Whilst I was with a customer recently, I hit an SSL-related issue whilst trying to put together a vRO workflow to orchestrate the creation of a load-balancer configuration on a Citrix Netscaler VPX.
Adding the REST host(s) to vRO was accomplished without any issue, but when I came to use them my workflow failed with the following error:
Cannot execute request: ; java.security.cert.CertificateException: Certificates does not conform to algorithm constraintsCertificates does not conform to algorithm constraints
As this vRO instance was running on a vRA appliance, my first port of call was starting the vRO Control Center service and making sure that the REST host certificates had indeed been imported into vRO and were trusted. They were.
Looking at the certificates themselves (as I had blindly accepted them up until that point) I noticed that they were self-signed, and the cause of the error became clearer. Some software solutions generate fairly weak SSL certificates by default, to maintain backwards compatibility with other legacy solutions and, in some instances, perhaps because it’s easier and cheaper. Some of the algorithms used to generate and/or sign these certificates are weak or have known vulnerabilities and are increasingly untrusted by default. You only have to fire up an up-to-date version of the Chrome browser and point it at something using such a certificate to see that happen – Chrome says no!
The Java implementation on a vRA 7 appliance is no different: certain algorithms are untrusted by default. Should you need to, you can enable them again.
- SSH to the vRA appliance using either the root account or an account capable of using sudo
- Navigate to the directory /usr/java/jre-vmware/lib/security
- Copy java.security to java.security.old (always take a backup!)
- Use vim to edit the java.security file
- Comment out the line jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
- Comment out the line jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
- Save the file
- Restart the vRO service (service vco-server restart)
I should stress that this is very much a short-term solution. The preferred solution would be to replace the SSL certificates on the problematic solution and re-enable the settings adjusted above. If that isn’t practical, use trial and error to work out which specific algorithm is causing the issue and remove only that from the setting.
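As an added example (not from the original post), the following shell snippet takes the narrower route the last paragraph recommends: instead of commenting out the whole line, it removes a single constraint from one disabledAlgorithms property, backs the file up first, and leaves every other restriction in place. The sample java.security excerpt and the choice of "RSA keySize < 1024" as the constraint to drop are constructed for demonstration.

```shell
#!/bin/sh
# Added example: remove one constraint from a java.security disabledAlgorithms
# property rather than disabling the whole property. Sample data is constructed.

# drop_constraint FILE PROPERTY CONSTRAINT
# Removes CONSTRAINT (e.g. "MD2" or "RSA keySize < 1024") from the comma-separated
# value of PROPERTY in FILE, saving a backup as FILE.old first.
drop_constraint() {
  file=$1; prop=$2; constraint=$3
  cp "$file" "$file.old"
  awk -v prop="$prop" -v drop="$constraint" '
    index($0, prop "=") == 1 {
      # Split the value after "prop=" into its comma-separated items
      n = split(substr($0, length(prop) + 2), items, ",")
      out = ""
      for (i = 1; i <= n; i++) {
        item = items[i]
        gsub(/^[ \t]+|[ \t]+$/, "", item)   # trim surrounding whitespace
        if (item != drop) out = (out == "" ? item : out ", " item)
      }
      print prop "=" out
      next
    }
    { print }' "$file.old" > "$file"
}

# get_property FILE PROPERTY: print the current value of PROPERTY in FILE.
get_property() {
  sed -n "s/^$2=//p" "$1"
}

# Constructed excerpt mirroring the two lines the post refers to.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of java.security
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
EOF

drop_constraint "$SAMPLE" jdk.certpath.disabledAlgorithms "RSA keySize < 1024"
get_property "$SAMPLE" jdk.certpath.disabledAlgorithms   # MD2
get_property "$SAMPLE" jdk.tls.disabledAlgorithms        # unchanged
```

On the appliance itself you would point it at /usr/java/jre-vmware/lib/security/java.security and restart the vRO service afterwards, exactly as in the steps above.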