Summary

In some cases, after upgrading to DPX 4.5.0 or later, communication with vCenter may fail with an SSLHandshakeException error. This can happen during an agentless backup job or while scanning vCenter into the Enterprise. There are two possible solutions to resolve this issue:

  • Increase the keySize to have 1024-bit SSL on the vCenter.
  • Change the keySize minimum limit to 512-bit in DPX.

Symptoms

The agentless backup job log may display:

x.x.x.x 6/2/2014 7:58:17 pm SNBSVH_941E Other error, caused by Failed to get the Job Definition Selection from Catalogic DPX Catalog, caused byThere has been a problem in obtaining vmware connection for addr (x.x.x.x) with user name (aaa\bbb), reason (com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)

 

Resolution

This communication issue may occur if vCenter is still using a 512-bit SSL keySize. vCenter Server 5.5 supports only SSL certificates with keys of 1024 bits or more (https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-55u1-release-notes.html), but it is possible to upgrade from a prior version of vCenter without upgrading the 512-bit SSL keySize.

There are two possible solutions:

  • Increase the keySize to have 1024-bit SSL on the vCenter.
  • Change the keySize minimum limit to 512-bit in DPX:
    1. On the DPX Master server and any agentless proxy nodes involved in backup or restore operations to the vCenter, locate the file ssprodir\tools\jre\lib\security\java.security.
    2. Open this file to edit it.
    3. Locate the line "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024".
    4. Edit it as "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512".
    5. Save the file.
    6. Restart DPX CMAGENT on the nodes that have been modified and restart the management console.
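
To confirm which limit a node's java.security actually enforces, before or after the edit above, the following added example (not Catalogic or JDK code) reads the effective jdk.certpath.disabledAlgorithms value and reports whether an RSA key of a given size would be rejected. The function names and the sample text are assumptions made for illustration, and only key=value lines are parsed.

```python
import re

# Constructed sample of a java.security fragment; the property line is the one
# quoted in the article, the comment line is illustrative.
SAMPLE = """\
# Algorithm restrictions for certification path processing (constructed)
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""

# Helper names below are illustrative, not part of DPX or the JDK.
PROP = "jdk.certpath.disabledAlgorithms"
OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}

def read_property(text, name=PROP):
    """Return the effective value of a Java property, or None if unset.

    Skips comments, joins backslash-continued lines, and lets the last
    definition win, as java.util.Properties does.
    """
    value, lines = None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def rsa_key_constraints(value):
    """Extract (operator, bits) pairs from entries like 'RSA keySize < 1024'."""
    found = []
    for entry in (value or "").split(","):
        m = re.fullmatch(r"RSA\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", entry.strip())
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found

def rsa_key_rejected(bits, text):
    """True if an RSA certificate key of `bits` is disabled by this file."""
    return any(OPS[op](bits, limit)
               for op, limit in rsa_key_constraints(read_property(text)))
```

Pass the contents of each node's java.security file as `text`; a node where `rsa_key_rejected(512, text)` returns False is one that has had the minimum lowered.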