Environment
- BMC: ASUS ASMB8-iKVM, firmware 1.14.2
- Child image:
sciapp/nojava-ipmi-kvm OpenJDK 8
- Server:
nojava-ipmi-kvm-server v0.2.2
Expected
Java Web Start launches JViewer inside the ephemeral KVM child container.
Actual
Connect fails with weak-signature errors on AMI-signed JARs, for example:
Unsigned application requesting … signed with a weak signature algorithm MD5withRSA …
IcedTea may also reject the BMC HTTPS certificate when fetching the JNLP.
Reproduction
- Use a stock OpenJDK 8 child without legacy allowances.
- Connect to ASMB8 1.14.2 through the server web UI.
- Observe javaws / IcedTea failure before the noVNC session is ready.
Proposed configuration (opt-in, default off)
Pass flags only into the ephemeral child via template YAML and matching env vars:
| YAML key |
Child env |
Effect |
allow_legacy_jar_signatures: true |
ALLOW_LEGACY_JAR_SIGNATURES=true |
Allow MD5 in jdk.jar.disabledAlgorithms |
allow_insecure_jnlp_certs: true |
ALLOW_INSECURE_JNLP_CERTS=true |
IcedTea deployment.security.itw.ignorecertissues |
Convenience alias: ALLOW_LEGACY_AMI_JARS=true enables both child flags.
Example host template snippet:
allow_legacy_jar_signatures: true
allow_insecure_jnlp_certs: true
Tested on ASUS ASMB8-iKVM firmware 1.14.2. With flags disabled, failure matches the report above. With both YAML keys enabled, the KVM session loads after server connect.
Environment
sciapp/nojava-ipmi-kvmOpenJDK 8nojava-ipmi-kvm-serverv0.2.2Expected
Java Web Start launches JViewer inside the ephemeral KVM child container.
Actual
Connect fails with weak-signature errors on AMI-signed JARs, for example:
IcedTea may also reject the BMC HTTPS certificate when fetching the JNLP.
Reproduction
Proposed configuration (opt-in, default off)
Pass flags only into the ephemeral child via template YAML and matching env vars:
allow_legacy_jar_signatures: trueALLOW_LEGACY_JAR_SIGNATURES=truejdk.jar.disabledAlgorithmsallow_insecure_jnlp_certs: trueALLOW_INSECURE_JNLP_CERTS=truedeployment.security.itw.ignorecertissuesConvenience alias:
ALLOW_LEGACY_AMI_JARS=trueenables both child flags.Example host template snippet:
Tested on ASUS ASMB8-iKVM firmware 1.14.2. With flags disabled, failure matches the report above. With both YAML keys enabled, the KVM session loads after server connect.