Ever try to launch a Java web application like iKVM/ Virtual KVM and get an error message: Java Application Blocked, Application Blocked by Java Security? This quick guide will show you how to fix that issue. We are going to use a Dell PowerEdge C6220 node to show how to fix this and get to work in a matter of seconds. Although we are using a server application to demonstrate this technique, it will work for other applications where a similar issue is present.
Why am I getting the Java Application Blocked, Application Blocked by Java Security warning?
The error is likely happening (especially for server administrators) due to the Java application having a self-signed certificate. On older generations of servers, before IPMI security was seen as a major issue, it was common practice for server vendors to self-sign IPMI certificates. Since then two things have happened. First, Oracle began blocking self-signed certificates in standard security settings. This change is why there are so many servers out there still with this issue. Second, most servers/ server vendors have released patches with properly signed certificates. These patches require IPMI firmware to be upgraded which can be risky on a remote installation. Not all vendors have updated firmware available to fix this issue. Also, flashing a failed baseboard management controller (BMC) firmware flash means the BMC may become unresponsive.
The real fix is to upgrade the BMC firmware or whatever Java application you are trying to run. If this is not possible here is the workaround.
How to workaround the Application Blocked by Java Security issue
To demonstrate the issue, we are using one of our Dell PowerEdge C6220 nodes which has an older self-signed Java application certificate. We navigate to Server Information -> vKVM and vMedia -> Launch via the Web GUI. One might notice this is not the standard iDRAC interface. The Dell PowerEdge C6220 was intended for cloud deployments and therefore came with a more industry standard Web IPMI interface. Form the appearance, we think it is running the Avocent BMC software.
When we click on Launch Java KVM Client (or Launch Java VM Client) we get the dreaded Java Application Blocked – Application Blocked by Java Security window. Click OK and let’s start to fix the issue.
The key here is to go to the Windows Control Panel and then navigate to Java (32-bit) or the Java Control Panel. On Windows 10 you can head to the search bar, start typing Java and you can go directly to the Java Control Panel.
Move to the Security tab. Lowering the security level to High will not fix this issue. Instead, under Exception Site List you can add the IP address or domain name of the IPMI interface you are trying to use. In our example the IP is 10.0.8.86. Sometimes to avoid future issues you may want to add both https and http versions of the machine name/ IP address to avoid potential future conflict. We have found a few machines that required both but most work with just https. You will need to hit OK on the Exception Site List and the Java Control Panel and you should be all set.
Now when we try to launch our application again we get Security Warning – Running this application may be a security risk. In most cases you should think about this prior to proceeding, but with server applications like this one, sometimes you just need the JNLP file to launch.
After clicking the I accept the risk and want to run this application checkbox, click run. You should see the Java application launch.
Final Words
This guide should take you only a few seconds to complete. For cases where you have one server or application that you need to immediately access, it works. On the other hand, when you switch PCs, it will not help. Likewise when you have to access multiple servers, you have to add multiple IPs to the site list (e.g. this Dell PowerEdge C6220 server has four nodes in the 2U chassis. One tip we have is that non-browser based Java application launchers (e.g. Supermicro IPMIview) do not require this workaround as they can launch the applications directly.
And this is why it would be great if these things used a standard protocol instead of these java abominations.
I use ASM7-IKVM on an ASUS P9D-C4/L motherboard and your workaround works great. I need to add both https and http versions of the machine name/IP address to make it work.
Thank you very much,
Daniel
Also worth adding here as above doesn’t always work.
For me it was a two step process. Absolutely do the above but make sure you upgrade the KVM to latest firmware otherwise it doesn’t work with latest java and you will get a “network error” on JAVA launch. Obvious I guess but I missed it.
i’ve seen all sort of hack firmwares for phones. unlocked modified bios for various motherboards. total conversion linux based firmware for wifi routers over the years. Makes you wonder if someone good at that kind of stuff could rework the software/firmware in these things!