Read and Follow All Directions Carefully. And, Firefox SSL Settings for Accessing IBM pSeries ASMI via HTTPS

This is a public service announcement for those with IBM pSeries servers who muck up the ASMI setup. And for those that don’t but it doesn’t work anyway.

Sometimes when I’m in a hurry I don’t always follow the directions to the letter, especially if I’m confident I know what’s going on.

Never do that. Especially setting up new hardware. The people who write the directions spell those steps out for a reason.

A while back I installed a new IBM pSeries server. I’m no sysadmin guru, but I thought hey, I’ve hooked up more than a few new computers in my time. How hard could it be?

I don’t have an HMC, so I needed to cable up my Ethernet LAN to the HMC port to access the ASMI via a web browser. (In hindsight, I should have known I was wandering into shark-infested waters with all those new acronyms.) The installation manual has a rather lengthy description of how to do this, involving configuring a PC or laptop Ethernet interface in a particular way, wiring that directly to the HMC port, typing a specific URL into a web browser, logging in, then reconfiguring the IP address etc. for the local LAN, moving the cable to the LAN, and off you go. Easy.

Well I thought I could take a few shortcuts. I am, after all, a network programming guy. I’ve implemented IP. Multiple times. And I’m in a hurry.

Well, it may have been the install manual (it is a bit confusing and seems to contradict itself) but probably not. In any event, I somehow wedged the HMC ethernet port into an unusable state. Somehow I did manage to get the server up and things hummed along nicely.

Until it happened. The server crashed and hung on reboot. What a lovely paperweight. Without access to the ASMI I was stuck. As far as I could tell, I was going to have to reset the service processor to factory defaults and start over, following the directions carefully this time. Now how to reset it?

After a frantic call to IBM, I got a very helpful person on the phone. After explaining my bungling the HMC ethernet setup and why I needed to reset the SP, he asked “Why don’t you just use the serial port and reset the network parameters to what you need?”

Oh.

That went pretty quickly. Network parameters now set to the correct values, port connected to LAN, here we go… get Firefox up, give it the magic URL, and…

“Cannot communicate securely with peer: no common encryption algorithm(s).

(Error code: ssl_error_no_cypher_overlap)”

My friendly IBM fellow had no advice for this one.

So I got Wireshark going and watched the exchange between Firefox and the server that produced this error. Short and sweet – one SSL exchange and connection reset.

I wondered if maybe the server needed to speak SSL2, so I enabled that. Wireshark reported that the server really didn’t like that either – SSL2 start, SSL3 reset. So, it wants SSL3, but what else?

I poked around in the Firefox about:config page for SSL-related items and found a bunch that are disabled by default – less-secure options that are normally not used. Except for talking secure HTTP to pSeries ASMI, that is.

Long story short, if you need to use Firefox to access one of these IBM ASMIs via the web, the option that worked for me was to enable:

security.ssl3.rsa_rc4_40_md5

I’m guessing that this is because it’s a low-strength cipher that can be easily exported. In any event, that was the last piece of the puzzle I needed to get management access to this box. Maybe it will save someone a few days’ work.
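
The cipher mismatch seen in the Wireshark capture can also be checked in a script. The following is an added example, not code from the original post: it parses a constructed SSL3 ClientHello and the server's reply, and it assumes (from the workaround above) that the ASMI accepts only TLS_RSA_EXPORT_WITH_RC4_40_MD5, the suite behind security.ssl3.rsa_rc4_40_md5. The function names and sample bytes are hypothetical.

```python
import struct

# Suite IDs from the IANA TLS registry; True marks export-grade or RC4 suites.
SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", True),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", False),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", False),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", False),
}
ALERTS = {40: "handshake_failure"}

def build_client_hello(suites, version=(3, 0)):
    """Construct a minimal SSL3 ClientHello record (sample input only)."""
    body = bytes(version) + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                 # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1 = ClientHello
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs

def offered_suites(record):
    """Return the cipher suite IDs offered in a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 43                          # record hdr 5 + handshake hdr 4 + version 2 + random 32
    pos += 1 + record[pos]            # skip the session id
    if pos + 2 > len(record):
        raise ValueError("truncated before cipher suite list")
    (n,) = struct.unpack_from(">H", record, pos)
    if n % 2 or pos + 2 + n > len(record):
        raise ValueError("truncated cipher suite list")
    return list(struct.unpack_from(">%dH" % (n // 2), record, pos + 2))

def diagnose(client_hello, server_reply, server_only=0x0003):
    """Explain a failed handshake; server_only is the assumed single accepted suite."""
    offered = offered_suites(client_hello)
    alert = None                      # stays None if the server just reset the connection
    if len(server_reply) >= 7 and server_reply[0] == 0x15:   # content type 21 = alert
        alert = ALERTS.get(server_reply[6], "alert_%d" % server_reply[6])
    weak = [SUITES[s][0] for s in offered if SUITES.get(s, ("", False))[1]]
    return {"overlap": server_only in offered, "alert": alert, "weak_offered": weak}

# Constructed sample: a client that omits the export suite, and a fatal SSL3 alert.
DEFAULT_HELLO = build_client_hello([0x0035, 0x002F, 0x000A, 0x0005, 0x0004])
FATAL_ALERT = bytes([0x15, 3, 0, 0, 2, 2, 40])
if __name__ == "__main__":
    print(diagnose(DEFAULT_HELLO, FATAL_ALERT))
```

The weak_offered list is the reason to confine a browser profile with such suites enabled to the management interface alone.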

8 Responses to “Read and Follow All Directions Carefully. And, Firefox SSL Settings for Accessing IBM pSeries ASMI via HTTPS”

  1. Abdel Says:

    Thanks, it helps me a lot 🙂

  2. Filip Says:

    thanks, helped me too (did exactly the same things as you did :))

  3. Eric Thibodeau Says:

    THANK YOU! I just lost an hour trying to track down THE option required to gain access to the ASMI console!

  4. Manuel Mitnyan Says:

    Works just fine, thanks.

  5. Jason Donovan Says:

    Thanks man, saved my day 🙂

  6. Christopher Jacoby Says:

    Many, many thanks!

  7. shrijan Says:

    Hi Steve, I am getting the same error now. And when I followed your instruction to check security.ssl3.rsa_rc4_40_md5, I could not find it in my Firefox “about:config”. Instead of it I can see security.ssl3.rsa_rc4_128_md5. Is there any way to make it work?

  8. Erling Ouweneel Says:

    Today I found this post while trying to access the management processor of our IBM AIE system. Because the above procedure isn’t working anymore with the latest & greatest version of Firefox, I share my workaround with anyone who is interested:

    Changing the above setting is not possible anymore since Firefox 18. To avoid decreasing my system’s security I downloaded the latest version of Firefox Portable 17 where I was able to change the security.ssl3.rsa_rc4_40_md5 setting.
    To avoid an accidental update you should also disable the autoupdate function: Tools -> Options -> Advanced -> Update -> Never check for updates.

    So now I am using Firefox Portable 17.0.2 only to access the management processor and the latest version of Firefox (without decreased security settings!) for all other websites.

    Download Firefox Portable Edition 17.0.2 from:
    http://sourceforge.net/projects/portableapps/files/Mozilla%20Firefox%2C%20Portable%20Ed./Mozilla%20Firefox%20ESR%2C%20Portable%20Edition%2017.0.2/
