Solved: Re: CSCvs11682 - C220/C240 M3 server need HTML5 support for CIMC webUI

Victor Bidnenko · ‎09-02-2020

Is there any chance that cisco releases a new cimc version until end of 2020? I am trying to guess will I still can access my server CIMC after the end of support with old versions of browsers?

Julio Marquez · ‎01-15-2021

There is a workaround I was made aware of recently which uses the API on the UCS server to make a call directly to obtain the Java KVM console. I have tested this and although you don't get the GUI, you get the full console functionality (turn on/off, mount virtual images to upgrade, etc):

https://<CIMC_IP>/kvm.jnlp?cimcAddr=<CIMC_IP>&tkn1=<CIMC_username>&tkn2=<CIMC_Password>

The result will prompt you to download the jnlp file that upon execution will use Java to open the KVM console for you.

The process can even be automated (see python script below as an example). The call used in the script to aaaGetComputeAuthTokens still works for newer CIMC versions where the above call with the in-line user/pass only works for the older CIMC in the M3 servers.

import argparse
import os
import sys
import socket
import requests
import xml.etree.ElementTree as ET

parser = argparse.ArgumentParser("Launch KVM on a UCS system")
parser.add_argument('-n', '--node', help='UCS management IP', default=None)
parser.add_argument('-u', '--username', help='Username', default="admin")
parser.add_argument('-p', '--password', help='Password', default=None)
extraParams = {}
args = parser.parse_args()
mandatoryMissing = False
if args.node == None:
    mandatoryMissing = True
    print("Please provide -n <UCS management IP>")
if args.password == None:
    mandatoryMissing = True
    print("Please provide -p <password>")
if mandatoryMissing:
    sys.exit(-1)

urlCimc = "https://{}/nuova".format(args.node)
loginXml="""<aaaLogin inName='{}' inPassword='{}'></aaaLogin>""".format(args.username, args.password)
headers = {'Content-Type': 'application/xml'}
loginResponseTree = ET.fromstring(requests.post(urlCimc, data=loginXml, headers=headers, verify=False).text)
getAuthXml="""<aaaGetComputeAuthTokens cookie="{}"/>""".format(loginResponseTree.attrib['outCookie'])
getAuthResponseTree = ET.fromstring(requests.post(urlCimc, data=getAuthXml, headers=headers, verify=False).text)
tokens = getAuthResponseTree.attrib['outTokens'].split(",")
runCmd = 'javaws "https://{}/kvm.jnlp?cimcAddr={}&cimcName=KVM&tkn1={}&tkn2={}"'.format(args.node, args.node, tokens[0], tokens[1])
print('Running {}'.format(runCmd))
os.system(runCmd)

The full IMC API can be found here:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/api/4_0/b_Cisco_IMC_api_40.pdf

An alternate browser (Pale Moon 32-bit) and old Flash version (32-bit 32.0.0.371 from May 23, 2020) can be used to follow the official statement steps and get the GUI to work, but I would discourage it greatly due to the vulnerabilities Flash has, which is the reason why it got pulled in the first place.

View solution in original post

smaney016 · ‎10-14-2020

Just in case someone else is looking into this issue, here's Cisco's official response on CIMC for C220/C240 M3 servers that still use Flash:

The Cisco Cloud and Compute organization at Cisco expects that the WebUI interface of UCS C-Series M3 Standalone Rack Server Software (Cisco IMC) will not be accessible on future versions of web browsers that are deprecating support for Flash Player based content.

Cisco started shipping UCS C-Series M3 Rack Servers in 2012 and announced in 2015 and 2016 the EOL of all M3 rack server models, before Adobe announced the EOL of Flash Player support in July 2017. While we will continue to provide applicable service and support such as critical security fixes via patch releases for M3 servers through the End of Support date in December 2021, we do not plan to retrofit UCS C-Series M3 platforms with HTML5-based WebUI interface for Cisco IMC.

Impacted customers can consider below alternatives for managing their M3 Rack Servers:

1. Use CLI interface of IMC Software to control and configure the standalone M3 rack platforms
2. Use a web browser that will not be deprecating support for Flash
3. Keep web browser on the last version that supports Flash and disable update to future version in order to continue using WebUI to manage M3 rack servers
4. Attach the M3 rack servers to Fabric Interconnects in order to use HTML5-based WebUI interface of a corresponding UCS Manager release
5. Access vKVM through the XML API in case WebUI is not available

We appreciate your understanding and support.

So basically, use an old browser that will support the Flash plugin, use CLI access, or use vKVM with XML API if you can't use the WebGUI to access the host.

M4 and later models can be updated to a higher version that supports HTML5.

Julio Marquez · ‎01-15-2021

There is a workaround I was made aware of recently which uses the API on the UCS server to make a call directly to obtain the Java KVM console. I have tested this and although you don't get the GUI, you get the full console functionality (turn on/off, mount virtual images to upgrade, etc):

https://<CIMC_IP>/kvm.jnlp?cimcAddr=<CIMC_IP>&tkn1=<CIMC_username>&tkn2=<CIMC_Password>

The result will prompt you to download the jnlp file that upon execution will use Java to open the KVM console for you.

