Introduction
I was in the process of setting up a new jump server, a management station virtual machine on Windows Server 2016 Hyper-V. The guest was also Windows Server 2016 (desktop install). That station needed to be used to manage some aging Brocade fibre channel switches. With the default settings and links this will give you some headaches, and some solutions require you to keep older and insecure browser or Java versions installed. We’ll show you how to get GUI access to your FC switches without needing to do that, so you can manage your Brocade Fibre Channel switch with recent Java & browser versions. Well, not all of them, but it can be done with IE 11 and Firefox 52.0.1 (at the time of writing).
Another solution, naturally, is to use the CLI.
Manage Your Brocade Fibre Channel Switch with recent Java & browser versions
It’s OK to use the most recent Java version available. At the moment that I wrote this blog post that was Java 1.8.0.121. I can’t give guarantees other than that, but for now that does work.
Instead of navigating via http or https to just the IP address, which will send you to https://x.x.x.x/switchexplorer, you need to create a shortcut link to the following: https://10.30.2.2/switchexplorer_installed.html (or http://10.30.2.2/switchexplorer_installed.html if you have not enabled https on your switch).
Like this:
I normally change the icon of the shortcut to indicate it’s pointing to a network device. I actually created some ico files based on an image of Brocade’s Fibre Channel switches that I use for this. I just place them under C:\Programdata\BrocadeFC for safe keeping, together with a copy of the shortcuts. On the management station, I add them to the desktop for easy access. Below is a screenshot of my Windows 10 or Windows Server 2016 (Desktop Experience) management station.
But we’re not there yet. You need to go to Java configuration and select the Security Tab. Make sure Enable Java Content in the browser is enabled. Leave the security at high but don’t forget to add the IP addresses of your Brocade switch to the Exception Site List.
You’ll need to add http or https or both depending on your situation. I think we can all agree we should go for https in this day and age.
In Firefox when you launch the shortcut you’ll get asked what app to use for opening this file.
Make sure you point it to javaws.exe (in C:\Program Files (x86)\Java\jre1.8.0_121\bin) if that’s not the case.
Also, check “Do this automatically for files like this from now on” for faster access during normal operations.
In Internet Explorer allow the add-on “Java SE Runtime Environment 8 Update 121 from Oracle America Inc.” to run.
When it comes to Chrome, this doesn’t work anymore. See https://www.java.com/en/download/faq/chrome.xml
When the application is launched, depending on the age of the fibre channel switch and the version of the firmware you’ll be greeted by a more or less harsh security warning.
Check the “I accept the risk and want to run this application” or “Do not show this again for this app from the publisher above” depending on the case. This also allows for easy access the next time you launch the shortcut. The app will launch and you’ll be greeted by the login screen.
Just log in and there’s nothing more to it. You can now manage your FC switches from Firefox again.
Hope this helps some of you out there that come across this issue.
Thank you
You are most welcome.
It works great for me. Thank you very much, I was dealing with this issue for a couple of days.
Great post!
Same principle can be applied to almost all old equipment/web interfaces with Java to circumvent using the browser. Saved me a lot of headache.
Thank you very much!
Thanks, I had this working with an old portable version of Firefox but IE 11 works and those links helped.
wow, this is the most detailed guide I ever had from web, thanks
You’re welcome. Additional tip: you can run an older version of Java side by side with the most recent one and select that for use when launching the Java applet.
Thanks – but got another error for me. After doing the above, enter admin and password to logon, it comes up with:
Exception encountered during initialization: com.brocade.web.secscan.SecureSANException: White space now allowed in headers: “User-Agent,AD Name,AD ID,Application,Authorization”
Clicking Ok to this the “initializing session…” box sits at 15% and no more.
Hi there,
Same problem here. Did you get a solution to resolve this ?
Exception encountered, etc…
Box sits at 15% and nothing else happens.
Thanks
I have two switches that use WebStart. I encountered the same error you reported (“Cannot grant permissions to unsigned jars.”) on my Brocade switch. I was able to resolve the problem.
My suggestion is to first install OpenWebStart since Java no longer implements WebStart in the newest releases and Java JRE. OpenWebStart will be further supported independently.
Download at: https://openwebstart.com
I also completely removed Java from my system, but it’s not necessary.
Even though OpenWebStart made my Voltaire switch load out of the box (when Java JRE would not), the Brocade switches still error because they employ very weakly encrypted certificates.
After installing OpenWebStart, to resolve:
(1) Launch Notepad as Administrator
(2) Open the file C:\Program Files\OpenWebStart\jre\lib\java.security
(3) Search (Edit > Find) for the string: jdk.certpath.disabledAlgorithms
(4) Remove MD5 and change RSA keySize to not-less-than 1023 (RSA keySize < 1023)
Before:
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
After:
(I commented out the original line and made modifications to the duplicate)
# Orig
#jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
# RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Custom
jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1023, DSA keySize < 1024, EC keySize < 224
(5) Search (Edit > Find…) for the string:
jdk.jar.disabledAlgorithms
(6) Repeat Step (4): Remove MD5 and change RSA keySize to not-less-than 1023 (RSA keySize < 1023)
After:
# Orig
#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
#
# Custom
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1023, DSA keySize < 1024
(1) New > Shortcut
(2) Paste into the location field:
"C:\Program Files\OpenWebStart\javaws.exe" http://192.168.1.2/switchexplorer_installed.html
Note: Change the IP and protocol to https as appropriate.
(3) Name your shortcut. I called mine Brocade 200E
(4) Launch your shortcut. Enjoy
Note to OP: Sorry, this resolution completely changes your instructions and makes them somewhat moot. But, because of your post, where I had no access to my switch with modern browsers and JRE versions – your steps led me in the direction of this resolution. Thanks. Also, feel free to post these instructions or modify them as you wish.
Cool. Thanks for sharing!
I am trying to apply this to different software. I’ve configured Java and added the exceptions. I am trying to follow the part at the beginning when you changed from one hyperlink to the same hyperlink with _installed added. Is that something specific for your hardware?
At this point I can get it to find the jar file and launch.. BUT the display that launches remains empty and I am not sure why
Yes, specific to (older) Brocades. Whatever you do, if using older SSL/TLS and ciphers, edit the security settings => you can remove the jdk.tls.disabledAlgorithms section in the java.security file (comment it out) or adjust it (versions, size).
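An added example, not part of the original post or its comments and not Brocade or OpenWebStart code: a small Python audit that parses a java.security file and reports where it is weaker than the "Orig" lines quoted in the OpenWebStart comment above, including a commented-out jdk.tls.disabledAlgorithms as mentioned in the reply just before this. The sample text is constructed from that comment's "Custom" lines; the function names and the SSLv3 value are assumptions for illustration.

```python
import re

BASELINE = {  # the "Orig" values quoted in the comment above, not a full JDK default
    "jdk.certpath.disabledAlgorithms": "MD2, MD5, SHA1 jdkCA & usage TLSServer, "
        "RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224",
    "jdk.jar.disabledAlgorithms": "MD2, MD5, RSA keySize < 1024, DSA keySize < 1024",
    "jdk.tls.disabledAlgorithms": "",  # value not given on the page: presence check only
}

SAMPLE = r"""# Constructed sample: the Custom lines from the comment, TLS property commented out
jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1023, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1023, DSA keySize < 1024
#jdk.tls.disabledAlgorithms=SSLv3
"""

def parse_properties(text):
    """java.security syntax: '#' comments, key=value, trailing backslash continues."""
    props, pending = {}, ""
    for line in map(str.strip, text.splitlines()):
        if not pending and (not line or line.startswith("#")):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            key, _, value = line.partition("=")
            props[key.strip()], pending = value.strip(), ""
    return props

def constraints(value):
    """Map algorithm name -> keySize floor, or None when it is disabled outright."""
    out = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        m = re.fullmatch(r"(\S+)\s+keySize\s*<\s*(\d+)", entry)
        out[m.group(1) if m else entry.split()[0]] = int(m.group(2)) if m else None
    return out

def audit(text):
    """Return findings where the file is weaker than BASELINE."""
    props, findings = parse_properties(text), []
    for key, base in BASELINE.items():
        if key not in props:
            findings.append(f"{key}: property missing or commented out")
        have = constraints(props.get(key, base))  # missing key: nothing further to compare
        for alg, floor in constraints(base).items():
            if alg not in have:
                findings.append(f"{key}: {alg} no longer disabled")
            elif floor and have[alg] is not None and have[alg] < floor:
                findings.append(f"{key}: {alg} keySize floor {floor} lowered to {have[alg]}")
    return findings
```

Calling audit() on the text of a management station's java.security returns one line per relaxed setting, which makes it easy to confirm that the weakened policy stays confined to the machine used for the old switches.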
Instead of opening the URL in the browser, create a cmd script or other tool that executes
javaws http://x.x.x.x/switchExplorer_installed.html
Simple and works 100%. Thanks a million.
Happy it helped.
After upgrading to BNA version 14.4.3 we are unable to discover Brocade switches which are running V7.4.2c, and we get the error below (Fabric Discovery failed because the SSL certificate of the seed switch uses a weak algorithm. Install an SSL certificate with strong authentication algorithm on the switch and try again.) Do we have any steps to fix it?
Yes, same old options: better cert or re-enable weak algorithms. See https://community.emc.com/docs/DOC-68114
I am having this same issue and none of these steps worked, can you recommend anything else?
Been a while, but from the top of my head some things you can try: use older browser versions (keep a separate VM for that purpose) or move to https://blog.workinghardinit.work/2019/11/27/bna-14-4-1-upgrade-to-dellemc-cmcne-14-4-4/. Also see if you can import a modern SHA2/TLS1.2 cert from your PKI onto the device.
Thank you bro! you save my life :))
You are most welcome. Always happy to read a blog post was of use. Thx.
It works great for me. Thank you very much, I was dealing with this issue for a couple of weeks.
Happy to read this still helps people today.
I’m having problems in 2021 trying to get to an old switch with Java 7 and Windows 10
In a pinch, fire up a VM with an older OS/Java/Browser version. This issue is not getting better or easier with every day that passes, as old FC switches are not upgraded to support modern UIs.
Hi guys, how to login by using microsoft edge or google chrome browser? Please help. Thanks
You rock !!! Thanks !
Thanks! Glad it helped.
I was able to get past the “whitespace not allowed” bug by launching the GUI with Java version 1.7.0_51.
You might be able to find this Java version online in the Java Archive. I used IE11 to launch the GUI, but it might work with other browsers as well, provided you use the workaround described above.
Hope this helps someone.
Yes, but the point is not to have to revert back to old, insecure, unsupported Java versions if possible.