PowerFlex:嘗試向 Secure Remote Services (SRS) 註冊系統時出現錯誤「憑證不符合演算法約束」

Summary: 無法使用 IM 閘道的「FOSGWTool.sh」將 PowerFlex 系統註冊至 Secure Remote Services

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

當 IM 閘道證書不是自簽名,而是由第三方 CA 頒發機構簽名時,可能會出現此問題。根據 PowerFlex 說明文件,CA 憑證已匯入 IM 閘道信任存放區。

 

症狀

Secure Remote Services 註冊嘗試會擲回以下錯誤:

# /opt/emc/scaleio/gateway/bin/FOSGWTool.sh --register_esrs_gateway --scaleio_gateway_ip $gw_ip --scaleio_gateway_user admin --scaleio_gateway_password $gw_pass --esrs_gateway_ip $esrs_hostname --connect_in_ip $gw_ip --esrs_gateway_user $esrs_user --esrs_gateway_password <PASSWORD>
 Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.10.10.11/api/gatewayLogin": java.security.cert.CertificateException: Certificates do not conform to algorithm constraints; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
 at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:525)
 at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:473)
 at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:421)
 at com.emc.s3g.scaleio.installation.cli.SioGWTool.loginToRestGateway(SioGWTool.java:2563)
 at com.emc.s3g.scaleio.installation.cli.SioGWTool.main(SioGWTool.java:1754)
 Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76)
        at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
        at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:510)
        ... 4 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1387)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1312)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
        ... 22 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA                             < =============================== this is an issue
        at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1383)
        ... 25 more

 

影響

無法向 Secure Remote Services 註冊 PowerFlex 系統。

Cause

IM 閘道證書由 SHA1 作為簽名哈希演演演算法的舊 CA 證書簽名。默認情況下,由於潛在的安全問題,Java 不允許在證書路徑中使用SHA1和其他一些舊演演演算法。

PowerFlex CA 憑證 

Resolution

 

作為因應措施,可以將 Java 設定為暫時接受舊類型的雜湊演算法 - 編輯 java.security 檔案,並註解掉與「jdk.certpath.disabledAlgorithms」項目對應的行:

#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

如需永久解決方案,請使用現代且安全的雜湊演算法,使用 CA 簽署 IM 閘道憑證

 

 

Affected Products

PowerFlex rack, PowerFlex Software, VxFlex Product Family, VxFlex Ready Node, Ready Node Series
Article Properties
Article Number: 000193823
Article Type: Solution
Last Modified: 13 Nov 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.