Cisco ISE - SNS server Java-based KVM - "Application Blocked By Java Security" Fix

In this article, we take a look at how to configure Java to get Java-based KVM up and running to remotely perform a re-imaging of the Cisco ISE application on physical SNS servers.

Re-imaging an ISE SNS server

Re-imaging a physical ISE SNS server should preferably be done using a USB stick containing a bootable ISE image which can be installed on the SNS server, but there are some instances where one might want to do the re-imaging remotely instead by virtually mounting the ISE ISO image via the Cisco Integrated Management Controller (IMC) tool.

Virtually mounting the ISE ISO image this way should only be done from a computer or server that does NOT go into sleep/hibernate mode after some time, and the computer or server should be relatively close to the SNS server in terms of bandwidth and latency.

Caveats of Re-imaging SNS server remotely

However, re-imaging an SNS server remotely using a virtually mounted ISE ISO file takes a very long time compared to simply using a properly prepared USB stick. To virtually mount the ISE ISO file, one has to connect to the IMC web interface and then launch a KVM (Keyboard/Video/Mouse) session, which will emulate having a keyboard/monitor/mouse connected to the physical SNS server. Inside this KVM session, you are able to mount ISO files directly from your computer/server that will be available for the SNS server to use for re-imaging.

The KVM session can be either HTML5-based (new) or Java-based (old). I have done re-imaging of SNS servers to Cisco ISE 3.1 recently and tried both of these methods.

Even when being almost directly connected to the network where the IMC physical interface is connected, re-imaging an SNS server takes almost 6 hours when using HTML5-based KVM, while it “only” takes around 3 hours to do this using the Java-based KVM.

The Issues with Java-based Applications

Java-based KVM has the disadvantage of being Java-based (duh), which means it could be tricky to get it up and running in the year 2023 and beyond since Java is considered legacy technology at this point, and is being pushed out of the IT world. That means that if you try to use the Java-based KVM viewer right off the bat, chances are you will run into the “Application Blocked By Java Security” error message.

This error message is probably even more common on corporate computers/servers, which most often are locked down security-wise by company policies.

Nevertheless, if you want to use the Java-based KVM viewer anyway, follow the steps below to see if they can get you up to speed.

Prerequisite - install a newer Java version

First off, make sure to download the latest version of Java from the Java website. Whatever the latest version of Java is, it should work fine.

When you have installed Java on your computer/server, continue down below to configure the Java settings which hopefully are the fixes you need to get the Java-based KVM viewer up and running.

Add IMC URL to Java Security Exceptions

Next up, we are going to add the URL of the IMC web interface to the Exception Site List of Java-based applications. Search for “java” in Windows and you should find the “Configure Java” application. This will launch the Java Control Panel.

In the Java Control Panel, navigate to the Security tab. Go down to the Exception Site List section and click on the “Edit Site List…” button. In the window that pops up, click on the Add button and type in either the IP address or the FQDN of your IMC’s web interface.

Make sure to include “https://” in the URL. In my case, I will use the IP address of the IMC web interface, which makes the URL:

https://10.100.1.123

Click on OK when you are done.

With this done, you should now attempt to launch the Java-based KVM. If this step does not do the trick for you, continue down below to perform the second (possible) fix.
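The Exception Site List edited above is normally kept as a plain text file with one URL per line (on Windows under the user profile at AppData\LocalLow\Sun\Java\Deployment\security\exception.sites). Every entry relaxes Java's security checks for that site, so the added example below (not part of the original article) audits such a list and flags any entry that is not an https URL for an approved IMC host. The sample list, the host name imc01.example.net and the approved set are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of an exception.sites file: one URL per line.
SAMPLE_SITE_LIST = """\
https://10.100.1.123
http://10.100.1.123
https://imc01.example.net:8443/
https://*.example.net
file:///C:/tools/
"""


def audit_entry(entry, approved_hosts):
    """Return the list of problems found in one Exception Site List entry."""
    findings = []
    parts = urlsplit(entry)
    # The article insists on https://; http and file entries are flagged.
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}, not https")
    host = parts.hostname or ""
    # An exception should name exactly one management endpoint.
    if not host or "*" in host:
        findings.append("no single, specific host")
    elif host not in approved_hosts:
        findings.append(f"host {host} is not an approved IMC address")
    return findings


def audit_site_list(text, approved_hosts):
    """Map each problematic entry to its findings; clean entries are omitted."""
    report = {}
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        findings = audit_entry(entry, approved_hosts)
        if findings:
            report[entry] = findings
    return report


if __name__ == "__main__":
    # Assumed allow-list: the IMC address from the article plus a hypothetical FQDN.
    approved = {"10.100.1.123", "imc01.example.net"}
    for entry, problems in audit_site_list(SAMPLE_SITE_LIST, approved).items():
        print(f"{entry}: {'; '.join(problems)}")
```

Run it against the real file after the re-imaging job is done to confirm that only the IMC entry remains, or that the entry has been removed again.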

Add IMC Certificate to Java Trusted Certificate Store

If you are still running into the error message at the top of this article, there is another thing you can try to get it going.

Use any web browser to connect to the IMC web interface and extract (download) the certificate that is used for the web interface itself. How you do this varies from browser to browser, but you can usually do this by clicking the little security “lock” next to the address field in the browser to view the certificate of the web page. Look for a way to download the certificate to your local computer.

Once you have the certificate, head back into the Java Control Panel, go to the Security tab once again, and this time, click on the “Manage Certificates…” button. Here, you can import certificates directly into the trusted certificates store for Java. Set the Certificate type to “Trusted Certificates”, then click on Import and browse to the IMC web interface’s certificate you just downloaded to your local computer.

With the certificate added to Java’s trusted certificate store, now try to launch the Java-based KVM again and see if it works. With some luck, you should now be able to get it running.