supermicro / java / console redirection / kvm

supermicro / java / console redirection / kvm

  • Written by
    Walter Doekes
  • Published on

Connecting to the new SuperMicro iKVM management interfaces requires a working Java in your browser (IcedTea browser plugin). It will launch a Java Web Start (javaws) application. And java plugins (and needless web forms) are a pain in the behind. Is there a better way?

Obviously, running from the web interface just means downloading a Java application, and running it locally. So why can’t we do that directly, and skip the IcedTea Java browser plugins?

Previously, we could connect to most hosts using the IPMIView utility, downloadable from the SuperMicro FTP server. Nowadays, that doesn’t work for two reasons:

  1. A TLS layer is added to all connections (KVM port 5900, and virtual storage port 623). That’s a good thing.
  2. The KVM username and password are rotated instead of being the same as the one used to connect to the HTTPS interface. A less obvious decision.

Wrapping the connection in TLS

IPMIView already had the capability of wrapping some connections in TLS. As can be seen in ipmikvm (2019):

# spawn socat
crtpath="$ipmipath/BMCSecurity" # "/opt/ipmiview/BMCSecurity/client.crt"
socat "TCP4-LISTEN:$port" "OPENSSL:$remotehost:$remoteport,$crtopt" &

That works for most current SuperMicro iKVM interfaces. However, that script did not provide for Virtual Storage (port 623) TLS wrapping.

Fetching the rotated username and password

With the newer SuperMicro management interfaces, you can log in on https://MANAGEMENT_IP/ using the configured username+password, but connecting to the KVM interface yields a Authentication Failed.

If you go to Remote Control, Console Redirection and click Launch Console, you’re presented with a launch.jnlp download — which may or may not get picked up by your Java plugins, if you have them.

You can fetch this file programmatically, using a bit of curl and bash:

get_launch_jnlp() {

    b64_user=$(echo -n "$user" | base64 -w0 | sed -e 's/=/%3D/g;s/+/%2B/g')
    b64_pass=$(echo -n "$pass" | base64 -w0 | sed -e 's/=/%3D/g;s/+/%2B/g')
    if curl --fail -sk --cookie-jar "$temp" -XPOST "$url/cgi/login.cgi" \
          --data "name=$b64_user&pwd=$b64_pass&check=00" -o/dev/null; then
        launch_jnlp=$(curl --fail -sk --cookie "$temp" \
        test $? -eq 0 && fail=
    rm "$temp"
    test -z "$fail" && echo "$launch_jnlp"
# SYNOPSIS: get_launch_jnlp 10.x.x.x USERNAME PASSWORD

And that launch.jnlp file will look somewhat like this:

<jnlp spec="1.0+" codebase="http://10.x.x.x:80/">
    <title>ATEN Java iKVM Viewer</title>
    <description>Java Web Start Application</description>


    <property name="jnlp.packEnabled" value="true"/>
    <j2se version="1.6.0+" initial-heap-size="128M"
      max-heap-size="128M" java-vm-args="-XX:PermSize=32M -XX:MaxPermSize=32M"/>
    <jar href="iKVM__V1.69.39.0x0.jar" download="eager" main="true"/>

<!-- ... -->

  <resources os="Linux" arch="amd64">
    <nativelib href="liblinux_x86_64__V1.0.12.jar" download="eager"/>

<!-- ... -->

  <application-desc main-class="">
    <!-- arguments 0..9 -->

    <!-- arguments 10..21 -->
    <argument>10.x.x.x</argument><!-- 10 management_ip -->
    <argument>otherUserName</argument><!-- 11 username -->
    <argument>otherPassWord</argument><!-- 12 password -->
    <argument>null</argument><!-- 13 hostname (unused) -->
    <argument>63630</argument><!-- 14 non-tunnel KVM port -->
    <argument>63631</argument><!-- 15 non-tunnel VM port -->
    <argument>0</argument><!-- 16 companyId? -->
    <argument>0</argument><!-- 17 boardId? -->
    <argument>1</argument><!-- 18 use TLS tunnel -->
    <argument>5900</argument><!-- 19 remote KVM port -->
    <argument>623</argument><!-- 20 remote VM port -->
    <argument>1</argument><!-- 21 VM/USB service -->

Using the socat trick as mentioned above works when supplying these emphemeral otherUserName and otherPassWord to the old iKVM.jar as seen in the ipmikvm (2019) script.

