего
в хр скачивал пакеты с java.com но не запускаются
в вин7 скачал,установил но не помогло
После установки на вин7, что пишет когда лезеш в управлялку? Плюс, каким браузером, плюс посмотреть, и добавить в секьюрити явы адрес этого сервера.
просит опять обновить жабу
использую хром