VC Target Fails to Validate: 'Validation failed due to Security' error

Symptoms

When attempting to add or validate vCenter targets via the Admin, Target Configuration utility, the error “Failed to validate <target address>: RemoteException” is returned or, depending on the Operations Manager version, you may also see the error

"Security Exception:java.security.cert.CertificateException: Certificates does not conform to algorithm constraints"

[Screenshot: remote_exception.JPG]

Cause

One cause of this error is a vCenter server certificate signed with the legacy MD2 digest algorithm.  Java version 7 disables MD2 in certificate path validation on the client side because of known weaknesses in the algorithm.  To confirm whether this is the issue being encountered, follow the steps below:

  1. Try to Validate or Add the target via the Admin, Target Configuration page in the UI to confirm that the RemoteException error will appear.
  2. Log into the appliance via SSH or on the VM console using the ‘root’ account with default password ‘vmturbo’.
  3. Execute the following command:
     grep -i 'Validation failed due to Security' /var/log/tomcat/catalina.out
  4. If output similar to one of the following is returned, then proceed to the Resolution section for steps to resolve the issue:
    2013-09-03 07:14:49,995 ERROR [VIM] : <vCenter host or IP>: unable to find valid certification path to requested target

    2013-09-03 07:14:49,995 ERROR [VIM] : <vCenter host or IP>: Validation failed due to Security: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
  5. If no output is returned from the command issued in Step 3, then the issue may not be caused by the MD2 digest algorithm and you should open a support ticket with VMTurbo Support for further assistance.  This can be done by visiting support.vmturbo.com and clicking the link to ‘Submit a Request’.
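As an added check that is not part of the original article, the following script (not VMTurbo or VMware code) fetches the vCenter server certificate and reads the signature algorithm from the DER structure with the Python standard library only, so you can confirm an MD2-signed certificate before deciding between the two resolution methods; the host and port are supplied on the command line.

```python
import ssl
import sys

# Dotted OIDs of the PKCS#1 RSA signature algorithms, mapped to their names.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
# Signature algorithm rejected by the Java 7 default jdk.certpath.disabledAlgorithms=MD2.
DISABLED_IN_JAVA7 = {"md2WithRSAEncryption"}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER into dotted notation."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 with continuation bit
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    _, _, pos = _read_tlv(cert, 0)          # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)    # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_raw, _ = _read_tlv(sig_alg, 0) # first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid_raw)

def check_certificate(der):
    """Name the signature algorithm and report whether Java 7 defaults reject it."""
    name = SIG_ALG_OIDS.get(signature_algorithm(der), signature_algorithm(der))
    return name, name in DISABLED_IN_JAVA7

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    pem = ssl.get_server_certificate((host, port))   # leaf certificate only, unverified
    name, rejected = check_certificate(ssl.PEM_cert_to_DER_cert(pem))
    print(f"{host}: {name} ({'rejected by Java 7 defaults' if rejected else 'accepted'})")
```

Only the certificate presented by the server is inspected; an MD2-signed intermediate or root in the chain would trigger the same error, so check those separately if the leaf looks fine.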

Resolution


Method 1:  Upgrade vCenter Server certificate to RSA SHA1 (Preferred Method)

The recommended method to resolve this issue is to replace the vCenter server certificate, which is signed with the legacy MD2/MD5 digest algorithm, with one signed using RSA SHA1.

Instructions to perform this change are provided in the following KB article from VMWare:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2013087 


Method 2:  Re-enable legacy MD2 certificate handling in Java 7 within Operations Manager

NOTE:  The procedure below reduces the default security level of Java 7.  Proceed with these steps only if you completely understand the risks associated with accepting certificates signed with the legacy MD2 digest algorithm in your environment.

The following steps modify the Java security configuration on the Operations Manager appliance to re-enable MD2 certificate validation, permitting Operations Manager to communicate with vCenter hosts whose certificates are signed with the insecure MD2 digest algorithm:

  1. Log into the appliance via SSH or on the VM console using the ‘root’ user.
  2. Open the file /usr/lib64/jvm/java-1.7.0-openjdk-1.7.0/jre/lib/security/java.security using the vi text editor.
  3. Search for the following text within the file:
     jdk.certpath.disabledAlgorithms
  4. Comment out this line by adding a ‘#’ to the beginning of the line, so it looks like this (note that this clears the entire disabled-algorithm list on that line, not only MD2):
     # jdk.certpath.disabledAlgorithms
  5. Save and close the file.
  6. Restart the tomcat web server by issuing the command ‘service tomcat restart’
  7. Wait approximately 5 minutes for the Web UI to come back up, and then log in and attempt to add the vCenter target again.

More Information

  • This article applies to Operations Manager version 4.0 or later.
  • This article applies to VMTurbo customers managing VMWare vCenter targets with Operations Manager.  To date, VMTurbo is not aware of this issue occurring with the other supported hypervisors.
  • For more information regarding the update to Java 7 disabling support for MD2 encryption, refer to the following article:
    http://docs.oracle.com/javase/7/docs/technotes/guides/security/enhancements-7.html