PowerFlex: Erro "Os certificados não estão em conformidade com a restrição do algoritmo" ao tentar registrar o sistema com o Secure Remote Services (SRS)
Summary: Não é possível registrar o sistema PowerFlex com o Secure Remote Services usando o "FOSGWTool.sh" do gateway de IM
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Esse problema pode ocorrer quando o certificado do gateway de IM não é auto-assinado, em vez disso, assinado por uma autoridade de autoridade de certificação de terceiros. Os certificados CA já são importados para o truststore do gateway de IM, de acordo com a documentação do PowerFlex.
Sintomas
A tentativa de registro do Secure Remote Services gera o seguinte erro:
# /opt/emc/scaleio/gateway/bin/FOSGWTool.sh --register_esrs_gateway --scaleio_gateway_ip $gw_ip --scaleio_gateway_user admin --scaleio_gateway_password $gw_pass --esrs_gateway_ip $esrs_hostname --connect_in_ip $gw_ip --esrs_gateway_user $esrs_user --esrs_gateway_password <PASSWORD>
Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.10.10.11/api/gatewayLogin": java.security.cert.CertificateException: Certificates do not conform to algorithm constraints; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:525)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:473)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:421)
at com.emc.s3g.scaleio.installation.cli.SioGWTool.loginToRestGateway(SioGWTool.java:2563)
at com.emc.s3g.scaleio.installation.cli.SioGWTool.main(SioGWTool.java:1754)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:510)
... 4 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1387)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1312)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
... 22 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA < =============================== this is an issue
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1383)
... 25 moreImpacto
Não é possível registrar o sistema PowerFlex com o Secure Remote Services.
Cause
O certificado do IM Gateway foi assinado por um certificado antigo da CA usando SHA1 como algoritmo de hash de assinatura. Por padrão, o Java não permite que SHA1 e alguns outros algoritmos mais antigos sejam usados no caminho do certificado devido a possíveis problemas de segurança.
Resolution
Como solução temporária, o Java pode ser configurado para aceitar temporariamente tipos antigos de algoritmos de hash: edite o arquivo java.security e comente as linhas correspondentes à entrada "jdk.certpath.disabledAlgorithms":
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224Para obter uma solução permanente, assine o certificado do IM Gateway com a CA usando algoritmos de hash modernos e seguros
Affected Products
PowerFlex rack, PowerFlex Software, VxFlex Product Family, VxFlex Ready Node, Ready Node SeriesArticle Properties
Article Number: 000193823
Article Type: Solution
Last Modified: 13 Nov 2025
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.