Hi all,
The Supermicro IPMI is a constant source of both conveniences and inconveniences.
Here are 2 problems that I've encountered lately, including workarounds. If you've got a better fix, please share.
The board in question is an X11 ssi-ln4f, with BMC firmware 1.48.
1. Java Web Start iKVM failure:
If I access IPMI through a DNS name, for example: ipmi.admin.mynet, and try to start up the Java KVM, then the jnlp file created by IPMI doesn't get the server IP address properly populated. There's an argument tag set in the jnlp file that's left blank.
Workaround #1: If you edit the downloaded jnlp file and add the server address to the appropriate argument tag set, then it will work in Java Web Start.
Workaround #2: Use the HTML5 iKVM (but you cannot mount virtual drives from this - handy for OS install).
Workaround #3: Access your IPMI using the numeric address. Then Java Web Start KVM works for me.
Any other ideas?
2. SSL cert with an intermediate certificate.
I'm using my pfSense router to provide certs for all of my internal servers. I've got the master certificate self-signed and used it to sign an intermediate certificate. I imported the master certificate to my laptop's trusted list. I've created a server cert for the IPMI function on the board. First, make sure to use the defaults from the pfSense GUI - when I used stronger cryptography, I think the IPMI choked on it.
Problem: If I sign it with my intermediate certificate, my web browser (Chrome) won't show the server as trusted. This happened even if I export the full chain of trust in the server cert file and upload that to the IPMI board (I used openssl to convert the p12 file to a text cert file with the intermediate cert in there).
Workaround: If I sign it with the master certificate, it does show as trusted.
I thought it was best practice to have an intermediate cert and use that for all server sign-offs. Or am I doing certificates wrong?
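
One thing to check for problem 2, as an added example that is not part of the original post: a client that trusts only the root can validate a leaf signed by an intermediate only when the server also presents the intermediate in its handshake. The sketch builds a throwaway root, intermediate and leaf with openssl (all names and paths are constructed) and verifies the leaf both ways; whether this BMC firmware actually sends an uploaded intermediate is an assumption to test, not something the post establishes.

```shell
#!/bin/sh
# Constructed lab PKI (throwaway keys): root -> intermediate -> leaf.
# Names and temp-dir layout are assumptions made for this sketch.

mkcsr() {  # mkcsr <dir> <name> <CN>: new key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_chain() {  # build_chain <dir>
  d=$1
  printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=CA:FALSE' \
    'subjectAltName=DNS:ipmi.admin.mynet' > "$d/ext.cnf"
  mkcsr "$d" root "Lab Root" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ext.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
  mkcsr "$d" inter "Lab Intermediate" &&
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions ca \
    -out "$d/inter.pem" 2>/dev/null &&
  mkcsr "$d" leaf "ipmi.admin.mynet" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions leaf \
    -out "$d/leaf.pem" 2>/dev/null
}

# Client trusts only the root; the server sent only its leaf certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Same trust store, but the server also sent the intermediate (untrusted input).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" >/dev/null 2>&1
}

demo() {
  t=$(mktemp -d) || return 1
  build_chain "$t" || { rm -rf "$t"; return 1; }
  verify_leaf_only "$t" && a=trusted || a=untrusted
  verify_with_intermediate "$t" && b=trusted || b=untrusted
  rm -rf "$t"
  echo "leaf-only=$a leaf+intermediate=$b"
}

demo
```

To see which certificates a server really sends, `openssl s_client -connect <host>:443 -showcerts` prints every certificate in the handshake; a single certificate there means the intermediate is not being served.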