Using a Dell DRAC5 with a modern browser and OS

The DRAC5 is a remote access card, letting you control a server such as the PowerEdge 300. With it, you can simulate physical access to the machine, viewing the screen on boot, entering commands and cycling power.

Unfortunately, Dell has neglected this aging product. Trying to use it today will lead to errors in modern browsers and Java implementations. Fortunately, they can be worked around.

Clear space on the DRAC5

Before getting started, we want to ensure there is sufficient free space on the remote access card. If there is not sufficient space, the card will fail in strange ways (such as the web interface not loading).

Log in to the remote access card using SSH. Clear the logs:

racadm clrraclog

Restart the device:

racadm racreset

Update the DRAC5 firmware

Download version 1.65 of the firmware. Get the “hard drive” update package. If you’re on a Mac or Linux, you can decompress the .exe with the unzip command:

unzip f_drac5v165_A00.exe

You’ll get one file: firmimg.d5.

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click Choose File. Select firmimg.d5.
  5. Click Update.
  6. Wait for the update to complete and the DRAC card to reboot.

Install a TLS (SSL) certificate

Before you can install a certificate, you need to create a Certificate Signing Request (CSR). By default the Dell DRAC5 uses short, less secure keys for its certificates. This can be fixed with a CLI command.

Log in to the DRAC5 using SSH. Run the following:

racadm config -g cfgRacSecurity -o cfgRacSecCsrKeySize 2048

You should see:

Object value modified successfully

Now, let’s generate a CSR, then obtain and install the certificate:

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. On the left-hand side menu, click Remote Access.
  4. Click the Configuration tab.
  5. Click SSL.
  6. “Generate a New Certificate Signing Request (CSR)” will be selected. Click Next.
  7. Fill out the form and click Generate.
  8. A file named csr.txt will download. Open it up. It will start with -----BEGIN CERTIFICATE REQUEST-----. Ensure the next line starts with MIIC, indicating a 2048-bit key. (If it starts with MIIB, you have a 1024-bit key, and need to run the racadm config command again.)
  9. Go to sslforfree.com. This will let you get a certificate using Let’s Encrypt without having to run your own website.
  10. Enter the hostname of your DRAC5 card. Click Create Free SSL Certificate.
  11. Click Manual Verification (DNS).
  12. Click Manually Verify Domain.
  13. Add the TXT record they specify.
  14. Verify the TXT record.
  15. Check the “I Have My Own CSR” box.
  16. Read the warning and click OK.
  17. Paste the contents of csr.txt into the text field.
  18. Click “Download SSL Certificate.”
  19. Click “Download All SSL Certificate Files.” A file named sslforfree.zip will be downloaded.
  20. Create an account to get reminded by SSLForFree when the certificate expires (in 90 days).
  21. Unzip sslforfree.zip. You’ll see three files:

    private.key
    ca_bundle.crt
    certificate.crt

  22. Repeat steps 1-5 above.
  23. Click Upload Server Certificate. Click Next.
  24. Click Choose File. Select certificate.crt.
  25. Click Apply. You should see:

    The certificate was uploaded successfully. The DRAC will now reset and the browser will close. Wait for a few minutes before logging back into the DRAC

  26. Click OK.
  27. Wait for the DRAC card to reboot.
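
The MIIC/MIIB check in step 8 works because those four characters are the Base64 form of the DER header, which carries the total length of the request. As an added example (not part of the original post), the Python below reads the exact RSA modulus size out of a CSR instead of inferring it from that prefix. The function names and the sample requests are constructed here: sample_csr builds a structurally correct request with a zeroed signature for the hypothetical host drac.example.com.

```python
import base64

def tlv(tag, value):
    """DER-encode one element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def csr_rsa_bits(pem):
    """Exact RSA modulus size, in bits, of a PEM-encoded PKCS#10 request."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, p, _ = read_tlv(der, 0)             # CertificationRequest
    _, p, _ = read_tlv(der, p)             # CertificationRequestInfo
    _, _, p = read_tlv(der, p)             # version (skipped)
    _, _, p = read_tlv(der, p)             # subject (skipped)
    _, p, _ = read_tlv(der, p)             # SubjectPublicKeyInfo
    _, _, p = read_tlv(der, p)             # algorithm identifier (skipped)
    _, p, _ = read_tlv(der, p)             # BIT STRING holding the key
    _, p, _ = read_tlv(der, p + 1)         # RSAPublicKey, after the unused-bits byte
    tag, start, end = read_tlv(der, p)     # modulus INTEGER
    if tag != 0x02:
        raise ValueError("not an RSA public key")
    return int.from_bytes(der[start:end], "big").bit_length()

def sample_csr(bits):
    """Constructed CSR skeleton (zeroed signature) with a `bits`-bit modulus."""
    oid = lambda hexstr: tlv(0x06, bytes.fromhex(hexstr))
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    key = tlv(0x30, tlv(0x02, modulus) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, tlv(0x30, oid("2a864886f70d010101") + tlv(0x05, b"")) + tlv(0x03, b"\x00" + key))
    name = tlv(0x30, tlv(0x31, tlv(0x30, oid("550403") + tlv(0x0C, b"drac.example.com"))))
    info = tlv(0x30, tlv(0x02, b"\x00") + name + spki + tlv(0xA0, b""))
    sig_alg = tlv(0x30, oid("2a864886f70d01010b") + tlv(0x05, b""))
    body = base64.encodebytes(tlv(0x30, info + sig_alg + tlv(0x03, bytes(bits // 8 + 1)))).decode()
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}-----END CERTIFICATE REQUEST-----\n"

if __name__ == "__main__":
    for bits in (1024, 2048):
        print(bits, sample_csr(bits).splitlines()[1][:4], csr_rsa_bits(sample_csr(bits)))
```

To check the file downloaded in step 7, pass its contents to csr_rsa_bits; the result should be 2048 before the request is submitted for signing.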

Downgrade Java security to allow remote access

Modern Java implementations disable older encryption algorithms. Unfortunately, because the DRAC5 does not support modern encryption, you need to manually enable these older methods to use the DRAC5 remote console.

To do this, you need to edit the java.security text file. Its location will vary depending on which version of Java you have installed.

On macOS, you will find it in Internet Plug-Ins:

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security/java.security
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/conf/security/java.security

The path will vary depending on your version of Java. Java 9.0.4+11 uses conf/security/java.security.

Edit this file. Comment out two settings by adding a # at the beginning of each of their lines.

Change:

jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, DES40_CBC, RC4_40

To:

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# EC keySize < 224, DES40_CBC, RC4_40

Change:

jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

To:

#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

Remember to uncomment those lines when you’re done with the DRAC5 remote console.
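
A check for that reminder, as an added example (not part of the original post): it parses java.security text using simplified Java properties-file rules and reports whether the two settings are active. The names audit and active_properties are chosen here, and the sample text is constructed from the entries shown above.

```python
import re

WATCHED = ("jdk.tls.disabledAlgorithms", "jdk.certpath.disabledAlgorithms")

def active_properties(text):
    """Return {key: value} for the active entries of java.security-style text.
    Simplified java.util.Properties rules: '#'/'!' comment lines, backslash continuations."""
    props, logical, continuing = {}, "", False
    for raw in text.splitlines():
        line = raw.lstrip()
        if not continuing and (not line or line[0] in "#!"):
            continue                       # blank or comment; a comment never continues
        trailing = len(line) - len(line.rstrip("\\"))
        continuing = trailing % 2 == 1     # odd count: the last backslash joins the next line
        logical += line[:-1] if continuing else line
        if not continuing:
            match = re.match(r"([^\s=:]+)\s*[=:]?\s*(.*)", logical)
            if match:
                props[match.group(1)] = match.group(2)
            logical = ""
    return props

def audit(text):
    """Map each watched setting to its active value, or None if it is switched off."""
    props = active_properties(text)
    return {name: props.get(name) for name in WATCHED}

# Constructed samples: the stock entries shown on this page, and the TLS entry
# with only its first line commented out.
STOCK = r"""
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
"""
HALF_COMMENTED = r"""
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
    EC keySize < 224, DES40_CBC, RC4_40
"""

if __name__ == "__main__":
    for label, text in (("stock", STOCK), ("half-commented", HALF_COMMENTED)):
        print(label, audit(text), sorted(active_properties(text)))
```

A None in the result means that restriction is still switched off in the file. The half-commented sample shows why both lines of each entry get a #: the leftover continuation line is read as a stray property named EC.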

Add Security Exceptions

  1. Go to System Preferences > Java
  2. In the Java Control Panel, click the Security tab
  3. Click “Edit Site List”
  4. Add both https://hostname and http://ipaddress
  5. Click OK
  6. Click OK

Access remote console

  1. Go to the web interface for your DRAC5.
  2. Enter your username and password. Click OK.
  3. Click the Console tab.
  4. Click Connect. A file named vkvm.jnlp will download.
  5. In Terminal, type javaws vkvm.jnlp.

5 Comments

  1. Paul,

    Thanks for this blog.

    Is there a way to do step 10 without a domain name? I’m behind a NAT with no internal DNS. Does a cert require a world-accessible domain name?

    Thanks,
    John

  2. 1. Buy a domain name and point it somewhere.
    2. Get a certificate and install it on your Dell server.
    3. Edit your /etc/hosts file and point your internal IP at that hostname.

  3. Or use a “fake” domain like idrac.company.local or a wildcard for that –> *.company.local; you could get that if you make your own CA (Certificate Authority).
