iLO Java Remote Console: Upcoming JRE 1.7u51

We're aware of the problem and we will be adding the "Permissions" and "Codebase" attributes to the JAR file manifest for iLO2, iLO3 and iLO4 Java Remote Console Apps.

However, after adding the required attributes, we are still seeing these same warnings. Clicking on the details, we see that Java now complains about iLO not being a trusted website.  To solve this issue, users will have to import into each iLO a trusted SSL certificate signed by their own Certification Authority and then begin logging into iLO using only iLO DNS name instead of the iLO IP address.

In addition, users might need to import into the Java Keystore on each client the certificate of the Certification Authority that issued those iLO SSL certiticates or Java will not trust the iLO's new imported certificates.

So How do we do this at scale? we have over 1200 blades across 41 chassis's.

We have our own CA and it's root cert is in all our browsers, java etc.

Java 7u51 was released today and I can say that even with the fix for the manifest file we did for iLO2 v2.23, iLO3 v1.65 and iLO4 v1.32 and adding a trusted SSL certificate to each iLO, users could still experience issues opening the remote console and the virtual media applets.

The best solution so far is adding all your iLOs to the Java exception site list.

Hi Everyone,

Just to let everyone know that updating iLO 2  to latest firmware 2.23 for BL460c G6 and BL465 G5 did not solve the problem for the Java 7u51.

Also adding the acception list to java's security does not work either for 7u51.

Tested on Windows 7, Windows 8, Windows 8.1 - IE 10, IE11, Firefox 26.

Any help is appreciated since iLO's java remote session will not work on any of the blades. 

Do you have the debug output from the java console?

Like mattlok-101, upgrading to version 2.23 on my DL 385 G5, didn't fix the issue. 

When I try to view the Remote Console with IE 11 on Windows 7,  I receive a message that says - Error: Click for details.   The information from the Java console is listed below.

Firefox 24.2.0 ESR gives me even less information.  I've cleared the cache, etc. from both browsers.  I alo tried adding the IP address of the iLO to the Java exception list, but it doesn't fix the issue either. 

Java Plug-in 1.7.0_51
Using JRE version 1.7.0_51-b13 Java HotSpot(TM) Client VM

load: class com.hp.ilo2.remcons.remcons.class not found.
java.lang.ClassNotFoundException: com.hp.ilo2.remcons.remcons.class
	at sun.applet.AppletClassLoader.findClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadClass(Unknown Source)
	at java.lang.ClassLoader.loadClass(Unknown Source)
	at sun.applet.AppletClassLoader.loadCode(Unknown Source)
	at sun.applet.AppletPanel.createApplet(Unknown Source)
	at sun.plugin.AppletViewer.createApplet(Unknown Source)
	at sun.applet.AppletPanel.runLoader(Unknown Source)
	at sun.applet.AppletPanel.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Have you tried deleting temporary files in the Java Control Panel?

Open Java Control Panel and under General Tab, click on Settings button. It will open the Temporary File Settings window. Click on Delete Files button and select Installed Applicatons and Applets. Click OK.

This should force Java to download the new remcons app from iLO next time you click on the Remote Console link.

If it still won't work after this, go to the Security tab and try lowering the Security level.  Also click on "Restore Security Prompts".

I had the "keep temporary files on my computer" unchecked.  I re-enbled it, opened and closed Java time or two and deleted the temporary files, as well as the Installed Applications and Applets.

Retried the Remote Console - still doesn't work.

Have you tried deleting temporary files in the Java Control Panel?

I re-enabled the Next Generation Java Plugin (had it disabled for another app), and lowered the security from High to Medium.  Also clicked on "Restore Security Prompts".

Retried the Remote Console - still doesn't work.

If it still won't work after this, go to the Security tab and try lowering the Security level.  Also click on "Restore Security Prompts".

I still receive a message that says "Error, Click for details". 

