PowerFlex: Felet "Certifikat överensstämmer inte med algoritmbegränsningen" vid försök att registrera systemet med SRS (Secure Remote Services)
Summary: Det går inte att registrera PowerFlex-systemet med Secure Remote Services med IM Gateways FOSGWTool.sh
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
Det här problemet kan uppstå när IM Gateway-certifikatet inte är självsignerat, utan snarare signerat av en tredjepartscertifikatutfärdare. CA-certifikaten är redan importerade till IM Gateway truststore, enligt PowerFlex-dokumentationen.
Symptom
Registreringsförsöket för Secure Remote Services genererar följande fel:
# /opt/emc/scaleio/gateway/bin/FOSGWTool.sh --register_esrs_gateway --scaleio_gateway_ip $gw_ip --scaleio_gateway_user admin --scaleio_gateway_password $gw_pass --esrs_gateway_ip $esrs_hostname --connect_in_ip $gw_ip --esrs_gateway_user $esrs_user --esrs_gateway_password <PASSWORD>
Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.10.10.11/api/gatewayLogin": java.security.cert.CertificateException: Certificates do not conform to algorithm constraints; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:525)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:473)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:421)
at com.emc.s3g.scaleio.installation.cli.SioGWTool.loginToRestGateway(SioGWTool.java:2563)
at com.emc.s3g.scaleio.installation.cli.SioGWTool.main(SioGWTool.java:1754)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:510)
... 4 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1387)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1312)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
... 22 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA < =============================== this is an issue
at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1383)
... 25 morePåverkan
Det gick inte att registrera PowerFlex-systemet med Secure Remote Services.
Cause
IM Gateway-certifikatet signerades av ett gammalt CA-certifikat med SHA1 som signaturhashalgoritm. Som standard tillåter Java inte att SHA1 och några andra äldre algoritmer används i certifikatsökvägen på grund av potentiella säkerhetsproblem.
Resolution
Som en tillfällig lösning kan Java konfigureras för att tillfälligt acceptera gamla typer av hash-algoritmer – redigera filen java.security och kommentera ut raderna som motsvarar posten "jdk.certpath.disabledAlgorithms":
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224Om du vill ha en permanent lösning signerar du IM Gateway-certifikatet med certifikatutfärdaren med hjälp av moderna och säkra hash-algoritmer
Affected Products
PowerFlex rack, PowerFlex Software, VxFlex Product Family, VxFlex Ready Node, Ready Node SeriesArticle Properties
Article Number: 000193823
Article Type: Solution
Last Modified: 13 Nov 2025
Version: 4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.