Tag Archives: esxi

DRACs and Macs and Java Hacks

I’m inherently lazy. Like, “I want a bottle of water, but it’s all the way over there, so I guess I’ll just dehydrate” style lazy.

Our server room is maybe, MAYBE, 50 feet from my desk. But I’ve got to go around a wall and unlock two doors, disable an alarm system, fight a dragon, and then find the machine I want to administer. Ain’t nobody got time for that.

To make sure that I can maintain my standards of laziness, we have remote management available for all of our servers. Since we’re a Dell shop, that consists of DRAC , the Dell Remote Access Controller (with the Enterprise license for remote console).

In the past, these have been of questionable quality and perhaps I have, on occasion, called into question the marital status of the DRAC’s mother, but we seem to have settled into an uneasy truce where I try to do things, and it continually tells me no until I ask nicely enough.

The first case in point is the DRAC’s remote console and the security surrounding it. If you ever take a look at the jnlp file, you’ll see that the application pulls down a platform-specific jar file that is the actual KVM application.

When you run jarsigner -verbose -certs -verify on the jar file, here’s what you get:

$ jarsigner -verbose -certs -verify ./avctVMLinux32.jar

135 Thu Sep 08 13:44:00 EDT 2011 META-INF/MANIFEST.MF
259 Thu Sep 08 13:44:00 EDT 2011 META-INF/DELL.SF
5406 Thu Sep 08 13:44:00 EDT 2011 META-INF/DELL.RSA
0 Thu Sep 08 13:42:48 EDT 2011 META-INF/
sm 160904 Thu Dec 11 19:54:40 EST 2008 libavmlinux.so

[entry was signed on 9/8/11 9:44 AM]
X.509, CN=Dell Inc., OU=PG Software Development, OU=Digital ID Class 3 – Java Object Signing, O=Dell Inc., L=Round Rock, ST=Texas, C=US
[certificate expired on 8/30/13 7:59 PM]

X.509, CN=VeriSign Class 3 Code Signing 2009-2 CA, OU=Terms of use at https://www.verisign.com/rpa (c)09, OU=VeriSign Trust Network, O=”VeriSign, Inc.”, C=US
[certificate is valid from 5/20/09 8:00 PM to 5/20/19 7:59 PM]
[KeyUsage extension does not support code signing]
X.509, OU=Class 3 Public Primary Certification Authority, O=”VeriSign, Inc.”, C=US
[certificate is valid from 1/28/96 7:00 PM to 8/1/28 7:59 PM]

s = signature was verified
m = entry is listed in manifest
k = at least one certificate was found in keystore
i = at least one certificate was found in identity scope

jar verified.

This jar contains entries whose signer certificate has expired.

Emphasis mine.

As you can see via the bolded line, the certificate used to sign this jar file expired in August of 2013. This creates an awkward situation, because Java 1.7 got all gung-ho about security and was like, “sorry dude, no can do. If you want to run this, you’ve got to turn your security into swiss cheese. Via con Dios”. That might be a loose quote.

Of course, that’s assuming you can actually run the thing. If you’re on a Mac, your computer is conspiring against you. If you run Chrome, for reasons that have never been apparent to me, the jnlp file doesn’t actually get downloaded as viewer.jnlp. It gets downloaded as viewer.jnlp([email protected]@idrac-6C61TS1,+PowerEdge+R410,[email protected]).[email protected]@idrac-6C61TS1,+PowerEdge+R410,[email protected]), and at least on a Mac, the OS is like, “Sorry, I’ve got no idea. Would you like to open this with like, text edit, or maybe XMLedit? Because I can’t do anything with this”.

So once you rename it to .jnlp (complete with scary “changing the file extension may lead to wormholes destroying the universe” warnings), then you double click the file and your computer goes full-on HAL9000. “I’m sorry, Matt, I’m afraid I can’t let you do that”.


