Belkin KVM: Falied to validate certificate

After one of JVM updates, my Belkin KVM (Remote IP Manager) has started refusing to start with “Falied to validate certificate” error followed by “PKIX path validation failed”:

I’ve found following exceptions in Java console:

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
 at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
 at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
...

 

and

com.sun.deploy.security.BlockedException: User has denied the privileges to the code
 at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
 at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
 at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:206)
 at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
 at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
...

 

Google says that this is pretty common problem and returned plenty of receipts how to fix it.

Scanning the system for potential locations of the java.security file, there are four candidates. However, there is a catch: we should fix Java not in the system-wide location but the Java plugin for the web browser you’re using (Safari on MacOS in my case).

Jareks-MacBook-Pro:~ jhartman$ locate java.security
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
/Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/java.security
/Library/Java/JavaVirtualMachines/jdk1.8.0_102.jdk/Contents/Home/jre/lib/security/java.security
/Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/java.security

 

So we can skip the last three locations and just focus on the 1st one. Change the lines as described

Jareks-MacBook-Pro:~ jhartman$ edit "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256, \
 DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
 EC keySize < 224

 

Save and restart the browser (Safari). This time the KVM applet can start (after plenty of security warnings though).

Update

The application has to be also white-listed, otherwise it will generate error as below:

Open System Preferences, Java settings and add IP address of your KVM to the list:

Add following:

Again: save and restart your browser.

Update 2

Another security exception is required (after one of Java 8 updates):

RFB: trying JSSE15-SSL connection to 192.168.1.111:444
RFB: JSSE15-SSL connect: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.deploy.security")
RFB: JSSE15-SSL connection FAILED to 192.168.1.111:444
RFB: trying connection to 192.168.1.111:444
network: Cache entry not found [url: http://192.168.1.111:444/crossdomain.xml, version: null]
network: Connecting http://192.168.1.111:444/crossdomain.xml with proxy=DIRECT
network: Connecting http://192.168.1.111:444/ with proxy=DIRECT
network: Connecting http://192.168.1.111:444/crossdomain.xml with cookie "pp_session_id=74CE00A4735D02A0EE36BFA24EC6335837A2B97F0D6BF02E1D081BB6DA783C13"
network: Connecting http://192.168.1.111:444/ with proxy=DIRECT
java.net.SocketException: Unexpected end of file from server
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:851)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678)
at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:848)
at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1484)
at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1482)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1481)
at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
at java.net.Socket.connect(Socket.java:584)
at java.net.Socket.connect(Socket.java:538)
at java.net.Socket.<init>(Socket.java:434)
at java.net.Socket.<init>(Socket.java:211)
at nn.pp.rc.aw.if(Unknown Source)
at nn.pp.rc.aw.g(Unknown Source)
at nn.pp.rc.ac.case(Unknown Source)
at nn.pp.rc.aj.run(Unknown Source)

 

Edit this config file:

MBP:~ jhartman$ edit "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.policy"

Add this line within the grant { }; section:

// KVM
permission java.net.SocketPermission "192.168.1.111:444", "connect, accept";
Belkin KVM: Falied to validate certificate
Tagged on:

Leave a Reply

Your email address will not be published. Required fields are marked *