[Linux-PowerEdge] older IDRAC's

john lists at cloned.org.uk
Fri Sep 9 03:35:50 CDT 2016


On Tue, 5 Apr 2016, john wrote:

> iDRAC6 works fine on latest Java (8u77) / Windows 7 here. You need to add the 
> URL of the DRAC to the Java exception list though in control panel, or edit 
> this file: 
> C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\security\exception.sites
>
> DRAC5 Java console also uses SSLv3 which is disabled by default in newer Java 
> versions. You will also need to re-enable it again by editing the file:
> C:\Program Files\Java\%java_version%\lib\security and commenting out this 
> line with a # at the start:
>
> jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
>
> Bear in mind this might leave you vulnerable to SSL vulnerabilities if you 
> access untrusted Java content. You will also need to redo this every time 
> there is a Java update as it installs new files in a different version 
> directory.

I have started having SSL issues again on some of the DRACs and finally 
found the solution to this again, which I thought I'd share. This would 
affect some DRAC5 and iDRAC6 but not all of them. It took a while to figure 
this one out, but it's down to Java SSL again. On connecting to the remote 
console from the iDRAC, Java would throw out this error:

"Error when reading from ssl socket connection"

I verified that we had commented out the disabledAlgorithms in 
java.security and that the IP/hostname was in the exceptions list.

It looks like some of the DRACs have an older SSL certificate, signed by an 
older chain, that is being rejected by Java. The Java console logged:

javax.net.ssl.SSLHandshakeException: 
java.security.cert.CertificateException: Certificates does not conform to 
algorithm constraints

To fix this I had to comment out both of these lines:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

in java.security located at:

C:\Program Files\Java\%java_version%\lib\security\java.security

I guess this could also be fixed by updating your SSL cert+chain to a 
newer one but I've had issues trying to do that before.

This will leave your Java vulnerable to some weak SSL issues, but I'd 
recommend you run a machine/VM purely for DRAC access if possible to avoid 
this issue.

john
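Added example, not John's code and not anything shipped by Dell or Oracle: a small Python helper that performs the java.security edit described above (commenting out jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms, keeping a .bak copy) and, as an alternative, writes a separate override file that is handed only to the DRAC console launch via "javaws -J-Djava.security.properties=<file>", so the global java.security stays intact and the file survives Java updates. The sample java.security contents in the test are constructed; the file names, the jre1.8.0_77 path and console.jnlp are assumptions about your machine.

```python
"""Helper for the DRAC5/iDRAC6 Java console SSL workaround.

Two ways to apply the relaxed algorithm constraints:
  1. relax_file(): the edit from the post, comments out
     jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms in
     java.security (global, must be redone after every Java update).
  2. override_properties(): a separate properties file that empties those
     two lists, passed only to the DRAC console launch with
     javaws -J-Djava.security.properties=<file>, so the rest of the JRE
     keeps its defaults.
"""
import shutil
import sys
from pathlib import Path

# The two security properties named in the post.
RELAXED_PROPERTIES = (
    "jdk.tls.disabledAlgorithms",
    "jdk.certpath.disabledAlgorithms",
)


def _property_name(line):
    """Key of a 'key=value' line, or None for comment/blank lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", "!")):
        return None
    return stripped.split("=", 1)[0].strip()


def relax_java_security(text):
    """Return java.security contents with the two properties commented out.

    Idempotent: already-commented lines are untouched. Newer java.security
    files split the value over several lines with a trailing backslash;
    those continuation lines are commented out as well.
    """
    lines = text.splitlines()
    out = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if _property_name(line) in RELAXED_PROPERTIES:
            out.append("#" + line)
            # A Java property value continues on the next line after '\'
            while line.rstrip().endswith("\\") and i + 1 < len(lines):
                i += 1
                line = lines[i]
                out.append("#" + line)
        else:
            out.append(line)
        i += 1
    result = "\n".join(out)
    return result + "\n" if text.endswith("\n") else result


def override_properties():
    """Contents of an override file: an empty list disables nothing.

    Relies on security.overridePropertiesFile=true in the JRE's own
    java.security, which is the shipped default.
    """
    return "".join(f"{name}=\n" for name in RELAXED_PROPERTIES)


def javaws_command(override_file, jnlp):
    """javaws invocation that applies the override to this launch only.

    -J passes the option through to the JVM that runs the console.
    """
    return ["javaws", f"-J-Djava.security.properties={override_file}", jnlp]


def relax_file(java_security):
    """Apply the edit in place, keeping a .bak copy. Returns True if changed."""
    path = Path(java_security)
    original = path.read_text(encoding="utf-8")
    relaxed = relax_java_security(original)
    if relaxed == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(relaxed, encoding="utf-8")
    return True


if __name__ == "__main__":
    # Usage (paths are assumptions, adjust for your JRE and DRAC):
    #   python drac_java_ssl.py "C:\Program Files\Java\jre1.8.0_77\lib\security\java.security"
    #   python drac_java_ssl.py --override drac.properties
    if len(sys.argv) == 3 and sys.argv[1] == "--override":
        Path(sys.argv[2]).write_text(override_properties(), encoding="utf-8")
        print(" ".join(javaws_command(sys.argv[2], "console.jnlp")))
    elif len(sys.argv) == 2:
        print("changed" if relax_file(sys.argv[1]) else "already relaxed")
    else:
        print(__doc__)
```

The override route keeps the weakened TLS and certificate-path constraints confined to the one JVM that runs the DRAC console instead of every Java program on the box, which is the same isolation John recommends with a dedicated machine, just at the process level.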
