ASRock IPMI - cannot open JViewer due to weak signature algorithm

OK, so I have owned an ASRock C2750D4I for quite a while now and I'm pretty happy with it so far (except for the whole CPU drama...), but for a few weeks now I haven't been able to use the IPMI Remote Viewer anymore.

When launching the Application I get this:

Now I see this is a mixed issue, on the one hand the application itself, on the other hand apparently Java since it used to work just fine. After a Java Update a few weeks ago (I guess) the application won't start anymore since it is considered unsafe, this is the exception:

JNLPException[category: Security Error : Exception: null : LaunchDesc: 
<jnlp spec="1.0+" codebase="http://192.168.0.201:80/Java">
  <information>
    <title>JViewer</title>
    <vendor>American Megatrends, Inc.</vendor>
    <description kind="one-line">JViewer Console Redirection Application</description>
    <description kind="tooltip">JViewer Console Redirection Application</description>
    <description kind="short">
            JViewer enables a user to view the video display of managed server via KVM.  
            It also enables the user to redirect his local keyboard, mouse for managing the server remotely.
        </description>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="release/JViewer.jar"/>
  </resources>
  <resources>
    <j2se version="1.5+"/>
    <jar href="release/JViewer-SOC.jar"/>
  </resources>
  <resources os="Windows" arch="x86">
    <j2se version="1.5+"/>
    <nativelib href="release/Win32.jar"/>
  </resources>
  <resources os="Windows" arch="amd64">
    <j2se version="1.5+"/>
    <nativelib href="release/Win64.jar"/>
  </resources>
  <resources os="Linux" arch="x86">
    <j2se version="1.5+"/>
    <nativelib href="release/Linux_x86_32.jar"/>
  </resources>
  <resources os="Linux" arch="i386">
    <j2se version="1.5+"/>
    <nativelib href="release/Linux_x86_32.jar"/>
  </resources>
  <resources os="Linux" arch="x86_64">
    <j2se version="1.5+"/>
    <nativelib href="release/Linux_x86_64.jar"/>
  </resources>
  <resources os="Linux" arch="amd64">
    <j2se version="1.5+"/>
    <nativelib href="release/Linux_x86_64.jar"/>
  </resources>
  <resources os="Mac OS X" arch="i386">
    <j2se version="1.5+"/>
    <nativelib href="release/Mac32.jar"/>
  </resources>
  <resources os="Mac OS X" arch="x86_64">
    <j2se version="1.5+"/>
    <nativelib href="release/Mac64.jar"/>
  </resources>
  <application-desc>
    <argument>-apptype</argument>
    <argument>JViewer</argument>
    <argument>-hostname</argument>
    <argument>192.168.0.201</argument>
    <argument>-kvmtoken</argument>
    <argument>eOpwCzlDLiArCAE8</argument>
    <argument>-kvmsecure</argument>
    <argument>0</argument>
    <argument>-kvmport</argument>
    <argument>80</argument>
    <argument>-vmsecure</argument>
    <argument>0</argument>
    <argument>-cdstate</argument>
    <argument>1</argument>
    <argument>-fdstate</argument>
    <argument>1</argument>
    <argument>-hdstate</argument>
    <argument>1</argument>
    <argument>-cdnum</argument>
    <argument>1</argument>
    <argument>-fdnum</argument>
    <argument>1</argument>
    <argument>-hdnum</argument>
    <argument>1</argument>
    <argument>-userpriv</argument>
    <argument>4</argument>
    <argument>-lang</argument>
    <argument>EN</argument>
    <argument>-websecureport</argument>
    <argument>443</argument>
    <argument>-singleportenabled</argument>
    <argument>1</argument>
    <argument>-webcookie</argument>
    <argument>E5wSwf5NbjIozSinMlcUVAmgTQJgXJPH000</argument>
  </application-desc>
</jnlp> ]
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResourcesHelper(Unknown Source)
	at com.sun.javaws.security.JNLPSignedResourcesHelper.checkSignedResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareAllResources(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.prepareToLaunch(Unknown Source)
	at com.sun.javaws.Launcher.launch(Unknown Source)
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

I already updated the BMC in the hopes it would update the viewer alongside it, unfortunately that is not the case and there doesn't seem to be any other way of updating the viewer.

Because of this I have tried getting the viewer to run despite the security warning, but I can't get it to work. I tried only downloading the Win32.jar and opening this, but that didn't work.
I also tried setting the security settings and clearing Java Cache, that didn't work either.

The security settings look like this:

Never mind all 3 addresses, I just tried things out, but none would work.
This is something I could find regarding (apparently) the same issue, but since those are the steps I took, this didn't work either.

So long story short, any idea how I can circumvent that security warning and force start the viewer? At least until the application is updated... Which may take some time unfortunately... I don't exactly want to install an old Java version because... you know... Java.

Thanks in advance.
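A diagnostic for the "weak signature algorithm" in the thread title, added here as an example (not part of the original post and not vendor code): it lists the digest algorithms named in a JAR's `META-INF/MANIFEST.MF` and `.SF` files and flags weak ones. The `WEAK` set, the function names and the sample JAR are assumptions constructed for illustration; the signature block itself (`.RSA`/`.DSA`) is not parsed.

```python
import io
import re
import zipfile

# Assumption: digest names treated as weak; adjust to your JRE's policy.
WEAK = {"MD2", "MD5"}
# Matches e.g. "SHA-256-Digest" or "MD5-Digest-Manifest" and captures the algorithm.
DIGEST_ATTR = re.compile(r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?$")

def digest_algorithms(jar_bytes):
    """Map each manifest/.SF file under META-INF to the digest algorithms it names."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not (upper == "META-INF/MANIFEST.MF" or
                    (upper.startswith("META-INF/") and upper.endswith(".SF"))):
                continue
            algs = set()
            for line in jar.read(name).decode("utf-8", "replace").splitlines():
                # Continuation lines start with a space and carry no attribute name.
                if line.startswith(" ") or ":" not in line:
                    continue
                match = DIGEST_ATTR.match(line.split(":", 1)[0].strip())
                if match:
                    algs.add(match.group(1).upper())
            found[name] = algs
    return found

def weak_findings(jar_bytes):
    """Return {file: [weak algorithms]} for signature metadata using a weak digest."""
    return {f: sorted(a & WEAK)
            for f, a in digest_algorithms(jar_bytes).items() if a & WEAK}

def build_sample_jar(alg):
    """Constructed sample input: a tiny JAR whose manifest and .SF use digest `alg`."""
    entry = f"Name: com/example/App.class\r\n{alg}-Digest: Y29uc3RydWN0ZWQ=\r\n\r\n"
    manifest = "Manifest-Version: 1.0\r\n\r\n" + entry
    sig = f"Signature-Version: 1.0\r\n{alg}-Digest-Manifest: Y29uc3RydWN0ZWQ=\r\n\r\n" + entry
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SAMPLE.SF", sig)
    return buf.getvalue()

if __name__ == "__main__":
    for alg in ("MD5", "SHA-256"):
        print(alg, weak_findings(build_sample_jar(alg)))
```

To inspect a real file, pass its bytes, e.g. `weak_findings(open("JViewer.jar", "rb").read())` on a copy downloaded from the BMC.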

When using IPMI just install a Linux VM for using it. You could also try adding the https://192.168.0.201 to a security rule.

Mh.... suppose I could do that, but that's a lot of steps for something as simple as accessing another machine...

Is there no way to make that site exception list work? If it's there, there should be a way to make it work, no?

I also tried adding the https version to the site exceptions, didn't work either though :frowning:

They really should have fixed this in the latest BMC build.

Soooo...... I temporarily don't need to worry about the issue anymore, because guess what... my second board just fried ...

After 9(?) months since I got the replacement, and I didn't even run it under load this time :frowning: On the first board I had Folding@Home running 24/7, after the news about the "issues" came out I stopped the folding, now it's dead again ... kinda frustrating... guess I need a new board (again), hopefully this time I get a replacement with the implemented "fix" from Intel... tho not sure if this board even has a revision with the "fixed" CPUs...

yeah that was my thought, but an update didn't help :frowning:

I have not dared to restart it ever since - hope my UPS will always hold long enough XD

It's not about the restart.
When it happens the system freezes/hangs/shuts down/whatever (I can't check because... yeah well, see above) and is unreachable (RDP/ping/whatever doesn't work). After that you can only try to restart, but it won't work (if it's actually dead and the system didn't just hang).

It's not the restarts that kill it, it's actually the working part that kills it because the clock generator dies.

The only way you're guaranteed it won't die is turning it off and putting it in the closet. And even then... who knows, maybe it'll die of boredom ¯\_(ツ)_/¯

Ah ok, had that part misunderstood then; I thought the dead clockgen is only a problem at the early initialisation (after a re- or coldboot). Thanks for correcting me :slight_smile:

By the way when this happens, on this particular board the sensor readouts in the IPMI go totally haywire.

When the system just hangs and is unreachable (before the restart) everything is green. I tried doing a power off (first orderly shutdown, where the OS didn't respond, then an immediate, got an error too), then a reset. With the reset it shut down immediately, then the fans started spinning 100% and I received 3 new errors in the console:

From that moment on the board is dead. It's not an overheating issue though (my CPU never went over 40° regularly, and not over 60° while folding, and on the first board it was 120°), because every time you separate the power connection, drain capacitors and reconnect, and then try to boot... it's fine again, but some other "critical" error pops up (on my first board it was an "empty" BIOS battery). So yeah... time to get a replacement again I guess.

Ouch - I have had that already; was surprised as this was my first ever empty CMOS battery O.o (in 20+ years with PCs) but swapping for a new one saved it for me so far.

Yeah the "empty" BIOS battery was the only thing that didn't change on the first board, so I swapped it, and it was green again, but after second try it was "empty" again so.. yeah :slight_smile: You're lucky if it's still working :smiley:

The only issue I have is that I don't know if this particular board has a new revision with the revised CPU stepping... because I'm not really in the mood of getting a third board that'll fry again in 6 months :confused:

From - the little - I found online, it has not; Is there actually a revised (bugfixed) stepping of that SOC?

Supposedly yes. Though I'm not sure if it is in manufacturing already. They did announce there would be one, but I haven't followed it too much to be honest.

Considering they made quite some reserves for this issue I would imagine they are already on it or already manufactured though. Those things are not just in storage servers after all. The first company to really bring this issue up was Cisco because they are using it in routers and such.. and if they fail, could be really costly for Intel.
