TechCenter Blogs

iDRAC7 Virtual Console - Enhanced security checks in the Integrated Dell Remote Access Controller


This post was written by Murali Somarouthu of the Enterprise Remote Management Firmware team

In response to customer feedback, Dell has provided an extra level of certificate security checking in the iDRAC7 when using the virtual console. This feature is new in iDRAC7 firmware, and some customers might encounter an error when trying to launch the iDRAC7 (firmware versions v1.06.06 and below) virtual console through the Java plug-in. This blog addresses virtual console launch failures and possible solutions for the new security feature, as well as configuration setup issues.

This blog contains two sections, one for security related launch issues and another for general issues.

  

Section 1:  Certificate related issues

The information below provides the steps necessary to check and correct the certificate location so that customers can take full advantage of the added security check Dell has in place. To launch Virtual Console successfully (through the Java plug-in), the user home directory must be configured properly on both Windows and Linux management clients.

If you are not able to launch virtual console because of a non-default user home, please use the following instructions:

On Windows Client

Check if the user home is non-default (default is c:\Users\<NAME> on Windows). 

Run the following commands

reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders" /v "Desktop"

You should see output like:

Desktop    REG_SZ    C:\temp\MyHome\Desktop

Now run

echo %USERPROFILE%\Desktop

If the outputs are not the same, then your user home is non-default. In that case, run the following command to copy the certificates to the certificate store under the non-default home.

copy "%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\Security\trusted.*" "<NON_DEFAULT_HOME>\AppData\LocalLow\Sun\Java\Deployment\Security\*"

Now you should be able to launch virtual console.

On Linux Client

On some Linux installations, because of Java OpenJDK (based on IcedTea), the certificate store is in a different location. If there is no trusted.certs file under ~/.java/deployment/security and there are ~/.icedtea/security/trusted.* files, then run the following commands.

  • mkdir -p ~/.java/deployment/security
  • cp ~/.icedtea/security/trusted.* ~/.java/deployment/security
  • Launch virtual console now

Also, the default home directory on Linux is /home/<user_name>. Sometimes this is an NFS mount or a remote file system, and the user does not have permission to create ~/.java/deployment/security under it. Change or obtain permissions on the folder and create it using the command 'mkdir -p ~/.java/deployment/security'.
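The Linux steps above, including the permission problem on NFS or remote homes, can be wrapped in one check. This is an added example, not Dell's code: sync_trust_store is a hypothetical helper name, and the umask is an added precaution that is not part of the original steps.

```shell
#!/bin/sh
# Added example: seed the Java plug-in trust store from the IcedTea one.
# sync_trust_store is a hypothetical name; $1 is the home directory to use.
# Returns 0 = store present or copied, 1 = nothing to copy, 2 = cannot write.
sync_trust_store() {
    home_dir=${1:-$HOME}
    src_dir="$home_dir/.icedtea/security"
    dst_dir="$home_dir/.java/deployment/security"

    # Nothing to do when the plug-in store already has trusted.certs.
    if [ -f "$dst_dir/trusted.certs" ]; then
        echo "ok: $dst_dir/trusted.certs already present"
        return 0
    fi

    # The copy only applies when IcedTea left trusted.* files behind.
    found=0
    for f in "$src_dir"/trusted.*; do
        if [ -f "$f" ]; then
            found=1
            break
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "skip: no trusted.* files in $src_dir" >&2
        return 1
    fi

    # On an NFS or read-only home the mkdir fails; report that instead of
    # continuing. umask 077 keeps the new trust store private to the user
    # (an added precaution, not a step from the post).
    if ! (umask 077 && mkdir -p "$dst_dir") 2>/dev/null || [ ! -w "$dst_dir" ]; then
        echo "error: cannot create or write $dst_dir (check permissions)" >&2
        return 2
    fi

    cp -p "$src_dir"/trusted.* "$dst_dir"/ || return 2
    echo "copied trusted.* from $src_dir to $dst_dir"
    return 0
}
```

Source the file and call sync_trust_store "$HOME" before launching the virtual console; a return code of 2 corresponds to the permission case described above.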

Section 2: Other possible problems

Possible problem 1:  Proxy setup in Browser will not allow virtual console connection

Solution:

Open the Java Control Panel by selecting Start -> Control Panel -> Java (on Windows) or by running "javaws -viewer" from the command line (on Linux).

On the 'General' tab, select Network Settings (see the screenshot below) and check whether "Direct Connection" is selected. If not, set it to 'Direct Connection' and re-launch the console.

Possible problem 2: Zombie virtual console process issue

Solution:

First, check whether a zombie virtual console 'java' process is running; if one is, it needs to be terminated.

Run the following commands to view the virtual console processes and terminate them; you should then be able to launch the virtual console successfully.

On Windows Client:

wmic process get Caption,Commandline,Processid | find "viewer.jnlp"

This gives the process ID as the last column, which you can then pass to:

taskkill /PID <PID>

In the following screen shot (9380 is the PID)

 

On Linux Client:

ps -ef | grep viewer.jnlp

Use kill -9 <PID> to kill the process.

  

Possible Problem 3: Old archived libraries present in the cache

Solution:

Clear the Java cache by selecting 'View' in the Temporary Internet Files section on the 'General' tab of the Java Control Panel.

Select to remove the following

  

Thanks for reading this blog and we hope these solutions help you use the iDRAC7 on your Dell PowerEdge servers more effectively.


  • My user home is at default (ie c:\Users\myusername), but my desktop is moved to D: at

    D:\My space\Desktop

    Am I in the first case which is certificate related issue?

  • It turned out that I'm concerned by the section 1 even though my "user home" folder is at default location whereas "desktop" is not.  (Note: there seems to be a confusion between "user home" and "desktop" which are two different things)

    The workaround (copying trusted certificates) did work for me, but I have to say that this part is badly programmed.

    1. The Java program should not interfere in the certificate management which is supposed to be done by JRE layer.  When I'm looking in the Java console (inside Control Panel), it shows the certificates without this tweak.  This shows that JRE runtime is able to manage correctly the certificates.

    2. The programmers should not use "desktop" as the reference point to determine if "user home" is non-default or not and to determine where the certs are.  There are at least two better candidates in Win7:

    %USERPROFILE%\AppData\LocalLow

    %LOCALAPPDATA%\..\LocalLow