Legacy AMI JAR signatures break Java KVM in child container (ASUS ASMB8) #36

Description

@nesvet

Environment

  • BMC: ASUS ASMB8-iKVM, firmware 1.14.2
  • Child image: sciapp/nojava-ipmi-kvm OpenJDK 8
  • Server: nojava-ipmi-kvm-server v0.2.2

Expected

Java Web Start launches JViewer inside the ephemeral KVM child container.

Actual

Connect fails with weak-signature errors on AMI-signed JARs, for example:

Unsigned application requesting … signed with a weak signature algorithm MD5withRSA …

IcedTea may also reject the BMC HTTPS certificate when fetching the JNLP.

Reproduction

  1. Use a stock OpenJDK 8 child without legacy allowances.
  2. Connect to ASMB8 1.14.2 through the server web UI.
  3. Observe javaws / IcedTea failure before the noVNC session is ready.

Proposed configuration (opt-in, default off)

Pass flags only into the ephemeral child via template YAML and matching env vars:

| YAML key | Child env | Effect |
|---|---|---|
| allow_legacy_jar_signatures: true | ALLOW_LEGACY_JAR_SIGNATURES=true | Allow MD5 in jdk.jar.disabledAlgorithms |
| allow_insecure_jnlp_certs: true | ALLOW_INSECURE_JNLP_CERTS=true | IcedTea deployment.security.itw.ignorecertissues |

Convenience alias: ALLOW_LEGACY_AMI_JARS=true enables both child flags.

Example host template snippet:

allow_legacy_jar_signatures: true
allow_insecure_jnlp_certs: true

Tested on ASUS ASMB8-iKVM firmware 1.14.2. With flags disabled, failure matches the report above. With both YAML keys enabled, the KVM session loads after server connect.
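The opt-in mapping proposed in this issue, sketched as an added example (not code from the issue or from the nojava-ipmi-kvm project): it resolves the three env vars with everything off by default and removes only the exact `MD5` entry from `jdk.jar.disabledAlgorithms`, leaving every other restriction in place. The function names, the `SAMPLE_DISABLED` value, the `file: line` output format and the `=true` property value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical child-entrypoint helpers, not the project's code.

# Constructed sample value; read the real one from the image's java.security.
SAMPLE_DISABLED='MD2, MD5, RSA keySize < 1024, DSA keySize < 1024'

is_true() { [ "$1" = "true" ]; }

# Resolve the two child flags; the alias turns on both. Anything other than
# the literal "true" leaves a flag off, so the default stays strict.
resolve_flags() {
    jar=false; cert=false
    if is_true "${ALLOW_LEGACY_AMI_JARS:-}"; then jar=true; cert=true; fi
    if is_true "${ALLOW_LEGACY_JAR_SIGNATURES:-}"; then jar=true; fi
    if is_true "${ALLOW_INSECURE_JNLP_CERTS:-}"; then cert=true; fi
    echo "jar=$jar cert=$cert"
}

# Drop only the exact "MD5" entry from a comma-separated disabledAlgorithms
# value; MD2 and the key-size limits are kept as they were.
strip_md5() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' \
        | grep -v -x 'MD5' | paste -sd, - | sed 's/,/, /g'
}

# Print the override lines the child would write, one "file: line" each.
# With no flag set, nothing is printed and the stock JDK policy applies.
render_overrides() {
    flags=$(resolve_flags)
    case "$flags" in *jar=true*)
        echo "java.security: jdk.jar.disabledAlgorithms=$(strip_md5 "$1")" ;;
    esac
    case "$flags" in *cert=true*)
        echo "deployment.properties: deployment.security.itw.ignorecertissues=true" ;;
    esac
    return 0
}
```

Because both relaxations remove integrity checks on what the BMC serves, the sketch keeps them tied to explicit per-host flags and emits nothing when the flags are absent.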
