OracleVM Manager Console Failing with ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Google Chrome version 48 dropped support for the RC4 algorithm. This causes problems with OracleVM Manager 3.3, which uses RC4 as one of its default cipher suites.

The error occurs when you try to access the OVM Manager console. You will get

To fix this, you need to add a new cipher suite to the OVM Manager WebLogic configuration file.

1. Log in as the oracle user
2. cd /u01/app/oracle/ovm-manager-3/domains/ovm_domain/config
3. Back up the config.xml (e.g. copy it to config.xml.2016-02-04 or something)
4. Edit config.xml, add “<ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>” to the end of the AdminServer ciphersuite listing.

Should look something like this:

5. Restart the OVM Manager server as root:
service ovmm restart

After this you should be able to connect to OVM Manager console.
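
A pre-restart check for steps 3 to 5, added here as an example and not part of the original post: it confirms that the edited config.xml is still well-formed XML and that the AdminServer block lists the new suite. The element layout in the constructed sample (server, name, ssl, ciphersuite) and the RC4 suite name in it are assumptions, as is the function name check_config.

```python
import sys
import xml.etree.ElementTree as ET

REQUIRED = "TLS_RSA_WITH_AES_128_CBC_SHA"  # suite added in step 4

# Constructed sample; the element layout is an assumption and the real file is larger.
SAMPLE = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <server>
    <name>AdminServer</name>
    <ssl>
      <enabled>true</enabled>
      <ciphersuite>TLS_RSA_WITH_RC4_128_SHA</ciphersuite>
      <ciphersuite>TLS_RSA_WITH_AES_128_CBC_SHA</ciphersuite>
    </ssl>
  </server>
</domain>"""


def local(tag):
    """Strip the XML namespace so the check works with or without one."""
    return tag.rsplit("}", 1)[-1]


def check_config(xml_text, server="AdminServer"):
    """Return a dict saying whether the edited config looks safe to restart with."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:  # a broken element keeps the admin server from starting
        return {"ok": False, "reason": f"not well-formed: {exc}", "suites": []}
    for srv in (e for e in root.iter() if local(e.tag) == "server"):
        names = [c.text.strip() for c in srv if local(c.tag) == "name" and c.text]
        if server not in names:
            continue
        suites = [e.text.strip() for e in srv.iter()
                  if local(e.tag) == "ciphersuite" and e.text]
        if REQUIRED not in suites:
            return {"ok": False, "reason": f"{REQUIRED} not listed", "suites": suites}
        return {"ok": True, "reason": "ok", "suites": suites}
    return {"ok": False, "reason": f"server {server} not found", "suites": []}


if __name__ == "__main__":
    # Pass the path to config.xml as the first argument; without one the sample is checked.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = check_config(text)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it against the edited config.xml before step 5; a non-zero exit status means the backup from step 3 should be restored or the edit corrected first.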

If you try to use the AES256 cipher suite instead of AES128, you will get:

"java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers"
This is due to export restrictions, so you should use AES128 if you haven't updated the needed jars to support AES256.


remmerd said...

Making this change won't affect running virtual machines, will it?

Harri Kaukovuo said...

No this does not affect running virtual machines.

-- Harri

Anonymous said...

Adding the line stopped my OVMM service from starting, even after a reboot of the server. Removing the line allowed the service to start. Is there something I need to download/install/configure to make this work?

Thank you,

Computing professional, Linux noob

Anonymous said...

This has been fixed with latest maintenance pack 3.3.4

Harri Kaukovuo said...

Yes, this has been fixed with the latest 3.3.4.
In answer to Matt: this should not require any other special configuration. If there is an error with the XML element, this will prevent the admin server from starting up.

-- Harri