Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

Introduction

I was in the process of setting up a new jump server a management station server virtual machine on Windows Server 2016 Hyper-V. The guest was also Windows Server 2016 (desktop install). That station needed to be used to manage some aging Brocade fibre channel switches. With the default setting and links this will give you some headaches and some solution require you to keep older and insecure browser or java versions installed. We’ll show you how to get GUI access to your FC switches without needing to do that so you can manage your Brocade Fibre channel switch with recent Java & browser versions. Well not all of them, but it can be done with IE 11 and Firefox 52.0.1 (at the time of writing).

Another solution is to use the CLI naturally.

Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

It’s OK to use the most recent Java version available. At the moment that I wrote this blog post that was Java 1.8.0.121. I can’t give guarantees other than that, but for now that does work.

Instead of navigating to http or https to just the IP address which will send you to https://x.x..x.x/switchexplorer you need to create a shortcut link to the following: https://10.30.2.2/switchexplorer_installed.html (or http://10.30.2.2/switchexplorer_installed.html if you have not enabled https on your switch).

Like this:

clip_image001

I normally change the icon to the shortcut to indicate it’s pointing to a network device. I actually created some ico files based on an image of brocades Fibre Channel switches that I use for this. I just place then under C:\Programdata\BrocadeFC for safe keeping together with a cop of the short cuts. On the management station, I add them to the desktop for easy access. Below is a screenshot of my Windows 10 or Windows Server 2016 (Desktop Experience) management station.

clip_image002

But we’re not there yet. You need to go to Java configuration and select the Security Tab. Make sure Enable Java Content in the browser is enabled. Leave the security at high but don’t forget to add the IP addresses of your Brocade switch to the Exception Site List.

clip_image004

You’ll need to add http or https or both depending on your situation. I think we can all agree we should go for https in this day and age.

In Firefox when you launch the shortcut you’ll get asked what app to use for opening this file.

clip_image005

Make sure you point it to javaws.exe (in C:\Program Files (x86)\Java\jre1.8.0_121\bin) if that’s not the case.

clip_image007Also, check to “Do this automatically for files like this from now on” for faster access during normal operations.

In Internet Explorer allow the add-on “Java SE Runtime Environment 8 Update 121 from Oracle America Inc.” to run.

clip_image009

When it comes to Chrome, this doesn’t’ work anymore. See https://www.java.com/en/download/faq/chrome.xml

When the application is launched, depending on the age of the fibre channel switch and the version of the firmware you’ll be greeted by a more or less harsh security warning.

clip_image010

clip_image011

Check the “I accept the risk and want to run this application” or “Do not show this again for this app from the publisher above” depending on the case. This also allows for easy access the next time you launch the shortcut. The app will launch and you’ll be greeted by the login screen.

clip_image012

Juts log in and there’s nothing more to it. You can now manage your FC switches from Firefox again.

image

Hope this helps some of you out there that come across this issue.

18 thoughts on “Manage Your Brocade Fibre Channel Switch with recent Java & browser versions

    • You’re welcome. Additional tip, you can run an older version of java side by side with the most recent one and select that for us when launching the java applet.

  1. Thanks – but got another error for me. After doing the above, enter admin and password to logon, it comes up with:

    Exception encountered during initialization: com.brocade.web.secscan.SecureSANException: White space now allowed in headers: “User-Agent,AD Name,AD ID,Application,Authorization”

    Clicking Ok to this the “initializing session…” box sits at 15% and no more.

    • Hi there,

      Same problem here. Did you get a solution to resolve this ?
      Exception encountered, etc…
      Box sits at 15% and nothing else happens.
      Thanks

      • I have two switches that use WebStart. I encountered the same error you reported (“Cannot grant permissions to unsigned jars.”) on my Brocade switch. I was able to resolve the problem.

        My suggestion is to first install OpenWebStart since Java no longer implements WebStart in the newest releases and Java JRE. OpenWebStart will be further supported independently.
        Download at: https://openwebstart.com

        I also completely removed Java from my system, but it’s not necessary.

        Even though OpenWebStart made my Voltaire switch load out of the box (when Java JRE would not), the Brocade switches still error because they employ very weakly encrypted certificates.

        After installing OpenWebStart, to resolve:

        (1) Launch Notepad as Administrator
        (2) Open the file C:\Program Files\OpenWebStart\jre\lib\java.security

        (3) Search (Edit > Find) for the string: jdk.certpath.disabledAlgorithms

        (4) Remove MD5 and change RSA keySize to not-less-than 1023 (RSA keySize < 1023)

        Before:
        jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

        After:
        (I commented out the original line and made modifications to the duplicate)

        # Orig
        #jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
        # RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
        #
        # Custom
        jdk.certpath.disabledAlgorithms=MD2, SHA1 jdkCA & usage TLSServer, \
        RSA keySize < 1023, DSA keySize < 1024, EC keySize Find…) for the string:
        jdk.jar.disabledAlgorithms

        (6) Repeat Step (4): Remove MD5 and change RSA keySize to not-less-than 1023 (RSA keySize < 1023)

        After:

        # Orig
        #jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
        #
        # Custom
        jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1023, DSA keySize New > Shortcut

        (2) Paste into the location field:
        “C:\Program Files\OpenWebStart\javaws.exe” http://192.168.1.2/switchexplorer_installed.html

        Note: Change the IP and protocol to https as appropriate.

        (3) Name your shortcut. I called mine Brocade 200E

        (4) Launch your shortcut. Enjoy

        Note to OP: Sorry, this resolution completely changes your instructions and makes them somewhat moot. But, because of your post, where I had no access to my switch with modern browsers and JRE versions – your steps lead me in the direction to this resolution. Thanks. Also, feel free to post these instructions or modify them as you wish.

  2. I am trying to apply this to different software. I’ve configured java and added the exceptions. I am trying to follow the part at the beginning when you changed from one hyperlink to the same hyperlink with _installed added. is that something specific for your hardware?
    At this point I can get it to find the jar file and launch.. BUT the display that launches remains empty and I am not sure why

    • Yes, specific to (older) brocades. Whatever you do, if using older SSL/TLS and chipers edit the security settings => you can remove the jdk.tls.disabledAlgorithms section in the java.security file (comment it out) or adjust it (versions, size).

  3. After upgrade BNA version 14.4.3 we unable to discover broacade switches which is running on V7.4.2c and getting below error (Fabric Discovery failed because the SSL certificate of the seed switch uses a weak algorithm. Install an SSL certificate with strong authentication algorithm on the switch and try again.) Do we have any steps to fix it

Leave a Reply

Your email address will not be published. Required fields are marked *

* Checkbox GDPR is required

*

I agree

This site uses Akismet to reduce spam. Learn how your comment data is processed.