Pairing vRealize Operations Manager 6.x with a VMware vSphere vCenter that has a weak certificate fails with the error: Certificates does not conform to algorithm constraints

Article ID: 343691

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Pairing a VMware vCenter Server adapter with VMware vRealize Operations Manager fails with the error:
    Certificates does not conform to algorithm constraints.
  • In the /storage/vcops/log/collector.log file, you see entries similar to:

    ERROR [Task Processor worker thread 3] com.integrien.alive.common.adapter3.AdapterBase.onCheckCertificate - Error trying to make connection javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
If the error is seen in VMware Horizon, follow The connection server fails to establish an SSL connection with the event database (76348).


Environment

VMware vRealize Operations Manager 6.1.x
VMware vRealize Operations Manager 6.0.x
VMware vRealize Operations Manager 6.2.x

Cause

This issue occurs when the VMware vCenter Server certificate has an RSA key size lower than 1028.

Resolution

This is expected behavior in VMware vRealize Operations Manager.

To work around this issue, the RSA key size requirement needs to be lowered or disabled:
 
  1. Log in to the Master node as root through the console or an SSH session.
  2. Open the $VMWARE_JAVA_HOME/lib/security/java.security file using a text editor.
  3. Change this line to reduce the key restriction, or comment out the entire line to disable the restrictions:

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

    For example:
    Reducing the key size: jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512
    Removing restraints: #jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
  4. Save and close the file.
  5. Repeat steps 1-3 on each node in the cluster.
  6. Attempt to pair your vCenter Server adapter.

    Note: It may be necessary to wait for a few minutes before trying the pairing again, or restart the collector service on each node by running this command:

    service vmware-vcops restart collector
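
To confirm afterwards which nodes are running with the reduced or disabled constraint, the following added example (not part of the original article or of VMware's tooling) reads a java.security file and reports the active RSA key-size limit. The function names and the sample files are constructed for illustration; on a node, pass $VMWARE_JAVA_HOME/lib/security/java.security instead.

```shell
#!/bin/sh
# Added example: audit the JDK cert-path RSA key-size constraint on a node.
# Function names are hypothetical; sample files below are constructed.

# Print the active jdk.certpath.disabledAlgorithms value; commented-out
# lines are skipped and "\" line continuations are joined.
certpath_constraints() {
    awk '
        !cont && /^[ \t]*#/ { next }
        cont { part = $0; sub(/^[ \t]+/, "", part); val = val part }
        !cont && /^[ \t]*jdk\.certpath\.disabledAlgorithms[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
        }
        { cont = sub(/\\$/, "", val) }
        END { print val }
    ' "$1"
}

# Print N from "RSA keySize < N"; empty output means no RSA size limit.
rsa_min_keysize() {
    certpath_constraints "$1" | tr ',' '\n' |
        sed -n 's/^[[:space:]]*RSA[[:space:]]*keySize[[:space:]]*<[[:space:]]*\([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Exit 0 if the limit is still at least the 1024 shown in step 3's original line.
constraint_intact() {
    min=$(rsa_min_keysize "$1")
    [ -n "$min" ] && [ "$min" -ge 1024 ]
}

# Constructed sample files standing in for java.security on three nodes.
demo=$(mktemp -d)
printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024' > "$demo/stock"
printf '%s\n' 'jdk.certpath.disabledAlgorithms=MD2, \' '    RSA keySize < 512' > "$demo/reduced"
printf '%s\n' '#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024' > "$demo/disabled"

for f in stock reduced disabled; do
    if constraint_intact "$demo/$f"; then state=intact; else state=WEAKENED; fi
    echo "$f: RSA limit '$(rsa_min_keysize "$demo/$f")' -> $state"
done
```

Running the check on every node after the vCenter certificate has been replaced with a stronger one shows where the original line still needs to be restored.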