PowerFlex:尝试向 Secure Remote Services (SRS) 注册系统时出现错误“证书不符合算法约束”

Summary: 无法使用 IM 网关的“FOSGWTool.sh”向 Secure Remote Services 注册 PowerFlex 系统

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

当 IM 网关证书不是自签名的,而是由第三方 CA 颁发机构签名时,可能会发生此问题。根据 PowerFlex 文档,CA 证书已导入到 IM 网关信任库中。

 

症状

Secure Remote Services 注册尝试引发以下错误:

# /opt/emc/scaleio/gateway/bin/FOSGWTool.sh --register_esrs_gateway --scaleio_gateway_ip $gw_ip --scaleio_gateway_user admin --scaleio_gateway_password $gw_pass --esrs_gateway_ip $esrs_hostname --connect_in_ip $gw_ip --esrs_gateway_user $esrs_user --esrs_gateway_password <PASSWORD>
 Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.10.10.11/api/gatewayLogin": java.security.cert.CertificateException: Certificates do not conform to algorithm constraints; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
 at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:525)
 at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:473)
 at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:421)
 at com.emc.s3g.scaleio.installation.cli.SioGWTool.loginToRestGateway(SioGWTool.java:2563)
 at com.emc.s3g.scaleio.installation.cli.SioGWTool.main(SioGWTool.java:1754)
 Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:370)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:313)
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:308)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479)
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457)
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200)
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
        at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1290)
        at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1199)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
        at org.springframework.http.client.SimpleBufferingClientHttpRequest.executeInternal(SimpleBufferingClientHttpRequest.java:76)
        at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
        at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:49)
        at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:510)
        ... 4 more
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1387)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1312)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1256)
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
        ... 22 more
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA                             < =============================== this is an issue
        at sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1383)
        ... 25 more

 

影响

无法向 Secure Remote Services 注册 PowerFlex 系统。

Cause

IM 网关证书由旧 CA 证书使用 SHA1 作为签名哈希算法进行签名。默认情况下,由于潜在的安全问题,Java 不允许在证书路径中使用 SHA1 和其他一些较旧的算法。

PowerFlex CA 证书 

Resolution

 

作为一种解决方法,可以将 Java 配置为暂时接受旧类型的哈希算法 - 编辑 java.security 文件并注释掉与 “jdk.certpath.disabledAlgorithms” 条目对应的行:

#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224

对于永久解决方案,请使用新式安全哈希算法向 CA 签署 IM 网关证书

 

 

Affected Products

PowerFlex rack, PowerFlex Software, VxFlex Product Family, VxFlex Ready Node, Ready Node Series
Article Properties
Article Number: 000193823
Article Type: Solution
Last Modified: 13 Nov 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.