IPMI frustration

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
When I first learned of IPMI, it sounded like a great idea--a built-in IP KVM for your server, so you could access its console from, theoretically, anywhere. That's been some years ago, and since then, the Java thing has gotten worse and worse. At this point, I can't get the remote console to work any more on my TrueNAS box (a Supermicro X9 series, more detailed specs in the .sig) or my new-to-me Dell C6220.

Bottom line, I want to be able to click the Launch button in the IPMI web UI, and have it actually launch the virtual console. I want to be able to do that on a Mac (my main system), on Windows, and it'd be nice from a Linux desktop as well. I mainly use Firefox, occasionally Chrome. Is it possible to make this work the way it's supposed to?
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
I want to be able to click the Launch button in the IPMI web UI, and have it actually launch the virtual console
It doesn't do "just that" for me on my X9 series on Win10 using Chrome: it initiates a multi-step (4) process: After hitting "Launch Console", first "keep" a .jnlp file (in your Downloads folder), double click on that filename in the Chrome download footer to run it, then deal with a couple of Java pop-ups, after which the console window opens (and it behaves as expected).
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Have you tried adding your IPMI address to the JAVA exceptions site list on the security tab? The java settings can be found in the control panel in Windows, not sure about Mac or Linux though.
 

Arwen

MVP
Joined
May 17, 2014
Messages
3,611
One thing I found useful is virtual serial console. I've used it with IPMI type devices, like HP Proliant servers, and HP Proliant blade servers. I move the console from frame buffer to serial in Grub and "/etc/inittab", (those were Linux OS), and off I went. I don't remember if I was able to change the BIOS to be over serial as well, but that's an option on some computers.

The end result is that I use SSH to the IPMI IP address and then use a special command to enable virtual serial console. Can't remember what I used on HP Proliant servers, but I vaguely recall it being something like "vsp".

Of course with a virtual serial console you don't get X-Windows or any type of GUI, (like you may NEED with MS-Windows). But, in general my goal in console work is to fix remote access via network. Meaning if I had a typo in a network configuration update and rebooted, then lost access, console would be the way to fix it. Or to un-lock a local account for access.

Back in the Sun Microsystems days, remote serial consoles, over various methods, LOM, ALOM, SC, RSC, etc, were the way to go. It was not until 2011 that the SPARC T3 series included full graphic IPMI.

Of course, using SSH instead of Java just passes the problems to a different software stack. There have been SSH upgrades on client side that have resulted in loss of access because an embedded device does not support a common feature set of the newly upgraded client SSH.
 

Redcoat

MVP
Joined
Feb 18, 2014
Messages
2,925
Have you tried adding your IPMI address to the JAVA exceptions site list on the security tab? The java settings can be found in the control panel in Windows, not sure about Mac or Linux though.
Yes, I'm pretty sure that it was you that gave me that same advice before! :)

Here's the note adjacent to the entry box for those IPs:
1628967854133.png

I guess the two popups are "security prompts".
 

IOSonic

Explorer
Joined
Apr 26, 2020
Messages
54
@danb35 Did you ever get this working? I remember those Java-based iDRAC consoles in Dells were the absolute worst. I've also had issues with some of the later HPE iLOs that used Java. Like Redcoat said, attempting to launch a console should prompt you to download a .jnlp file. Is this happening? If it is and you're getting an error when you try to launch it, try the following:

1. Enable old, insecure ciphers in the java.security file for old Java consoles. This was necessary to get anything done with iDrac 6 clients, because they didn't support anything else. I don't know what the story is on your SuperMicro or the BMC in your Dell, but I'd look into it. IIRC, the errors were cryptic and didn't explicitly call out a cipher negotiation issue.

2. Set the network mode to "Direct Connection": Java Control Panel > General > Network Settings > Direct Connection

3. After making the changes, delete all Temporary files: Java Control Panel > General > Temporary Files > "Delete Files". Leave the first two boxes checked and click "OK" to delete everything but installed applications/app. Click "OK" to delete the files. Uncheck the box that says "Keep Temporary Files on This Computer" and click "OK" again to close the modal. You can revert this setting later.

4. Add the IPMI IP address to the site exceptions per @Redcoat's post. Be sure to pay attention to the connection protocol (https) when you enter the exception.

5. Delete any downloaded .jnlp files you may have, and try to launch the console again, which should download a new one. Open it with Java when prompted.

If you have both the x86 & x64 version of Java installed, make note that you perform step #1 in the correct folder and perform steps #2 - #4 in the correct Java control panel.

I hope this helps.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Did you ever get this working?
I'd gotten a bit distracted from this while trying to deal with the SSL certificates for the IPMI systems (another issue altogether, and the Dells in particular are a PITA), and I think I'd improperly conflated the Dell and the Supermicro systems--and while they may be implementing the same protocol, they aren't even close to the same in terms of the web UI.

The client system for testing is a Windows 10 system with Oracle Java recently installed (within the last couple of weeks), and current Chrome as the browser.

On the Supermicro, once I add its IP (http and https) to the exception list, it works, even if not as conveniently as I remember it working in the past. It does present the .jnlp file for download, then warns that it could damage my computer, I click keep, I open it (and I'm sure I remember, in the past, the .jnlp opening automatically), I tell Java to trust the app, and the console window opens and responds properly to the keyboard. I haven't tested virtual media, but if it's running, I assume that will work as well.

On the Dell, different story. Again, I've added the system's URL (both http and https) to the exception list. There are two buttons in its web UI (Launch Java KVM Client and Launch Java VM client), and I'm not sure of what's supposed to be the difference between them. If I click the "Launch Java VM client" button, I just get "Please Wait" with nothing else. If I click the "Launch Java KVM client" button, it (like on the SM) gives me the .jnlp file for download, warns it could damage the computer, I click keep, I open it, and I accept the Java warning--but I'm then quickly presented with a "Connection failed" message.

Edit: Java KVM Client is the virtual console; Java VM Client is virtual media--unlike on Supermicro, those functions aren't combined into one app.

So with that said, the security protocols suggestion sounded useful--and that does seem to have fixed it, at least under Chrome/Windows. Now on to other browsers/OSs...
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,419
Is there a redfish upgrade for the x9 series?

Upgrading my x10 meant I could use html kvm. Only works in chrome but it meant no more Java.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is there a redfish upgrade for the x9 series?
Not that I've seen. I have the latest firmware that Supermicro shows for this board, and it's using the Java KVM.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
Upgrading my x10 meant I could use html kvm. Only works in chrome but it meant no more Java.
I decided to upgrade my BIOS and IPMI firmware to see what all this html ikvm is all about. After fixing some mistakes I made I got it all updated and it's working. Works in Firefox for me as well as Chrome.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Is there a redfish upgrade for the x9 series?
No. X10s barely squeezed in.

Upgrading my x10 meant I could use html kvm. Only works in chrome but it meant no more Java.
No virtual media though, even on the latest X12/H12 stuff! It's not even a platform limitation, Gigabyte, ASRock and I think Asus all support it on the same platform!
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,419
No virtual media though, even on the latest X12/H12 stuff! It's not even a platform limitation, Gigabyte, ASRock and I think Asus all support it on the same platform!

This is true. I've been making do with USB drives and a short walk. It works.

Truth tho, now that bhyve is a bit more mature, everything else is running in VMs inside TrueNAS... so other than bios updates I don't use virtual media.
 

Stux

MVP
Joined
Jun 2, 2016
Messages
4,419
I decided to upgrade my BIOS and IPMI firmware to see what all this html ikvm is all about. After fixing some mistakes I made I got it all updated and it's working. Works in Firefox for me as well as Chrome.

Yes. Found this out yesterday after realising that I purged Chrome recently :) It warns about not supported video recording, but seems to work just fine.
 

keithpjolley

Cadet
Joined
Nov 15, 2021
Messages
4
i was able to upgrade quite a few of our hosts to newer firmware with html5. i get a complaint about video recording not being available in firefox but it doesn't seem to be a feature i care about enough to go back to using chrome. as there's so many variables your mileage will vary.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
@danb35, what I had to do to resolve the connection failures was to:
  • Edit the java.security file to allow TLS1.0 (it's blocked by default in later releases of Java)
  • Enable TLS1.0 in the Java control panel Advanced tab.
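
An added example, not part of any post in this thread: the java.security edits described above (re-enabling TLS 1.0 or old ciphers for a legacy BMC console) apply to every Java program using that runtime, so it helps to check exactly what an edit re-enabled and to keep the stock file for reverting. The sketch below parses the `jdk.tls.disabledAlgorithms` property, including its backslash line continuations, and compares a stock file with an edited one. The sample file contents and the `LEGACY` watch list are constructed for illustration.

```python
import sys

# Assumed watch list for this example: entries a current JDK normally keeps disabled.
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1", "RC4", "3DES_EDE_CBC")
KEY = "jdk.tls.disabledAlgorithms"

def read_property(text, key):
    """Return the last value assigned to key, joining backslash continuations."""
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or comment
            continue
        while line.endswith("\\"):           # logical line continues on the next one
            line = line[:-1] + next(lines, "").strip()
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()
    return value

def disabled(text):
    """Set of entries in the disabled list; empty if the property is absent."""
    value = read_property(text, KEY) or ""
    return {item.strip() for item in value.split(",") if item.strip()}

def enabled_legacy(text):
    """Watch-list entries NOT disabled. Exact match, so TLSv1.1 never hides TLSv1."""
    off = disabled(text)
    return [name for name in LEGACY if name not in off]

def relaxed(stock, edited):
    """Entries disabled in the stock file but re-enabled by the edited file."""
    return sorted(disabled(stock) - disabled(edited))

# Constructed samples, modelled on the layout of a java.security entry.
STOCK = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""
EDITED = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, anon, NULL
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:                   # usage: script.py stock_file edited_file
        STOCK, EDITED = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    print("legacy entries now enabled:", enabled_legacy(EDITED))
    print("re-enabled relative to stock:", relaxed(STOCK, EDITED))
```

Keeping a copy of the unmodified java.security next to the edited one makes the comparison, and the later revert, straightforward.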
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
i was able to upgrade quite a few of our hosts to newer firmware with html5.
That would be my preference, but all the relevant hosts at this time are too old for HTML5 to be available. It's there on my HPE Microservers, and quite handy (even if the virtual media part is excruciatingly slow on the Gen8, but it apparently isn't available at all via HTML5 on the SuperMicro gear), but my current SuperMicro and Dell gear make it available only through Java.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Just bought a used A2SDi-4C-HLN4F. I'd forgotten how virtual media was so much like watching paint dry.

I distinctly remember there being something that slowed things down massively (like having a certain menu open), but I can't remember the specifics... Here's hoping for someone with better google-fu than me and/or for the damned install to be done by the time I get up in the morning.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
I think I figured it out. I have to open the virtual media menu, then close it. Repeat every time the transfer stalls. This sort of thing is what gives computers a bad name.

The worst part is that I don't know whether to blame Supermicro, AMI or ATEN.
 

Jailer

Not strong, but bad
Joined
Sep 12, 2014
Messages
4,977
IPMI is all but useless on my old x9 series board now. Not sure why but it runs at between 5 and 8 FPS making using it for anything meaningful useless. My X10 board still works fine. I'm guessing it's a Supermicro thing.
 
