Connectrix Brocade B-Series: CMCNE Fabric Discovery failed because the SSL certificate of the seed switch use a weak algorithm

           

Article Number: 521075 | Article Version: 3 | Article Type: Break Fix
   

 


Product:

 

Connectrix Manager Converged Network Edition, Connectrix

 

Issue:

 

 

When discovering a fabric in CMCNE, discovery fails with the message: "Fabric Discovery failed because the SSL certificate of the seed switch use a weak algorithm."
   

 

 

Cause:

 

 

From the release notes:
    When hosts, vCenters, SMIA clients or SSL/TLS email servers do not have certificates with SHA2 algorithm and RSA keySize > 2048, the discovery and management of the hosts and vCenters, connections from SMIA clients, and email notifications (when CMCNE is configured with SSL/TLS) will fail due to disabling of all weak hashing algorithms in CMCNE 14.3.1 to make it more secure.
     
                                                           

 

 

Change:

 

 

Migrate from 14.2.2 to 14.4.1                                                           

 

 

Resolution:

 

 

Fix:
    1. If the switch is using a self-signed certificate, regenerate the self-signed certificate according to the requirements in the release notes.
    - See "Connectrix Brocade B-Series: How to enable HTTPS webtools GUI access on Brocade switches with self-signed certificates in Fabric OS 8.1.x and above" for how to generate self-signed certificates in Fabric OS 8.1.x and above.

    - See "Connectrix Brocade B-Series: How to enable HTTPS webtools GUI access on Brocade switches with self-signed certificates in Fabric OS 8.0.x and lower" for how to generate self-signed certificates in Fabric OS 8.0.x and lower.

    2. If the switch is using a certificate from an official or other company's CA, request a new one according to the requirements in the release notes.
   
    Workaround:
     If users wish to continue using certificates with weaker algorithms:
    1) Stop all CMCNE services using the Service Management Console.
    2) Browse to <CMCNE Home>\jre64\lib\security\java.security
    3) Copy the file java.security to another non-CMCNE folder to save the original.
    4) Edit the current java.security file and remove "SHA1" and "RSA keySize < 2048" from the following line in order to re-enable them:
    Example:
    Original:
    jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDH, SSLv3, RC4, MD5withRSA, SHA1, DSA, DH keySize < 768, EC keySize < 224, RSA keySize < 2048   
    After removal:
    jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, ECDH, SSLv3, RC4, MD5withRSA,  DSA, DH keySize < 768,  EC keySize < 224    
    5) Save the file   
    6) Restart all CMCNE services
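
The effect of the step 4 edit can be checked before the services are restarted. The following Python sketch is an added example, not part of the original article or of CMCNE: it parses the two jdk.tls.disabledAlgorithms values shown above, lists what the edit re-enables, and reports which entries would reject a given certificate. The function names are hypothetical, and the matching is a simplified model of the JDK's constraint checking (name match on the decomposed signature algorithm plus keySize comparisons).

```python
import re

# The two property values shown in the article (before and after the workaround).
ORIGINAL = ("jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, "
            "ECDH, SSLv3, RC4, MD5withRSA, SHA1, DSA, DH keySize < 768, "
            "EC keySize < 224, RSA keySize < 2048")
EDITED = ("jdk.tls.disabledAlgorithms=MD5, DES, 3DES, DESede, RC2, DHE, DH, "
          "ECDH, SSLv3, RC4, MD5withRSA,  DSA, DH keySize < 768,  EC keySize < 224")

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
       ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
       "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
SIZE_RE = re.compile(r"(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")


def parse_disabled(line):
    """Split the property value into plain names and keySize constraints."""
    names, sizes = set(), []
    for entry in (e.strip() for e in line.split("=", 1)[1].split(",")):
        m = SIZE_RE.fullmatch(entry)
        if m:
            sizes.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif entry:
            names.add(entry.upper())
    return names, sizes


def rejection_reasons(line, sig_alg, key_alg, key_bits):
    """Entries that reject a certificate with this signature algorithm and key."""
    names, sizes = parse_disabled(line)
    # "SHA1withRSA" is checked as the full name and as its parts SHA1 and RSA.
    parts = {sig_alg.upper()} | {p.upper() for p in re.split(r"(?i)with", sig_alg)}
    reasons = sorted(parts & names)
    reasons += [f"{alg} keySize {op} {bits}" for alg, op, bits in sizes
                if alg == key_alg.upper() and OPS[op](key_bits, bits)]
    return reasons


def reenabled(before, after):
    """Entries present in `before` but missing from `after`."""
    (nb, sb), (na, sa) = parse_disabled(before), parse_disabled(after)
    return sorted(nb - na) + [f"{a} keySize {o} {b}" for a, o, b in sb
                              if (a, o, b) not in sa]


if __name__ == "__main__":
    print("Re-enabled by the workaround:", reenabled(ORIGINAL, EDITED))
    # Constructed sample: a SHA1withRSA certificate with a 1024-bit RSA key.
    print("Original :", rejection_reasons(ORIGINAL, "SHA1withRSA", "RSA", 1024))
    print("Edited   :", rejection_reasons(EDITED, "SHA1withRSA", "RSA", 1024))
```

An empty list from rejection_reasons means no entry in that property value blocks the certificate; a SHA256withRSA certificate with a 2048-bit key passes both values unchanged.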