Unsolved
July 28th, 2017 11:00
API Error - Certificates does not conform to algorithm constraints
Anyone run into this using Java to access the Isilon API?
java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
I think it might have something to do with the JVM's disabled algorithms option, where the Java 8 JVM is more restrictive. See this. What I don't understand is what about the certificate is the problem? IOW, what to set the disabled algorithms to. The cert has this in it: TLS 1.2, ECDHE RSA P256 AES 128 GCM. All these are the same as the standard self-signed one that comes in the simulator, and my program doesn't have a problem here, but it does with the customer.
sjones51
252 Posts
1
August 1st, 2017 13:00
Hi Adam,
I haven't personally done much with API or certificates so I ran this by a colleague. He had the following questions:
Does the web UI work correctly, especially from the browser of the client machine? Some firewalls or virus scanners will block certs depending on settings defined by the network/security admins.
Are these the certifications that came with the cluster or are they custom generated? Are they CA certs?
Isilon Support does have some options for testing API and certs in their lab as well if you were interested in opening a service request for assistance. https://onlinesupport.emc.com/SRCreate
RobChang-Isilon
136 Posts
0
August 1st, 2017 14:00
This looks like an issue happening during TLS/SSL handshake, before the traffic hits the API.
I've forwarded your question to an SME. I'll keep you updated when I hear back.
In the meantime, what is your OneFS version and your customer's OneFS version?
amarcionek
1 Rookie
•
56 Posts
0
August 2nd, 2017 07:00
RobChang-Isilon, We are on 8.1.0.0. The customer is on 8.0.0.4.
sjones51, yes, the Web UI works fine from the client machine. I don't know if the certificate is the original or not. My feeling is that it is, because if you open it up in Chrome debug you can see the following two errors:
Certificate Error
There are issues with the site's certificate chain (net::ERR_CERT_AUTHORITY_INVALID).
Subject Alternative Name Missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.
Which is the same as our virtual appliance and I think pretty typical of self-signed certificates.
One thing that I don't get from my testing is how the HTTP settings work via the UI. I've gone so far as to disable HTTP (protocols -> http -> Disable Http) and the API still works in my lab, even after rebooting the cluster. Is that intentional? Do these settings only control namespace access, not management access? I ask because the customer has this disabled and I thought that was the problem, but I don't think it was, UNLESS I have to ask them to reboot their cluster, which I'd rather not do.
Anyway, at this point, I won't be able to engage the customer until Monday (8/7) and unless I hear back from you, we are going to attempt to muck with the JVM settings to see if I can allow it to accept that algorithm. If that doesn't work, I'll ask the customer to open a support ticket.
Thank you both!
Adam
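An added example, not part of any post in this thread and not Dell or JDK code: one way to see which property of a server certificate collides with the JVM's `jdk.certpath.disabledAlgorithms` or `jdk.tls.disabledAlgorithms` security properties before changing either of them. The class name `CertConstraintCheck` and the certificate file passed as the first argument are assumptions; the matcher is a simplification that evaluates only bare algorithm names and `keySize <` / `<=` entries, and it inspects the one certificate it is given rather than a whole chain.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.interfaces.*;
import java.util.Arrays;

// Added illustration (hypothetical class name), not the JDK's own constraint checker.
public class CertConstraintCheck {
    // Key size in bits for the key types the constraint syntax covers; -1 if unknown.
    static int keyBits(PublicKey k) {
        if (k instanceof RSAPublicKey) return ((RSAPublicKey) k).getModulus().bitLength();
        if (k instanceof ECPublicKey) return ((ECPublicKey) k).getParams().getOrder().bitLength();
        if (k instanceof DSAPublicKey) return ((DSAPublicKey) k).getParams().getP().bitLength();
        return -1;
    }

    static String norm(String s) { return s.replace("-", "").toUpperCase(); }

    // Returns why one disabledAlgorithms entry applies to this certificate, or null.
    static String match(String entry, String sigAlg, String keyAlg, int bits) {
        String[] t = entry.trim().split("\\s+");
        String name = norm(t[0]);
        boolean inSig = Arrays.asList(norm(sigAlg).split("WITH|AND")).contains(name);
        boolean isKey = norm(keyAlg).equals(name);
        if (t.length == 1) return (inSig || isKey) ? "disabled outright" : null;
        if (t.length == 4 && t[1].equalsIgnoreCase("keySize") && t[2].startsWith("<")) {
            int limit = Integer.parseInt(t[3]);
            boolean small = t[2].equals("<=") ? bits <= limit : bits < limit;
            return (isKey && bits >= 0 && small) ? bits + "-bit key is below the limit" : null;
        }
        // jdkCA, usage, denyAfter and other operators are not evaluated here.
        return (inSig || isKey) ? "conditional entry, evaluate by hand" : null;
    }

    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {  // PEM or DER file
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String sig = cert.getSigAlgName(), keyAlg = cert.getPublicKey().getAlgorithm();
        int bits = keyBits(cert.getPublicKey());
        System.out.println("signature=" + sig + " key=" + keyAlg + " bits=" + bits);
        for (String prop : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            String value = Security.getProperty(prop);
            for (String entry : (value == null ? "" : value).split(",")) {
                String why = match(entry, sig, keyAlg, bits);
                if (why != null) System.out.println(prop + ": [" + entry.trim() + "] -> " + why);
            }
        }
    }
}
```

Run it with the same JVM the failing client uses, since the property values come from that JVM's `java.security` file and differ between Java releases.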