PowerFlex 3.x: El servidor de presentación falla con la excepción de Java: "Los almacenes de claves con varios certificados no son compatibles"

Summary: El servidor de presentación de PowerFlex 3.x falla con la excepción de Java: "Los almacenes de claves con varios certificados no son compatibles" si los certificados SSL importados en el almacén de claves tienen varias entradas en la extensión SAN (nombre alternativo del sujeto). ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

El servicio del servidor de presentación de PowerFlex 3.x (mgmt-server) no responde y no se puede acceder a él desde el cliente web.

Se observa el siguiente error en los registros:

Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

El estado del servicio informa errores de Java:

# systemctl status mgmt-server.service
● mgmt-server.service - Scaleio MGMT Server
   Loaded: loaded (/etc/systemd/system/mgmt-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-12-12 04:17:48 EST; 2min 36s ago
 Main PID: 27178 (java)
   CGroup: /system.slice/mgmt-server.service
           └─27178 /bin/java -Xmx4g -Djna.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Djava.io.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Dstorage.diskCache.bufferSize=2000 -Dlog4j2.configurationFile=...

Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
...
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

Todos los eventos de registro relacionados son:

# journalctl -u mgmt-server.service -n 30 --no-pager
-- Logs begin at Thu 2022-10-13 15:44:18 EDT, end at Mon 2022-12-12 04:20:01 EST. --
Dec 12 04:17:48 presentation systemd[1]: Started Scaleio MGMT Server.
Dec 12 04:18:10 presentation startup.sh[27178]: Exception in thread "main" java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[DisconnectingEventService [STARTING]], FAILED=[HttpdService [FAILED]]}
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.start(Server.java:69)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.main(Server.java:147)
Dec 12 04:18:10 presentation startup.sh[27178]: Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: HttpdService [FAILED]
Dec 12 04:18:10 presentation startup.sh[27178]: Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1288)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1270)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.httpd.HttpdService.startUp(HttpdService.java:31)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.Callables$4.run(Callables.java:119)
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

Cause

La versión < 3.6.1 del servidor de presentación de PowerFlex no es compatible con certificados SSL con varias entradas en la extensión de SAN (nombre alternativo del sujeto).

Los certificados SSL y el almacén de claves se pueden comprobar con los siguientes comandos:

# openssl x509 -noout -text -in cert.pem | grep -A1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:example.plex.lab.dell.com, DNS:example.cork.lab
# keytool -list -v -keystore /etc/mgmt-server/.config/keystore.jks | grep -A4 SubjectAlternativeName
SubjectAlternativeName [
  DNSName: example.plex.lab.dell.com
  DNSName: example.cork.lab]

 Este problema se informó en la versión 3.6-500.101 de PowerFlex, pero se puede observar en versiones 3.x anteriores.

Resolution

El problema se resolvió en la versión 3.6.1 (3.6.1000.134) de PowerFlex. Actualice a esta versión o a una superior.

De lo contrario, utilice un certificado SSL firmado externamente sin extensión SAN (nombre alternativo del sujeto) o con una sola entrada. Esta regla se aplica a cualquier certificado importado en el almacén de claves (incluidas las CA raíz e intermedias).

Affected Products

PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, ScaleIO, PowerFlex appliance connectivity, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, Powerflex appliance R750 , PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex Software, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840 ...
Article Properties
Article Number: 000206321
Article Type: Solution
Last Modified: 11 Apr 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.