However, getting the Virtual Storage to work was less trivial than simply setting up a second socat (with forking mode, needed because the Java iKVM will connect to it multiple times):

socat "TCP4-LISTEN:$sport,bind=,fork" "OPENSSL:$dhost:$dport,$crtopt"

That did not do the trick. Instead, it rained Close Socket Beause Socket Pipe is broken errors.

Luckily there is a better way: fetch the new Java application from the SuperMicro management interface directly, and use that.

Fetching the Java Web Start application

If we take the URLs from the launch.jnlp above, we get:


However, it is jnlp.packEnabled packed, so it becomes:


Fetching those:

$ for x in iKVM__V1.69.39.0x0.jar liblinux_x86_64__V1.0.12.jar; do
     curl -o $x.pack.gz http://10.x.x.x:80/$x.pack.gz

$ for x in *.pack.gz; do unpack200 $x ${x%.pack.gz}; done

$ ls -l
total 7968
-rw-r--r-- 1 walter walter 3985027 feb 12 16:21 iKVM__V1.69.39.0x0.jar
-rw-r--r-- 1 walter walter 3811134 feb 12 16:20 iKVM__V1.69.39.0x0.jar.pack.gz
-rw-r--r-- 1 walter walter  178685 feb 12 16:21 liblinux_x86_64__V1.0.12.jar
-rw-r--r-- 1 walter walter  178699 feb 12 16:20 liblinux_x86_64__V1.0.12.jar.pack.gz

(Seriously? Why bother packing it?)

$ unzip liblinux_x86_64__V1.0.12.jar
Archive:  liblinux_x86_64__V1.0.12.jar
  inflating: META-INF/SMCCERT2.SF
  inflating: META-INF/SMCCERT2.RSA

$ rm -rf META-INF

Alright! Now we have everything we need. (It needs the in the current path.)

$ java -cp iKVM__V1.69.39.0x0.jar
no iKVM64 in java.library.path

$ java -Djava.library.path=. -cp iKVM__V1.69.39.0x0.jar

$ java -Djava.library.path=. -cp iKVM__V1.69.39.0x0.jar \
  1 2 3 4

Interesting. Somehow that help text did not keep up with development.

$ java -Djava.library.path=. -cp iKVM__V1.69.39.0x0.jar \
  $(seq 10) 10 11 12 13
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 14

$ java -Djava.library.path=. -cp iKVM__V1.69.39.0x0.jar \
  $(seq 10) 10 11 12 13 14
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 15

$ java -Djava.library.path=. -cp iKVM__V1.69.39.0x0.jar \
  $(seq 10) 10 11 12 13 14 15
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 21

Ok, ok, I get it! All arguments it is…

(Full disclosure: decompiling KVMMain.class from iKVM__V1.69.39.0x0.jar helped in determining the arguments seen in the annotated xml above.)

So, connecting to the KVM then becomes something like this:

exec_ikvm_tls2020() {
    # If you look at the (decompiled) source, you'll notice that the
    # two local ports (65534 65535) get replaced, and the two remote ports
    # are set to default (5900 623). We'll set them here in case an updated
    # jar file fixes it.
    # Additionally, if you set use_tls (argument 18) to 0, the code
    # path simply ends. So we cannot use this one to connect to older
    # plain iKVM interfaces.
    exec java -Djava.library.path="$(dirname "$jar")" \
      -cp "$jar" \
      0 1 2 3 4 5 6 7 8 9 \
      "$management_ip" "$user" "$pass" null 65534 65535 0 0 1 5900 \
      623 1
# SYNOPSIS: exec_ikvm_tls2020 10.x.x.x KVM_USERNAME KVM_PASSWORD

Combined with the code that fetched the JNLP, and the java application, we’ll end up with something like this:
ipmikvm-tls2020 (see also: ossobv/vcutil on GitHub).

Back to overview Newer post: saltstack / printf IO-error / debianutils / which Older post: openssl / sign / subject alternative names