The workaround is, of course, to right click the file then select Open. This lets the computer know that you’re totally serial about opening the malware.

Once you do that (then click Open again), Java actually pulls down the jar file and runs it. If you haven’t replaced the self-signed DRAC certificate (you lout), then you get an SSL warning when it pulls the jar file, of course. But then you have the jar file, and it runs it, and immediately pukes because of the aforementioned signing issue.

The way to trick it into running is to go into your System Preferences, launch the Java Control Panel, go to Security, say “I solomnly swear that I am up to no good”, set your security slider to “High” or if you live dangerously, Medium. I’d say “Low”, but much like the pizza place by my house, there is no “Small”, only “Medium, “Large”, and “Extra Large”. You know what? That makes Medium the Small, you morons! Gah!

Anyway, where were we? Right, change your security level to High or Medium, then in the Exception Site List section, click the Edit Site List, then add the https:// url to your DRAC. Yes, all of them. No, you can’t use wildcards. Awesome, right?

Anyway, add your DRACs to the list (or just edit the list once and distribute it) and then you’ll be able to connect.

Of course…if you’re trying to manage ESXi machines like I am, and you’re logging in to the console to, say, reset the management agents, you’re going to run into other problems…like the fact that VMware’s ESXi console makes extensive use of the F11 key, something Macs have claimed as their own, as pressing F11 launches Expose. So basically, by default, you can’t possibly press F11 in the virtual terminal because it makes all of your windows scatter like cockroaches.

You can also fix that by going into the control panel, clicking on Mission Control, and change the “Show Desktop” shortcut to something that your enterprise consoles haven’t used for critical functionality.

So there. If you use a Mac to manage things, hopefully you can at least remove those particular hurdles. What other things do you run into with Macs (or just stupid platforms in general)? Comment and let me know!

VMWare ESXi – Decreasingly Free As Time Goes On

Hey, what do you say we throw some actual content up here and see what happens…

The excellent virtualization blog RTFM Education has a post today talking about VMware ESXi. Specifically that as time continues, fewer and fewer features work with it.

The case in point started with the remote command line interface being changed to “read only”, which doesn’t make it much of an interface at all.

After that failed to correct itself, a 3rd party backup solution called Veeam was just asked to remove backup support for ESXi.

This is a disturbing trend, and as someone on the brink of making a decision, this weighs heavily. Citrix’s Xenserver supports live motion (live transferring of a running virtual machine from one Xenserver to another without shutting it down) for free. What does VMware offer at this point except a future of heavy skepticism? Not much that I see.

Fun with VMware ESXi

Day one of playing with bare metal hypervisors, and I’m already having a blast.

I decided to try ESXi first, since it was the closest relative to what I’m running right now.

Straight out of the box, I run into my first error. I’m installing on a Dell Poweredge 1950 server. The CD boots into an interesting initialization sequence. The screen turns a featureless black, and there are no details as to what is going on behind the scenes. The only indication that the machine isn’t frozen is a slowly incrementing progress bar at the bottom. After around 20 minutes (I’m guessing the time it takes to read and decompress an entire installation CD into memory), the screen changes to a menu asking me to hit R if I want to repair, or Enter if I want to install. I want to install, so I hit Enter. Nothing happens, so I hit enter again. And again. And again. It takes a few more times before I realize that the “numlock” light is off. Curious, I hit numlock and it doesn’t respond.


I unplug and replug the keyboard in. Nothing. Move it to the front port. Nothing. I reboot and come back to my desk to research. Apparently, I’m not alone. Those accounts are from 2008. I downloaded this CD an hour ago, and it’s 3.5 U4 (the most current 3.5x release). It is supposed to have support on the PE1950, but if the keyboard doesn’t even work, I have my doubts.

Lots of people have suggested using a PS2 keyboard as the accepted workaround, but in a similar tone to most of my problem/solution options, this server has no PS2 ports.

I’m downloading ESX v4 now. I’ll update with how it goes, no doubt.