Supermicro's beloved iKVM Console Redirection is dumping problem-ridden Java for HTML5, yay!

Posted by Paul Braren on Mar 8 2016 (updated on Jul 18 2016) in
  • HomeLab
  • HomeServer
  • Network
  Updates to this article added below.

    People love their remote admin, especially in lights-out datacenters and discreet home labs. Tucking a server away, without needing a locally attached keyboard/video/mouse ever, is a great advantage from a noise and heat perspective. Since you can mount ISO files remotely so easily, who needs DVDs/CDs anymore anyway.

    [Screenshots: browser warning "This plugin has security vulnerabilities"; iKVM window (cropped)]

    Supermicro's flavor of on-board IPMI BMC for remote administration is called iKVM, Remote Console, or Console Redirection, depending upon where you look in the browser UI. Some questions about Java arose recently, starting with what seemed like a simple tweet. It quickly got a bit more involved. Like Robert, I reluctantly used Java for iKVM in a separate browser rarely used for much of anything else, IE11. The logic here is that any IE11 vulnerabilities aren't a big concern, since this iKVM Console Redirect function is internal network (intranet) traffic. But like Java, IE11 is not long for this world, with the Edge browser slowly taking its place in Windows base images, such as Windows 10 and Windows Server 2016. Much like the recent death of Adobe Flash, this demise is very long overdue.

    So I moved to Firefox, knowing IE wasn't a long-term solution to be including in the how-to videos I produce. But on Firefox, alas, I encountered a bit of instability, pictured above. I just hadn't gotten around to opening a ticket on that.

    Let's just say it. Oracle doesn't exactly give me the warm fuzzies when their Java installer tries to sneak toolbars and junk onto my systems, or my family's systems. I also kind of harbor resentment against the Oracle brand, every single time IT Pros like myself get to fight with Java version updates on relatives' PCs on holidays, for relatives who still "need" Java for some casual gaming.

    IPMIView

    Think you can get around Java dependencies with something like Supermicro's stand-alone utility called IPMI View?

    Turns out it's not only a 32-bit relic, but it also carries its own Java runtime. Yuck.

    Using your "other" browser, or a stand-alone Windows-only application, is clumsy.

    Announcing HTML5 iKVM

    It is with great pleasure that I share this news today with you, about an HTML5 future for iKVM. A special thanks to @RERobbins for helping me stumble upon this gem of an FAQ from Supermicro, apparently published largely unnoticed, back on January 29 2016:

    supermicro.com/support/faqs/faq.cfm?faq=22376

    Question
    Regarding IPMI, do you have any view console or web browsers that can be used without the need for java?
    Important Note
    Baseboard Management Controllers (BMC) running IPMI protocol is designed to make the management of servers easy for IT operations. Due to BMC's powerful capabilities, it is recommended that BMC network access be restricted to a protected subnet behind firewall. IPMI Security is an evolving topic and Supermicro has been actively working with security community and customers to provide timely patches and continuously improve security on our products. We encourage you to visit following links for most updated resources and information: Best Practices guide and recommended security firmware patches on our IPMI landing page.
    Answer
    Currently, you will need to use Java. However, since Oracle has announced they will discontinue support for Java plugin, we have HTML5 based KVM for testing and will release it soon.

    https://blogs.oracle.com/java-platform-group/entry/moving_to_a_plugin_free

    You may want to visit that faq URL for yourself, to type in your comments to let Supermicro know how important development of this capability really is.

    This kind of news makes me happy. And RERobbins too, apparently. Given much of my day job has been spent wrangling with Java versions for old-school SAN administration and iLO/AMM/iDRAC remote admin, I know many IT Pros like me would rather see that all go away. I'm relieved it might be the case that our home labs might be Java-free sooner than the enterprise. I'll believe it when I see it. Only then will I make the same joyous noise that's featured in this closely-related article:

    I'll be curious to see how mounting ISOs from local filesystems works out, and whether the FPS holds up. I imagine those are just a few of the many barriers the developers must be facing. But wow, wouldn't it be nice to have a (hopefully) consistent experience across browsers, when launching iKVM from any of your home network operating systems, without having to worry about a constant barrage of Java updates, versions, and vulnerabilities? See just one example of Steve Gibson's many Java vulnerability mentions, in these shownotes for Security Now! Episode #393.



    Mar 09 2016 Update

    Q&A with Supermicro - this just in:

    1. Any chance you have HTML5 based beta that can be tested yet? (presumably a new IPMI version)

      Not at this moment.

    2. And or any sort of vague estimate of when this HTML5 version might be released publicly? (subject to change of course)

      Still in development stage so I don’t have ETA

    3. Will HTML5 work for all existing Supermicro mobos, or only recent models where IPMI updates are more likely to happen?

      We are trying to kill two birds with one stone so whichever mb has redfish version that will have HTML5

    This seems to be a good time to add what Supermicro has published about Redfish:

    • Supermicro Server Management (Redfish API)

      Supermicro will support Redfish RESTful APIs on its X10 Generation and future server product line. All the BMC firmware designated with 3.xx will support this technology.

    So we're not so sure what will become of pre-X10 motherboards. Perhaps they're stuck with Java? We probably shouldn't put too much weight on what one Supermicro person has stated. Time will tell.
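Whether a given board is on that 3.xx Redfish firmware line can be read from the BMC itself. The following Python is an added example, not code from Supermicro or from the original article: it walks the standard Redfish resource tree (service root, Managers collection, Manager) to the `FirmwareVersion` property. The sample responses, the `dict_fetcher` helper and the result labels are constructed assumptions; in real use `fetch` would wrap an authenticated HTTPS GET against a BMC on your management subnet.

```python
import re

# Constructed sample responses keyed by Redfish path (not captured from real hardware).
SAMPLE_BMC = {
    "/redfish/v1/": {"RedfishVersion": "1.0.1",
                     "Managers": {"@odata.id": "/redfish/v1/Managers"}},
    "/redfish/v1/Managers": {"Members": [{"@odata.id": "/redfish/v1/Managers/1"}]},
    "/redfish/v1/Managers/1": {"ManagerType": "BMC", "FirmwareVersion": "3.27"},
}
SAMPLE_OLD_BMC = {}  # constructed: firmware that exposes no Redfish service at all


def dict_fetcher(responses):
    """Hypothetical offline stand-in for an authenticated GET returning parsed JSON."""
    def fetch(path):
        if path not in responses:
            raise LookupError(f"HTTP 404 for {path}")
        return responses[path]
    return fetch


def bmc_firmware_versions(fetch):
    """Follow @odata.id links from the service root to every BMC manager.
    Returns None when there is no Redfish service root."""
    try:
        root = fetch("/redfish/v1/")
    except LookupError:
        return None
    managers = fetch(root["Managers"]["@odata.id"])
    versions = []
    for member in managers.get("Members", []):
        mgr = fetch(member["@odata.id"])
        if mgr.get("ManagerType") == "BMC":
            versions.append(mgr.get("FirmwareVersion", ""))
    return versions


def redfish_generation(fetch):
    """Classify a BMC against the '3.xx' firmware designation quoted above."""
    versions = bmc_firmware_versions(fetch)
    if versions is None:
        return "no-redfish"
    # Tolerate a zero-padded major version such as "03.27" (assumption).
    if any(re.match(r"0*3\.\d+", v) for v in versions):
        return "redfish-3.xx"
    return "redfish-other"


if __name__ == "__main__":
    print(redfish_generation(dict_fetcher(SAMPLE_BMC)),
          redfish_generation(dict_fetcher(SAMPLE_OLD_BMC)))
```
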


    Mar 09 2016 Update #2

    I never really got into how awkward it is to launch the iKVM applet currently, dealing with differing behaviors in each browser, white-listing IPs, and downloading a JNLP file that you use to launch it. But once you jump through all those hoops with your mouse, it's so awesome, and so worthwhile.

    Java is a very popular language. The vulnerabilities I'm focusing on here are those web integrations, where much of the inherent danger lies. Our browsers have no business opening full-featured applications like Java. You're an IT Pro, trying to run a secure datacenter, while weakening your administrative PC's security just to do so. Even Alanis knows that's ironic.

    The 'Java[tm] Plug-In SSV Helper' add-on from 'Oracle America, Inc.' is ready for use.

    I avoid browser applets/plugins/extensions wherever possible, especially Java, for the reasons outlined at The Java Browser Plug-in is a Complete Disaster. Chrome is my current primary browser; see also what Oracle says at Java and Google Chrome Browser, given Chrome no longer supports the NPAPI that was required for Java applets. This is similar to the issues VMware is facing with their vSphere Web Client's reliance on Adobe Flash, which is being deprecated everywhere.

    All we SYS-5028D-TN4T home lab enthusiasts really need is a safe way to do smooth remote control of our ASPEED AST2400 based iKVM.

    I've now added some screenshots below showing portions of the latest Java installation routine. This is Java Version 8 Update 73, from Feb 05 2016.

    Java installer telling us to go use IE11

    In Windows 10, the Edge browser does not support plug-ins and therefore will not run Java. Switch to a different browser [Firefox or Internet Explorer 11] to run the Java plug-in.

    Skeevy offer

    Please Amazon, please don't go to the dark side and continue to broker deals with such skeevy software installers. It makes us associate your brand with Yahoo and Ask Toolbars. Is that what you really want?

    June 04 2016

    It would seem we're getting closer to having something to try on our X10 Generation SYS-5028D-TN4T/X10SDV-TLN4F systems, see the following Twitter conversation:


    See also the closely related article, just published:


    JUL 18 2016 Update

    Over at STH Forums:

    • Supermicro HTML5 iKVM arrived
      -JUN 22 2016 by Patrick Kennedy at STH.

      We have a Supermicro SYS-5018D-LN4T in the lab and I saw something I think STH-ers will be excited about: an initial HTML5 iKVM!

      The HTML5 KVM functions are working, as are the power on/off. Virtual media still requires the Java app or using the web page:
      Supermicro X10SDV-2C-TP4F HTML5 and Java iKVM.PNG

      Still, this is a very exciting development for those of us who want to move to a java-less environment.


    See also

    Supermicro's beloved iKVM Console Redirection is dumping problem-ridden Java for HTML5, yay!
    reddit thread by speckz with a great discussion: VNC, noVNC, ties with Avocent (KVM vendor), and more.

