Quick Fix: How to enable iLOM web access and remote console redirection for Oracle Storage Appliance ZFS 3-2

I assume you are familiar with the appliance and the day-to-day administration procedures using the service processor, so I will not deep dive into every step.

Problem

The service processor of Oracle's Storage Appliance model, ZFS 3-2 (with firmware version 3.1.2.18), does not support any TLS versions above version 1. Depending on your organisation's security policies, this can cause a few headaches when you try to access the service processor's iLOM web interface.

Typically, security policies disallow the use of TLS v. 1 because of its inherent security risks. However, this causes problems when administering the ZFS 3-2 appliance.

Two issues arise. First, the service processor's HTTPS service is likely disabled, so you cannot access it using a web browser. Second, with HTTPS enabled, the remote console video redirection functionality will fail if TLS v 1 is disabled in your client-side Java. Note that TLS version 1 support is disabled by default in recent versions of Java.

Checking HTTPS & TLS 1 settings

Check your appliance's settings using the service processor's command line. Below is an example of how to do this.

I have already enabled the HTTPS service and the TLS version 1 property in this example.

Notice that only TLS version 1 is available.

-> show SP/services/https

/SP/services/https
    Targets: 
        ssl

    Properties:
        port = 443
        servicestate = enabled
        sessiontimeout = 15
        sslv2 = disabled
        sslv3 = disabled
        tlsv1 = enabled ------> the only supported tls version
        weak_ciphers = disabled

Enabling HTTPS and TLS settings

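If your HTTPS servicestate and/or tlsv1 property are disabled, you can enable them using the service processor's command line. Both are properties of the /SP/services/https target, as the show output above lists them. The commands are shown below.

-> set /SP/services/https servicestate=enabled
-> set /SP/services/https tlsv1=enabled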

At this point, you should be able to access the iLOM web interface with a web browser.

Remote console redirection problems

When you launch the Remote Console tool available in the iLOM web interface, you may run into Java security-related errors, which will cause the redirection process to fail.

The errors discussed in this section can all be resolved by making changes to the java.security file. On my system, this file is located here: /etc/java-11-openjdk/security/java.security

TLS v 1 in Java

When launching the remote console, you may encounter the error message below.

Error message: The server selected protocol version TLS10 is not accepted by client preferences.

This means Java is set to disallow TLS 1 protocols. To enable TLS v1, edit the java.security file and remove the TLSv1 and TLSv1.1 entries from the jdk.tls.disabledAlgorithms property.

I use this command: vi /etc/java-11-openjdk/security/java.security

Output:

jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

After removing the entries, the property should look like this.

Output:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

The following two errors are unrelated to TLS settings, but I encountered them when I tried to launch the Remote Console redirection tool. So, I decided to include them here. Hopefully, it will benefit someone else.

Permission to unsigned jars

Error message: Application Error: Cannot grant permissions to unsigned jars.

Disable the jdk.jar.disabledAlgorithms property by commenting out the relevant lines. The property continues across three lines, and each one needs its own comment marker.

I use this command: vi /etc/java-11-openjdk/security/java.security

Output:

#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
#      DSA keySize < 1024, SHA1 denyAfter 2019-01-01, \
#      include jdk.disabled.namedCurves

Video redirection error

Error message: Video redirection error. No appropriate protocol (protocol is disabled or cipher suites are inappropriate).

Remove the SSLv3 entry from the jdk.tls.disabledAlgorithms property.

I use this command: vi /etc/java-11-openjdk/security/java.security

Output:

jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves

After removing the entry, the property should look like this.

Output:

jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
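
The java.security edits above apply to every Java program on the machine. As an added example (not part of the original post), the script below builds a small override file holding only the relaxed jdk.tls.disabledAlgorithms line, so the old protocols can be allowed for the remote console launch alone through the JDK's -Djava.security.properties=<file> option. It assumes security.overridePropertiesFile=true (the JDK default) and a launcher that forwards JVM options, for example javaws -J-Djava.security.properties=<file>; the function names and the sample file are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: write a per-launch override file
# instead of editing the system-wide java.security.

# Print a property's value with backslash continuations joined onto one line.
get_prop() {  # $1 = property name, $2 = java.security-style file
    awk -v key="$1" '
        !found && index($0, key "=") == 1 { found = 1; sub(/^[^=]*=/, "") }
        found {
            more = sub(/\\[ \t]*$/, "")      # trailing backslash: value continues
            gsub(/^[ \t]+|[ \t]+$/, "")
            printf "%s%s", $0, (more ? " " : "\n")
            if (!more) exit
        }' "$2"
}

# Drop exact entries from a comma-separated list, so that removing "TLSv1"
# leaves "TLSv1.1" alone unless it is named too.
drop_entries() {  # $1 = list, remaining args = entries to drop
    list=$1; shift
    printf '%s\n' "$list" | awk -v drop="$*" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
        {
            m = split($0, item, /,[ \t]*/); out = ""
            for (i = 1; i <= m; i++)
                if (!(item[i] in skip)) out = out (out == "" ? "" : ", ") item[i]
            print out
        }'
}

# Write an override file holding only the relaxed jdk.tls.disabledAlgorithms.
make_override() {  # $1 = source file, $2 = output file, remaining = entries to allow
    src=$1; dst=$2; shift 2
    current=$(get_prop jdk.tls.disabledAlgorithms "$src")
    [ -n "$current" ] || return 1     # property not found: write nothing
    printf 'jdk.tls.disabledAlgorithms=%s\n' "$(drop_entries "$current" "$@")" > "$dst"
}

# Constructed sample: the property as the post shows it before any edit.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#jdk.tls.disabledAlgorithms=constructed commented-out line, must be ignored
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
EOF
override=$(mktemp)
make_override "$sample" "$override" TLSv1 TLSv1.1
cat "$override"
```

For the video redirection error, pass SSLv3 as a further argument to make_override.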

Done

That is it from me!