When I click on it, up pops up an  "Application Error" dialog box titled "RuntimeException" that lists  "java.lang.reflect.InvocationTargetException".    The dialog has a button "Details" but clicking this just opens the Java Console, in which there are no error messages.

I do see the "Error, Click for details" with iLOs that are not in my Java exception site list but, If I close it and try again or click on the "Reload" button, Java will open the remote console.

You said you tried adding your iLO to the exception site list.   Did you use   https://iLO-IP-Address   format?

Yes I did.

You said you tried adding your iLO to the exception site list.   Did you use   https://iLO-IP-Address   format?

Clicking the "Reload" button, just takes me back to the same, "Error, Click for details" message.

I do see the "Error, Click for details" with iLOs that are not in my Java exception site list but, If I close it and try again or click on the "Reload" button, Java will open the remote console.

Taking your "reload" suggestion a little further, I found that if I got the the "Error, Click for details" message, and then closed the window.  And, back at the main iLO window, did a F5 (refresh), and reselected the "Remote Console", I'd get the (expected) server console screen. 

And, it worked for me, regardless of whether the IP address was listed as an exception or not.  I was experimenting with 2 servers - one with an exception, the other with one.

While it's clumsy, at least I have a working solution now.

Thanks for your help.

I did some additional testing this morning.  I was able to raise the Java Security level back to High.  And, I removed the IP addresses from the exception list.

My workaround of having to try to access the Remote Console, close the window, refresh, retry Remote Console still works. 

The solution works with either IE 11 or Firefox 24.2.0 ESR.

I'm running into this on the Lo100s running fw 4.25.  I added the site to the exception site list and still can't get the applet to load.  I get the "Missing required Permissions manifest attribute in main jar:  http://<my ip>/M2.jar"

This is still an issue, I cannot access any remote consoles across my 4 blade chassis.

I am using Java 8-25

I get the "error, click for details" message, and no amount of reloading seems to help.

Is there an iLO patch we need to apply?

Thanks

We have the same problem (even with 1.7u51, and 1.8u25. x86 and x64, with IE, Firefox and Chrome).

So what can we do?! HP?!

If you have your iLOs with a trusted SSL certificate, your browsers trust iLO webserver, you have imported the Root CA cert into the Java Keystore and you still have problems opening the Java iLO Remote Console then, call Oracle and ask them to get their act together.  

We have added all the required permissions into the JAR Manifest file and yet, JRE keeps blocking the Remote Console app.

I was just having the same problem.  I went into Administration > Settings > Security > SSL and changed the SSL Key length to 2048 and customized the CSR to change the Common Name (CN) to the IP address as that was how I was referencing the ILO.  When I tried to use the remote console it asked me to confirm the usage of the Remote Console class.

This is the first time I've been able to post something like this after years of getting out of trouble from other peoples posts so I really help this returns a favour or two.

Same problem on iLO100. :( Is it any chance, that this manifest will be added to iLO100? Thanks

Not sure if others have resolved their problem but I worked through my issue recently.

1. Installed Java JSE v8u5 on my Fedora 20 64bit Linux station.

2. Used 'alternatives' to update the default Java over openjdk (including link to libjavaplugin.so.x86_64)

alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/latest/jre/lib/amd64/libnpjp2.so 200000

3. Ensured Firefox had a link to the plugin

sudo ln -sf /usr/java/latest/jre/lib/amd64/libnpjp2.so /usr/lib64/firefox/plugins/libnpjp2.so

4. Restarted Firefox

     a. Go to your Addons and ensure the proper Java plugin is enabled

5. Finally need to add exceptions for Java security for the applet to run.

     - You can do this by running ControlPanel (/usr/java/latest/bin/ControlPanel)

        and adding exceptions in the Security tab for your iLO address.

        E.g. I was hitting my iLO via IP address, so the exception looked like "https://10.39.8.13"

     - Also, I noticed that by adding this exception, it was fortunately just saved into a plain text file located at:

       ~/.java/deployment/security/exception.sites

     - I intend to create a simple script that ensures my exception is there and then opens a tab in firefox to the iLO address.

