[kwlug-disc] Need help with running java applets from IPMI/BMC

[Mikalai Birukou]

Context of the story:

1) Many 5y old servers have remote consoles available. But these are 
available via java applets.

2) Over the past years two things have happened. Browsers stop 
supporting java. Some restricting on dealing with signatures in java has 
also changed: for example this is an account 
https://stackoverflow.com/questions/21157450/how-to-make-a-machine-trust-a-self-signed-java-application


The story:

a) I have machines into which I used to go via java applet console, i.e. 
it worked.

b) No new browser will allow java. I am on ubuntu, a firefox fan. 
Firefox 52 something dropped java. Creating a VM with fresh install of 
Ubuntu 14 will give you Firefox 52 that doesn't run java. Its the 
version with most warnings.

c) I have Ubuntu 12 with some older firefox, on which I did "apt-mark 
hold firefox*", or something like this, before allowing it on the network.

d) icedtea plugin installs, all is nice, except java complains about 
code being unsigned, and shows respective exception. I've tried a thing 
from mentioned post, sticking "grant { permission 
java.security.AllPermission; };" to policy files, to no avail on both 
openjdk6 and 7.

e) I have VM specifically to run this insecure view, attached to 
internal virtual network with no escape, to which ports are forwarded by 
host via ssh tunneling. Setup is perfect, except for java refusing to run.


Words of caution. If you are logging into java console now, preserve the 
tools, better virtualize your setup for future.

Question 1:
Does anyone have an image, or can make an image of tools setup that 
allow running browser with java applets?

Question 2:
Is there a flag that will tell java to run like its development, without 
checking any signatures and allowing any permissions?

Thank you.