Enthusiast

vCO - Adding vCenter

When adding a vCenter 5.5 Server to Orchestrator 5.5u1 I get the error:

InternalError: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints (Workflow:Import a certificate from URL / Validate (item1)#6)

This vCenter server has been upgraded to 5.5 from numerous previous versions of vCenter.

Any suggestions on how I can add this server?

The Google machine references SSL, MD5 compatibility issues.

Thoughts?

~Alex

Accepted Solutions
VMware Employee

Maybe some of the certificates have too short a key, or use an algorithm which is not supported anymore. You may try to somewhat relax the restrictions.

Look for a file named java.security (in the vCO appliance, it is located at /usr/java/jre-vmware/lib/security/java.security). Open it with a text editor and look for the property jdk.certpath.disabledAlgorithms. Its default value is something like

   jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

which disables short keys (< 1024 bits). Check if your certificates violate some of the restrictions defined by this property, and if yes, remove the restriction from the property value. Save the file and restart the vCO appliance for the change to take effect.

I haven't actually tried these steps, but in theory they should work.

Enthusiast

I verified that the vCenter was using an old 512 size certificate. I changed the file as described here and I was able to successfully add the vCenter server to vCO.

Marked as Resolved

Thank You

~Alex Allen C.

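The check the accepted solution describes (which restriction in jdk.certpath.disabledAlgorithms does the certificate trip?), as an added example that is not part of the original thread or of VMware's code. It assumes the certificate details come from `openssl x509 -noout -text`, handles only the `keySize` rule form shown above, and approximates the JRE's name matching; the sample certificate text (including its MD5 signature algorithm) is constructed.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
RULE = re.compile(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?")

# Constructed sample: the relevant lines of `openssl x509 -noout -text` output
SAMPLE_CERT = """\
    Signature Algorithm: md5WithRSAEncryption
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            Public-Key: (512 bit)
"""

def parse_disabled(value):
    """Parse the property value into (ALGORITHM, operator, bits) rules."""
    rules = []
    for item in value.split(","):
        m = RULE.fullmatch(item.strip())
        if not m:
            raise ValueError(f"unsupported rule: {item.strip()!r}")
        alg, op, bits = m.groups()
        rules.append((alg.upper(), op, int(bits) if bits else None))
    return rules

def names(openssl_name):
    """md5WithRSAEncryption -> {'MD5', 'RSA'}; rsaEncryption -> {'RSA'}."""
    return {p.upper() for p in re.split(r"(?i)with|encryption|-", openssl_name) if p}

def violated_rules(cert_text, property_value):
    """Return the rules in property_value that the certificate trips."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", cert_text).group(1)
    key = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text).group(1)
    bits = int(re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text).group(1))
    hits = []
    for alg, op, limit in parse_disabled(property_value):
        if op is None:                       # bare algorithm name, e.g. "MD2"
            if alg in names(sig) | names(key):
                hits.append(alg)
        elif alg in names(key) and OPS[op](bits, limit):
            hits.append(f"{alg} keySize {op} {limit}")
    return hits

if __name__ == "__main__":
    print(violated_rules(SAMPLE_CERT, "MD2, RSA keySize < 1024"))
```

An empty result means the certificate passes every listed rule; a non-empty one names exactly the entries that block it, which is what tells you whether the certificate should be reissued with a longer key or which single entry is in play.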
VMware Employee

If the error is seen in VMware Horizon, follow KB76348.
