After one of the JVM updates, my Belkin KVM (Remote IP Manager) started refusing to start, with a “Failed to validate certificate” error followed by “PKIX path validation failed”.
I found the following exceptions in the Java console:
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        ...

    com.sun.deploy.security.BlockedException: User has denied the privileges to the code
        at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
        at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:206)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
        ...
Google says that this is a pretty common problem and returned plenty of recipes for how to fix it.
Scanning the system for potential locations of the java.security file turns up four candidates. However, there is a catch: the file to fix is not one of the system-wide Java installations but the one belonging to the Java plugin of the web browser you’re using (Safari on macOS in my case).
    Jareks-MacBook-Pro:~ jhartman$ locate java.security
    /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
    /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/java.security
    /Library/Java/JavaVirtualMachines/jdk1.8.0_102.jdk/Contents/Home/jre/lib/security/java.security
    /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/java.security
So we can skip the last three locations and focus on the first one. Change the lines as described, so that MD5 is no longer in the list of disabled algorithms:
    Jareks-MacBook-Pro:~ jhartman$ edit "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256, \
        DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
        EC keySize < 224
Save and restart the browser (Safari). This time the KVM applet can start (after plenty of security warnings though).
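
Because the edit applies to every applet the browser plugin loads, it helps to be able to check which java.security files on a machine still list MD5 as disabled. The script below is an added example, not part of the original post: it parses `jdk.certpath.disabledAlgorithms` (including the backslash continuation) and reports each file; the function names are hypothetical and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.

# Print the value of property $2 from java.security-style file $1, joining
# backslash-continued lines (simplified: no escape-sequence handling).
get_prop() {
    awk -v key="$2" '
        {
            line = $0
            if (cont) { sub(/^[ \t]+/, "", line); buf = buf line }
            else if (line ~ /^[ \t]*[#!]/) { next }    # comment line
            else { buf = line }
            if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
            cont = 0
            eq = index(buf, "=")
            name = substr(buf, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (eq > 0 && name == key) { val = substr(buf, eq + 1) }  # last wins
        }
        END { print val }
    ' "$1"
}

# Exit 0 if algorithm $2 is an entry of jdk.certpath.disabledAlgorithms in $1.
algo_disabled() {
    get_prop "$1" jdk.certpath.disabledAlgorithms | tr ',' '\n' |
        awk -v a="$2" 'tolower($1) == tolower(a) { found = 1 } END { exit !found }'
}

# One status line per java.security file passed as an argument.
audit() {
    for f in "$@"; do
        if [ ! -r "$f" ]; then echo "SKIP  unreadable: $f"
        elif algo_disabled "$f" MD5; then echo "OK    MD5 rejected: $f"
        else echo "WEAK  MD5 accepted: $f"
        fi
    done
}

# Constructed samples: $1 gets the edited setting from the post, $2 a
# constructed list that still contains MD5.
write_samples() {
    printf '%s\n' '# constructed sample' \
        'jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256, \' \
        '    DSA keySize < 1024, EC keySize < 224' > "$1"
    printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024' > "$2"
}

if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Run it with the quoted paths returned by `locate java.security` as arguments; a `WEAK` line marks a file whose certificate path checks accept MD5-signed certificates.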