Update:

I figured that I can successfully open the iLO2 Java Remote Console after I disabled TLS 1.1 and TLS 1.2 protocols in the Java Control Panel (iLO2 webserver supports up to TLS 1.0).

So, to me it looks like Java Runtime Environment versions 7 and 8 have a broken TLS implementation.  

Thanks Oscar A. Perez for pointing that out! Wenn disabling TLS 1.2 and TLS 1.1 in Java setting the Java console in ilo2 is working again. I tried with Java 8 Update 31 (1.8.0_31-b13).

It took me half an hour of searching the web until I found your solution.

Of cause it is needed to close the browser (or kill any running instances of Java) so that the new settings are applied.

I find it a bit strange that TSL 1.0  is working, because here is an Advisory from HP that says: "iLO is configured to enable SSL Version 3 for compatibility and disable TLS (Transport Layer Security) Version 1.0, which also will disable TLS Version 1.1 and TLS Version 1.2 as well."

Unfortunately thre is still no updated firmware available...

@aFriend,

That advisory is about iLO connecting as a "client" to servers that support TLS 1.0

BTW, this client connecting issue has been addressed in the latest iLO2 v2.27, iLO3 v1.82 and iLO4 v2.03

 I tried to follow the exact steps but I am unable to start the Java Intergrated Remote Console. JDK1.8.45 and Fedora 21 not working.

---

@Jon_Miller wrote:

Not sure if others have resolved their problem but I worked through my issue recently.

 

1. Installed Java JSE v8u5 on my Fedora 20 64bit Linux station.

 

2. Used 'alternatives' to update the default Java over openjdk (including link to libjavaplugin.so.x86_64)

 

alternatives --install /usr/lib64/mozilla/plugins/libjavaplugin.so libjavaplugin.so.x86_64 /usr/java/latest/jre/lib/amd64/libnpjp2.so 200000

 

3. Ensured Firefox had a link to the plugin

 

sudo ln -sf /usr/java/latest/jre/lib/amd64/libnpjp2.so /usr/lib64/firefox/plugins/libnpjp2.so

 

4. Restarted Firefox

     a. Go to your Addons and ensure the proper Java plugin is enabled

 

5. Finally need to add exceptions for Java security for the applet to run.

     - You can do this by running ControlPanel (/usr/java/latest/bin/ControlPanel)

        and adding exceptions in the Security tab for your iLO address.

        E.g. I was hitting my iLO via IP address, so the exception looked like "https://10.39.8.13"

 

     - Also, I noticed that by adding this exception, it was fortunately just saved into a plain text file located at:

       ~/.java/deployment/security/exception.sites

 

     - I intend to create a simple script that ensures my exception is there and then opens a tab in firefox to the iLO address.

---

I there any support from HP for this ? The last time I was able to start ILO console properly on Linux was 5 or 6 years ago on CentOS 5 with JDK1.6 . After that look like HP dropped support entirely for Linux. Very odd all the HP servers I installed in the last 5 years are running Linux.

OK,

  finally I was able to make it work under Fedora 21  with JDK 1.8.0_45

Very important to follow the above list of stuff but additionally:

- make sure to have the last JDK version (jdk 1.8.0_45 in my case)

- make sure to disable any addblocker/scriptblocker in the browser for your ILO site

- make sure to add the site in the Java Security Exception list under Security in Java Control Panel

- make sure TLS 1.1 and TLS 1.2 are disabled under Advanced Tab in Java Control Panel

- make sure to allow java plugin execution for the ILO site. Stupid Firefox denies by default any execution and you have to click a plugin button (between back button and the address bar) to allow execution.

- open in your firewal/firewalls port 17990 which is the default port for Remote Console Port

- open in your firewal/firewalls port 17988 which is the default port for Virtual Media Port

 Hope this help someone.