After one of the JVM updates, my Belkin KVM (Remote IP Manager) started refusing to launch, showing a “Failed to validate certificate” error followed by “PKIX path validation failed”:
I found the following exceptions in the Java console:
    sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on disabled signature algorithm: MD5withRSA
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        ...
and
    com.sun.deploy.security.BlockedException: User has denied the privileges to the code
        at sun.plugin2.applet.Plugin2ClassLoader.getPermissions(Unknown Source)
        at sun.plugin2.applet.Applet2ClassLoader.getPermissions(Unknown Source)
        at java.security.SecureClassLoader.getProtectionDomain(SecureClassLoader.java:206)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:467)
        ...
Google says that this is a pretty common problem and returned plenty of recipes for fixing it.
A scan of the system for java.security files turns up four candidates. However, there is a catch: the file to change is not the one in a system-wide JVM location but the one belonging to the Java plugin of the web browser you’re using (Safari on macOS in my case).
    Jareks-MacBook-Pro:~ jhartman$ locate java.security
    /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
    /Library/Java/JavaVirtualMachines/1.6.0.jdk/Contents/Home/lib/security/java.security
    /Library/Java/JavaVirtualMachines/jdk1.8.0_102.jdk/Contents/Home/jre/lib/security/java.security
    /Library/Java/JavaVirtualMachines/jdk1.8.0_45.jdk/Contents/Home/jre/lib/security/java.security
So we can skip the last three locations and just focus on the first one. Change the two properties as shown below, so that MD5 is no longer listed in jdk.certpath.disabledAlgorithms:
    Jareks-MacBook-Pro:~ jhartman$ edit "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security"

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256, \
        DSA keySize < 1024, EC keySize < 224
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768, \
        EC keySize < 224
Save and restart the browser (Safari). This time the KVM applet can start (after plenty of security warnings though).
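To keep track of which of the java.security files found by locate carry this relaxation (and to spot it again after a Java update or when it should be reverted), the following added example, which is not part of the original post, joins the backslash-continued value of jdk.certpath.disabledAlgorithms and reports whether MD5 is still disabled and what the RSA key-size floor is. The function names, the two sample files and the 1024-bit reference floor are assumptions made for the illustration.

```shell
#!/bin/sh
# Print the value of one java.security property, joining "\" continuation lines.
prop_value() {  # usage: prop_value FILE KEY
    awk -v key="$2" '
        !cont && /^[ \t]*#/ { next }              # comment line outside a value
        cont || index($0, key "=") == 1 {
            line = $0
            if (!cont) line = substr(line, length(key) + 2)
            cont = (line ~ /\\$/)                 # value continues on next line?
            sub(/\\$/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            val = val (val == "" ? "" : " ") line
            if (!cont) { result = val; val = "" } # last definition wins
        }
        END { print result }' "$1"
}

# Flag the two relaxations made on this page: MD5 missing from the certpath
# list, and an RSA key-size floor below 1024 bits (assumed reference value).
audit_java_security() {  # usage: audit_java_security FILE
    v=$(prop_value "$1" jdk.certpath.disabledAlgorithms |
        sed 's/[[:space:]]*,[[:space:]]*/,/g')
    findings=""
    case ",$v," in
        *",MD5,"*) ;;
        *) findings="md5-allowed" ;;
    esac
    rsa=$(printf '%s\n' "$v" | sed -n 's/.*RSA keySize < \([0-9][0-9]*\).*/\1/p')
    if [ -z "$rsa" ] || [ "$rsa" -lt 1024 ]; then
        findings="${findings:+$findings }rsa-floor-${rsa:-none}"
    fi
    echo "${findings:-ok}"
}

# Constructed sample files (not copied from a real JRE).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/stock.security" <<'EOF'
# constructed sample: MD5 still disabled
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
EOF
cat > "$tmp/edited.security" <<'EOF'
# constructed sample: the value written on this page
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256, \
    DSA keySize < 1024, EC keySize < 224
EOF
for f in "$tmp"/*.security; do
    echo "$(basename "$f"): $(audit_java_security "$f")"
done
```

Pointing audit_java_security at each path from the locate output shows at a glance that only the browser plugin's copy was relaxed.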
Update
The application also has to be white-listed; otherwise it will generate the error below:
Open System Preferences, go to the Java settings and add the IP address of your KVM to the list:
Add the following:
Again: save and restart your browser.
Update 2
Another security exception is required (after one of the Java 8 updates):
    RFB: trying JSSE15-SSL connection to 192.168.1.111:444
    RFB: JSSE15-SSL connect: java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessClassInPackage.com.sun.deploy.security")
    RFB: JSSE15-SSL connection FAILED to 192.168.1.111:444
    RFB: trying connection to 192.168.1.111:444
    network: Cache entry not found [url: http://192.168.1.111:444/crossdomain.xml, version: null]
    network: Connecting http://192.168.1.111:444/crossdomain.xml with proxy=DIRECT
    network: Connecting http://192.168.1.111:444/ with proxy=DIRECT
    network: Connecting http://192.168.1.111:444/crossdomain.xml with cookie "pp_session_id=74CE00A4735D02A0EE36BFA24EC6335837A2B97F0D6BF02E1D081BB6DA783C13"
    network: Connecting http://192.168.1.111:444/ with proxy=DIRECT
    java.net.SocketException: Unexpected end of file from server
        at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:851)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678)
        at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:848)
        at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:678)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1587)
        at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1484)
        at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1482)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1481)
        at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
        at com.sun.deploy.net.CrossDomainXML.check(Unknown Source)
        at sun.plugin2.applet.SecurityManagerHelper.checkConnectHelper(Unknown Source)
        at sun.plugin2.applet.AWTAppletSecurityManager.checkConnect(Unknown Source)
        at java.net.Socket.connect(Socket.java:584)
        at java.net.Socket.connect(Socket.java:538)
        at java.net.Socket.<init>(Socket.java:434)
        at java.net.Socket.<init>(Socket.java:211)
        at nn.pp.rc.aw.if(Unknown Source)
        at nn.pp.rc.aw.g(Unknown Source)
        at nn.pp.rc.ac.case(Unknown Source)
        at nn.pp.rc.aj.run(Unknown Source)
Edit this config file:
MBP:~ jhartman$ edit "/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.policy"
Add this line within the grant { }; section:
    // KVM permission
    permission java.net.SocketPermission "192.168.1.111:444", "connect, accept";