The process can even be automated (see python script below as an example). The call used in the script to aaaGetComputeAuthTokens still works for newer CIMC versions where the above call with the in-line user/pass only works for the older CIMC in the M3 servers.

import argparse
import os
import sys
import socket
import requests
import xml.etree.ElementTree as ET

parser = argparse.ArgumentParser("Launch KVM on a UCS system")
parser.add_argument('-n', '--node', help='UCS management IP', default=None)
parser.add_argument('-u', '--username', help='Username', default="admin")
parser.add_argument('-p', '--password', help='Password', default=None)
extraParams = {}
args = parser.parse_args()
mandatoryMissing = False
if args.node == None:
    mandatoryMissing = True
    print("Please provide -n <UCS management IP>")
if args.password == None:
    mandatoryMissing = True
    print("Please provide -p <password>")
if mandatoryMissing:
    sys.exit(-1)

urlCimc = "https://{}/nuova".format(args.node)
loginXml="""<aaaLogin inName='{}' inPassword='{}'></aaaLogin>""".format(args.username, args.password)
headers = {'Content-Type': 'application/xml'}
loginResponseTree = ET.fromstring(requests.post(urlCimc, data=loginXml, headers=headers, verify=False).text)
getAuthXml="""<aaaGetComputeAuthTokens cookie="{}"/>""".format(loginResponseTree.attrib['outCookie'])
getAuthResponseTree = ET.fromstring(requests.post(urlCimc, data=getAuthXml, headers=headers, verify=False).text)
tokens = getAuthResponseTree.attrib['outTokens'].split(",")
runCmd = 'javaws "https://{}/kvm.jnlp?cimcAddr={}&cimcName=KVM&tkn1={}&tkn2={}"'.format(args.node, args.node, tokens[0], tokens[1])
print('Running {}'.format(runCmd))
os.system(runCmd)

The full IMC API can be found here:

https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/c/sw/api/4_0/b_Cisco_IMC_api_40.pdf

An alternate browser (Pale Moon 32-bit) and old Flash version (32-bit 32.0.0.371 from May 23, 2020) can be used to follow the official statement steps and get the GUI to work, but I would discourage it greatly due to the vulnerabilities Flash has, which is the reason why it got pulled in the first place.

nmohajery · ‎01-24-2021

@Julio Marquez

I want to send you a gift card. This link actually solved the problem for me:

http://andkon.com/arcade/faq.php

Took about two days of searching to finally got to this resolution!

Thank you!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Netwerkbeheer ROC van Amsterdam · ‎05-20-2022

life-saver!!!!!

Joseph Rinehart · ‎06-25-2023

This was brilliant! It worked right the first time without issue!

Data Center Training Specialist
Learning@Cisco High Touch Delivery
CCIE #14256

Jason Wang · ‎03-01-2021

Thanks the link to the java applet worked

douglasfir · ‎04-09-2021

Thank you so much, Julio!

Cheers,

Dragan

Michael Masterson · ‎07-14-2021

Hi Jose,

Thanks for the info. The call

https://<CIMC_IP>/kvm.jnlp?cimcAddr=<CIMC_IP>&tkn1=<CIMC_username>&tkn2=<CIMC_Password>

worked for me and I was able to get my 2 (C240 M3, C220 M3) servers from version 2.0 to 3.0(4). Once on 3.0(4) I need to get the Java KVM console again to upgrade VMWare but I can't get the above or the python script to work.

When using the Python script I get an error:

File "\\storage3\Redirect\MichaelM\Desktop\UCS-CMIC.py", line 28, in <module>
getAuthXml="""<aaaGetComputeAuthTokens cookie="{}"/>""".format(loginResponseTree.attrib['outCookies'])
KeyError: 'outCookies'

I'm far from a Python guy so a bit stuck. any ideas?

nmohajery · ‎07-14-2021

Not sure what you are trying to achieve here, but I also discovered that the K-Meleon browser works with zero issues. No need to make changes and hack things. Just download the installer and use the k-meleon browser.

Michael Masterson · ‎07-16-2021

Hey, thanks, this worked for me too. I can browse to the CMIC. I hit another issue with the java not working but fixed it using this just incase anyone else hits it

https://community.cisco.com/t5/unified-computing-system/cimc-launch-kvm-console/td-p/2478169

stuart.pannell · ‎01-13-2022

your a star, I was able to mount a recovery disk image for my out of disk space ISE box and hopefully now Cisco TAC will be able to delete some files and free up some space.

Lino Vargas · ‎03-04-2021

in order to get it to work you need to modify the flashplayer dll and remove the hard coded time bomb.

Here is how I was able to get it to work...

Download and install K-Meleon browser (I used the installer from PortableApps[.]com it should also work from the direct installer)

Download and install HxD (freeware hex editor)

Download and install Flash (I used FlashPlayer 32.0.0.465)

Once you have the software installed, open K-Meleon and navagate to "about:plugins" this will show you which version and path of flash that the browser is using. in my case it was "C:\WINDOWS\SysWOW64\Macromed\Flash\NPSWF32_32_0_0_465.dll"

Run HxD as administrator and open "NPSWF32_32_0_0_465.dll"

Search for:
00 00 40 46 3E 6F 77 42
replace it with:
00 00 00 00 00 00 F8 7F

Then disable the EOL Uninstall Warnings
Run notepad as administrator and Edit "C:\Windows\SysWOW64\Macromed\Flash\mms.cfg"
Add a line with "EOLUninstallDisable=1"
save and close
After that it should work just fine.
I had a very old CIMC that an error SSL_ERROR_NO_CYPHER_OVERLAP
to Fix this, I had to change some of the settings in "about:config"I don't remember which ones did the trick but where there is a will there is a way..

Good Luck!

MatthewShaw4644 · ‎12-20-2021

I messed around with this for quite a while until I saw a post about grabbing the .jnlp off github - it's just enough to map the KVM drive for booting to the .huu. Change the txt file to use your CIMC IP and credentials. Change the file extension to .jnlp. Don't forget to add the CIMC address to your Java Security Exceptions. I ran this with regular Chrome - worked well.

github.com/Kris-Sekula/UCS-KVM

Will D · ‎04-09-2023

I found this browser and it works perfectly. https://github.com/radubirsan/FlashBrowser