VMware Cloud Community
holashh
Enthusiast

Import ssl cert to vCO 5.1 from vRO 6.0

Hi,

My case: I am trying to connect vCO 5.1 with vRO 6.0 via the Multi-Node plug-in.

When I import the SSL cert from vRO 6.0, I get the error "Could not import the SSL certificate. Check whether the URL https://myvRO6.0.mydomain.net:8281 is a valid SSL connection."

I am able to see the page https://myvRO6.0.mydomain.net:8281/ if I put it in a browser.

On the other hand, in the opposite direction it is working fine.

No information in server.log.

Could anybody help with this, thank you.

Jan

tschoergez
Leadership

You can try to import the certificate manually, using the web-based vRO configuration (network section, SSL tab)...

holashh
Enthusiast

Hi Joerg,

Yes, I am trying to do it manually over the configuration page. I'm just wondering whether it would help if I imported a cert signed by a CA for my destination server.

Have you ever seen this between these two versions of vRO?

Rgds,

Jan

iiliev
VMware Employee

I've seen such behavior when manually importing a certificate from vRO 6.x into vCO 5.1.x when I used a URL/IP without a port number.

BTW, server.log is the vCO server log file. When you import a certificate from the vCO Web Configurator, you should look at the configuration log file. For vCO 5.1.x, it is located at /opt/vmo/configuration/jetty/logs/jetty.log

holashh
Enthusiast

Hi Ilian,

Even in the jetty.log file I haven't found a relevant warning, just plug-in and vCenter extension testers, and all seems OK.

I found some messages in vco-rochestrator.log; could you please check them for me? It is attached.

I have imported the .cer file into my 5.1, but it doesn't help.

Thanks for your reply. Do you have any other tips?

Jan

iiliev
VMware Employee

Yes, this SSL handshake exception is exactly the reason why the certificate import fails.

Usually, such an error is caused by incompatible cipher suites or incompatible SSL versions, for example if the client uses only SSLv2 or SSLv3 and the server accepts only TLSv1 or higher (which is the case with the latest release of vRO 6.0.3 and the upcoming 7.0).

What are the exact versions/builds of vCO 5.1.x and vRO 6.0.x that you use? This should tell us which ciphers/SSL versions are in use.

This page https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https contains some useful tips for diagnosing such issues, for example how to print debugging info for connections using the javax.net.debug parameter. You may try to add it to the file /opt/vmo/configuration/jetty/start_jetty.sh (within the JETTY_JVM_OPTS variable) and check the logs for info related to SSL connections.

holashh
Enthusiast

Hi Ilian,

The Windows instances I am trying to connect are versions 6.0.2.2730887 and 5.1.1 build 2980.

I will check the URL you suggested and let you know if it helps.

Thx

Jan

holashh
Enthusiast

I tried to add the debug properties to the .bat and also to the .sh file, but no log contains debug messages.

I tried to follow the link you sent, but there is no chance to test or investigate more deeply now.

Do you have any other tips regarding my versions?

thx

iiliev
VMware Employee

A couple of other things come to mind:

(1) You can try to enable SSLv3 support on your vRO 6 side. Open the files /etc/vco/configuration/server.xml (vRO configurator) and /etc/vco/app-server/server.xml (vRO server), and change the following attribute

  sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"

to

   sslEnabledProtocols="SSLv3, TLSv1, TLSv1.1, TLSv1.2"

After this change, restart the corresponding vRO services for the changes to take effect.

(2) Check which Java version is used by vCO 5.1. I think vCO 5.1.x uses Java 1.6, which can send SSLv2 client hello messages. I'd suggest trying with the latest version of Java 1.7, where SSLv2 client hello messages are removed.

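As an added illustration of the version mismatch Ilian describes in his two replies (not code from this thread or from VMware): a stdlib-only Python parser that classifies a captured ClientHello as SSLv2-framed (the kind a Java 1.6 client can send) or a TLS record, lists the versions it offers, and checks them against a server.xml sslEnabledProtocols value. The JSSE pseudo-protocol name SSLv2Hello, the constructed sample hellos and the "client also accepts anything older than client_version" simplification are assumptions of this example.

```python
import struct

# Wire-encoded protocol versions; names match JSSE / server.xml sslEnabledProtocols values.
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_hello_versions(data: bytes) -> dict:
    """Report the ClientHello framing (SSLv2-style or TLS record) and the versions it offers."""
    if data[0] & 0x80:                        # SSLv2 record: high bit set, 15-bit length, msg type 0x01
        version = struct.unpack("!H", data[3:5])[0]   # Java 1.6 style: SSLv2 framing, version field may say TLSv1
        return {"format": "SSLv2Hello", "versions": [VERSION_NAMES.get(version, hex(version))]}
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    client_version = struct.unpack("!H", data[9:11])[0]    # after 5-byte record + 4-byte handshake header
    pos = 11 + 32                             # skip the 32-byte random
    pos += 1 + data[pos]                      # session_id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + data[pos]                      # compression_methods
    # No supported_versions extension: assume (simplification) the client takes client_version or anything older.
    versions = [v for v in VERSION_NAMES if v <= client_version]
    if pos + 2 <= len(data):                  # extensions block present
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            if ext_type == 0x002B:            # supported_versions: the authoritative offer list
                n = data[pos + 4]
                versions = [struct.unpack("!H", data[pos + 5 + i:pos + 7 + i])[0] for i in range(0, n, 2)]
            pos += 4 + ext_len
    return {"format": "TLS", "versions": [VERSION_NAMES.get(v, hex(v)) for v in versions]}

def server_accepts(hello: dict, ssl_enabled_protocols: str) -> bool:
    """Check a parsed hello against a server.xml sslEnabledProtocols value."""
    enabled = {p.strip() for p in ssl_enabled_protocols.split(",")}
    if hello["format"] == "SSLv2Hello":       # JSSE accepts SSLv2-framed hellos only with this pseudo-protocol on
        return "SSLv2Hello" in enabled and hello["versions"][0] in enabled
    return any(v in enabled for v in hello["versions"])

def build_tls_client_hello(client_version: int, supported_versions=None) -> bytes:
    """Constructed sample ClientHello (one cipher suite, fixed random) for offline testing."""
    body = struct.pack("!H", client_version) + b"\x22" * 32 + b"\x00"   # version, random, empty session_id
    body += b"\x00\x02\x00\x2f\x01\x00"                                  # one cipher suite, null compression
    if supported_versions:
        vs = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HHB", 0x002B, len(vs) + 1, len(vs)) + vs
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# Constructed sample: SSLv2-framed CLIENT-HELLO advertising TLSv1, two cipher specs, 16-byte challenge.
SSLV2_HELLO = bytes.fromhex("801f01030100060000001000002f00000a") + b"\x11" * 16
```

Feed it the first bytes the client sends (for example from a packet capture of the failing import); an SSLv2-framed hello against a server list without SSLv2Hello, or a TLS 1.3-only offer against a TLS 1.0-1.2 server, is reported as rejected before any certificate is ever exchanged.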
holashh
Enthusiast

Well, I've done what you suggested about SSLv3 and it didn't help. Do you think it is enough to copy java.exe from vRO 6, which has 1.7, to vCO 5.1?

I've checked server.xml on the 5.1 side, and there I have Diffie-Hellman ciphers and sslProtocol="TLS"; should I make any change here also?

holashh
Enthusiast

My issue was solved by opening ports on the firewall, so I mark this as answered.
