Howdy folks. I recently replaced my single-socket hypervisors with Dell R710s, which I picked up at a good price in an auction on eBay. The firmware was really out of date on the iDRAC, Lifecycle Controller and BIOS, so I updated them. I tried to use the iDRAC Virtual Console to update the firmware on the server, but I was presented with an "Application Blocked by Java Security" message. This is familiar, as the older Supermicro motherboards have the same problem. I ended up updating the iDRAC, Lifecycle Controller, BIOS etc. by the manual method of connecting a monitor and keyboard and installing Ubuntu Server on a junk drive to apply the updates.
To install Java SE and Web Start, follow this guide: https://www.violetdragonsnetwork.co.uk/how-to-install-java-web-start-java-se-runtime-in-ubuntu-debian-linux/
Let's fix this and get the handy Virtual Console working with the latest Java, 1.8.0_301. The iDRAC version as of this guide is 2.92 (Build 05). Please make sure that you upgrade the iDRAC. Note that this guide is only for Linux.
When you log into the iDRAC via its IP address or internal domain name, click Launch in the Virtual Console Preview, download the viewer.jnlp file and open it, you will be greeted with the "Application Blocked by Java Security" box. To fix this we need to add the IP address in the Java Control Panel. On Linux this is jcontrol. To open the jnlp file on Linux run the following,
sudo javaws viewer.jnlp
To open the Java Control Panel on Linux we need to go to the directory where Java is installed. If you followed my guide, Java is installed in /opt/java,
cd /opt/java/jre1.8.0_301
ls
cd /opt/java/jre1.8.0_301/bin
Depending on the version you have installed, only the jre1.8.0_301 part of the path needs to be changed. The directory we need to go into is bin.
You should see that under /opt/java/jre1.8.0_301/bin there is jcontrol. This is the utility that opens the Java Control Panel. To open jcontrol run the following,
sudo ./jcontrol
Java Control Panel should pop up,
Now we need to go to the Security section -> Edit Site List and add the IP address of the iDRAC module. If you plan on using an internal domain name then I would recommend adding that as well as the IP.
After adding the IP of the iDRAC we can try opening the Virtual Console again, but you will notice another box come up with "Connection failed". This is because of the disabled algorithms in java.security.
We need to edit the java.security file. To access it we need to go to the lib/security directory,
cd /opt/java/jre1.8.0_301/lib/security
ls
We need to edit java.security,
sudo nano java.security
Look for the jdk.tls.disabledAlgorithms property. In nano, use Ctrl+W to search and Ctrl+Shift+V to paste,
In my Windows guide I completely hashed out (commented out) jdk.tls.disabledAlgorithms. The issue with this is that it re-enables every vulnerable algorithm on the list. This isn't a problem if the machine you are using is not connected to the internet and is only used in a management VLAN. Here, only remove RC4 from the list, because it is the only cipher that needs to be removed for the iDRAC6 on the R710 and R510 revision 2, i.e. R710 II, R510 II. If your server is revision 1, MD5withRSA also needs to be removed.
Example Revision II Dell R510, R710,
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Example Revision I Dell R510, R710,
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
As I only have Revision II servers, I am only going to remove RC4,
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DES, MD5withRSA, \
DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
Save and quit. Now try to access the Virtual Console. The command depends on the name of the file that is downloaded; I renamed mine to viewer.jnlp, so I use the following,
sudo javaws viewer.jnlp
You will see that the Virtual Console now works, but re-enabling some of the older security algorithms is a security risk. Here's what I recommend: put the iDRAC in a VLAN segmented from everything else, and either use a virtual machine running Linux that you only run whenever you need to use the console (or you can disable it on the fly), or have a dedicated management machine that sees no internet connection. Please don't expose the management interface to the public. For remote access I strongly recommend using a VPN.
I hope this guide helps you. If you have any questions, don't hesitate to comment below.
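To confirm that the edit removed only the entries this guide talks about (RC4, plus MD5withRSA on Revision I), here is an added example that is not part of the original guide. It parses java.security, including the backslash line continuations, and reports which entries are missing from jdk.tls.disabledAlgorithms. The baseline list is an assumption built by combining the two example lines above, and the function names are hypothetical.

```python
# Added example: audit an edited java.security against the entries shown in this guide.
import re

KEY = "jdk.tls.disabledAlgorithms"
# Assumed baseline: the guide's two example lines combined into one list.
BASELINE = ["SSLv3", "TLSv1", "TLSv1.1", "RC4", "DES", "MD5withRSA",
            "DH keySize < 1024", "EC keySize < 224", "3DES_EDE_CBC",
            "anon", "NULL", "include jdk.disabled.namedCurves"]
# Removals the guide describes for iDRAC6 (RC4; on Revision I also MD5withRSA).
EXPECTED = {"RC4", "MD5withRSA"}

def disabled_algorithms(text):
    """Return the active entries of KEY, or None if it is absent or commented out."""
    logical, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith(("#", "!"))):
            continue                      # blank line or comment
        if line.endswith("\\"):           # value continues on the next line
            pending += line[:-1]
            continue
        logical.append(pending + line)
        pending = ""
    value = None
    for entry in logical:
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", entry)
        if m and m.group(1) == KEY:
            value = m.group(2)            # a later definition overrides an earlier one
    if value is None:
        return None
    return [" ".join(a.split()) for a in value.split(",") if a.strip()]

def audit(text):
    """Compare the file with BASELINE; return (removed, unexpected)."""
    active = disabled_algorithms(text)
    if active is None:                    # whole property commented out: nothing is disabled
        return list(BASELINE), [a for a in BASELINE if a not in EXPECTED]
    removed = [a for a in BASELINE if a not in active]
    return removed, [a for a in removed if a not in EXPECTED]

# Constructed sample: the Revision II line from this guide under a made-up comment.
SAMPLE = """# Algorithm restrictions for TLS (constructed excerpt)
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \\
    include jdk.disabled.namedCurves
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check a real install, read /opt/java/jre1.8.0_301/lib/security/java.security and pass its contents to audit(); anything in the second list was removed beyond what the iDRAC6 needs.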
Michal says:
Thanks Jack! It helped me a lot when troubleshooting iDRAC6 jnlp console issue.
In my case removing RC4 algorithm (from disabled) helped.
Jack Bamford says:
You're welcome, glad it helped you. Thanks for the comment.