The DRAC5 is a remote access card, letting you control a server such as the PowerEdge 300. With it, you can simulate physical access to the machine, viewing the screen on boot, entering commands and cycling power.
Unfortunately, Dell has neglected this aging product. Trying to use it today will lead to errors in modern browsers and Java implementations. Fortunately, they can be worked around.
Clear space on the DRAC5
Before getting started, we want to ensure there is sufficient free space on the remote access card. If there is not sufficient space, the card will fail in strange ways (such as the web interface not loading).
Log in to the remote access card using SSH. Clear the logs:
racadm clrraclog
Restart the device:
racadm racreset
Update the DRAC5 firmware
Download version 1.65 of the firmware. Get the “hard drive” update package. If you’re on a Mac or Linux, you can decompress the .exe with the unzip command:
unzip f_drac5v165_A00.exe
You’ll get one file: firmimg.d5.
- Go to the web interface for your DRAC5.
- Enter your username and password. Click OK.
- On the left-hand side menu, click Remote Access.
- Click Choose File. Select firmimg.d5.
- Click Update.
- Wait for the update to complete and the DRAC card to reboot.
Install a TLS (SSL) certificate
Before you can install a certificate, you need to create a Certificate Signing Request (CSR). By default the Dell DRAC5 uses short, less secure keys for its certificates. This can be fixed with a CLI command.
Log in to the DRAC5 using SSH. Run the following:
racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048
You should see:
Object value modified successfully
Now, let’s generate a CSR, then obtain and install the certificate:
- Go to the web interface for your DRAC5.
- Enter your username and password. Click OK.
- On the left-hand side menu, click Remote Access.
- Click the Configuration tab.
- Click SSL.
- “Generate a New Certificate Signing Request (CSR)” will be selected. Click Next.
- Fill out the form and click Generate.
- A file named csr.txt will download. Open it up. It will start with -----BEGIN CERTIFICATE REQUEST-----. Ensure the next line starts with MIIC, indicating a 2048-bit key. (If it starts with MIIB, you have a 1024-bit key, and need to run the racadm config command again.)
- Go to sslforfree.com. This will let you get a certificate using Let’s Encrypt without having to run your own website.
- Enter the hostname of your DRAC5 card. Click Create Free SSL Certificate.
- Click Manual Verification (DNS).
- Click Manually Verify Domain.
- Add the TXT record they specify.
- Verify the TXT record.
- Check the “I Have My Own CSR” box.
- Read the warning and click OK.
- Paste the contents of csr.txt into the text field.
- Click “Download SSL Certificate.”
- Click “Download All SSL Certificate Files.” A file named sslforfree.zip will be downloaded.
- Create an account to get reminded by SSLForFree when the certificate expires (in 90 days).
- Unzip sslforfree.zip. You’ll see three files: private.key, ca_bundle.crt and certificate.crt.
- Repeat steps 1-5 above.
- Click Upload Server Certificate. Click Next.
- Click Choose File. Select certificate.crt.
- Click Apply. You should see:
The certificate was uploaded successfully. The DRAC will now reset and the browser will close. Wait for a few minutes before logging back into the DRAC
- Click OK.
- Wait for DRAC card to reboot.
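The MIIC/MIIB prefix in csr.txt only encodes the overall length of the request (512 to 767 bytes for MIIC, 256 to 511 for MIIB), so it is an indirect signal of key size. The following added example, which is not part of the original post, reads the RSA modulus out of the CSR and reports its exact size; `constructed_csr` builds dummy, unsigned sample requests with a placeholder hostname so the check can be run offline.

```python
import base64

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                  # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def kids(buf, start, end):
    """List the DER elements packed back to back in buf[start:end]."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def csr_rsa_bits(pem):
    """Exact RSA modulus size, in bits, of a PEM-encoded PKCS#10 request."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.strip().startswith("-----")))
    _, s, e = tlv(der, 0)                         # CertificationRequest
    _, s, e = kids(der, s, e)[0]                  # CertificationRequestInfo
    _, s, e = kids(der, s, e)[2]                  # version, subject, [subjectPKInfo]
    _, s, e = kids(der, s, e)[1]                  # algorithm, [subjectPublicKey BIT STRING]
    _, s, e = tlv(der, s + 1)                     # skip unused-bits byte: RSAPublicKey
    tag, s, e = kids(der, s, e)[0]                # modulus INTEGER
    if tag != 0x02:
        raise ValueError("subjectPublicKey is not an RSA key")
    return int.from_bytes(der[s:e], "big").bit_length()

def enc(tag, val):
    """DER-encode one element; only used to build the constructed sample."""
    n, k = len(val), (len(val).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + val

def constructed_csr(bits):
    """CSR-shaped sample: dummy modulus, all-zero signature (constructed, not a real request)."""
    mod = enc(0x02, b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big"))
    alg = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d010101")) + enc(0x05, b""))
    spki = enc(0x30, alg + enc(0x03, b"\x00" + enc(0x30, mod + enc(0x02, b"\x01\x00\x01"))))
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, b"\x55\x04\x03") + enc(0x0C, b"drac.example.test"))))
    cri = enc(0x30, enc(0x02, b"\x00") + name + spki + enc(0xA0, b""))
    der = enc(0x30, cri + alg + enc(0x03, bytes(1 + bits // 8)))  # alg reused as placeholder sigAlg
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    print({bits: csr_rsa_bits(constructed_csr(bits)) for bits in (1024, 2048)})
```

For the file the DRAC5 produced, call `csr_rsa_bits(open("csr.txt").read())` and expect 2048 before submitting the request.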
Downgrade Java security to allow remote access
Modern Java implementations disable older encryption algorithms. Unfortunately, because the DRAC5 does not support modern encryption, you need to manually enable these older methods to use the DRAC5 remote console.
To do this, you need to edit the java.security text file. Its location will vary depending on which version of Java you have installed.
On macOS, you will find it in Internet Plug-Ins:
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/conf/security/java.security
The path will vary depending on your version of Java. Java 9.0.4+11 uses conf/security/java.security.
Edit this file. Comment out two settings by adding a # at the beginning of each of their lines.
Change:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40
To:
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# EC keySize < 224, DES40_CBC, RC4_40
Change:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
To:
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
Remember to uncomment those lines when you’re done with the DRAC5 remote console.
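While both properties are commented out, that Java installation applies no TLS or certificate-path algorithm restrictions to any connection, not only to the DRAC5, so it is worth checking that the file has been restored. The following added example, which is not part of the original post, parses a java.security file and lists which of the two properties are currently not enforced; the sample text is constructed from the two forms shown above, and the parser assumes the `key=value` layout with backslash continuations used in that file.

```python
WATCHED = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms")

def audit_java_security(text):
    """Map each watched property to its list of active entries, or None if it is not in force."""
    state = dict.fromkeys(WATCHED)
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#!":
            continue                       # a comment never continues, even if it ends in "\"
        while line.endswith("\\"):         # join continuation lines (simplified Properties rule)
            line = line[:-1] + next(lines, "").strip()
        key, _, value = line.partition("=")
        if key.strip() in state:
            state[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return state

def unrestricted(text):
    """Names of watched properties that are commented out, absent or empty."""
    return [name for name, entries in audit_java_security(text).items() if not entries]

# Constructed samples: the stock lines and the commented-out form from the article.
STOCK = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""
EDITED = "\n".join("#" + l if l else l for l in STOCK.splitlines())

if __name__ == "__main__":
    import sys
    # Pass the path to java.security as the first argument; falls back to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else EDITED
    for name in unrestricted(text):
        print("NOT ENFORCED:", name)
```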
Add Security Exceptions
- Go to System Preferences > Java
- In the Java Control Panel, click the Security tab
- Click “Edit Site List”
- Add both https://hostname and http://ipaddress
- Click OK
- Click OK
Access remote console
- Go to the web interface for your DRAC5.
- Enter your username and password. Click OK.
- Click the Console tab.
- Click Connect. A file named vkvm.jnlp will download.
- In Terminal, type javaws vkvm.jnlp.
Paul,
Thanks for this blog.
Is there a way to do step 10 without a domain name? I’m behind a NAT with no internal DNS. Does a cert require a world-accessible domain name?
Thanks,
John
1. Buy a domain name and point it somewhere.
2. Get a certificate and install it on your Dell server.
3. Edit your /etc/hosts file and point your internal IP at that hostname.
Or use a “fake” domain like idrac.company.local or wildcard for that –> *.company.local; you could get that if you make your own CA (Certificate Authority).
Or you can use portable Firefox and Java.
Works Fine.
No conf needed