Symptoms


In order to function, the Zerto Virtual Manager (ZVM) must be able to properly communicate with its site vCenter.  Prior to ZVR 3.1, there are several situations in which configurations of the Windows OS on which the ZVM runs may interfere with this communication.  This article outlines some of the situations that can affect ZVM-to-vCenter communications prior to ZVR 3.1, and provides reference to solutions. Starting with ZVR 3.1, the issues described below will not have an effect on ZVM-to-vCenter communications.  



  

Solution


Windows Server 2003/2008:

Microsoft Hotfix KB2661254 may have been installed on Windows Server 2003 or Windows Server 2008. Windows machines that are running the Zerto Virtual Manager and installed with this Microsoft Update might get disconnected from their respective vCenter instances, if the vCenter certificate was generated with a key length of 512 bits. A ZVR administrator may notice that Zerto Virtual Replication GUI failed to load, while vSphere Client has no trouble connecting to vCenter. Also, attempts at connecting to vCenter from the ZVM using the Internet Explorer web browser may fail (i.e. https://vcserver/mob).

The recommended solutions for this problem are as follows:

  • Follow VMware KB 2037082 for further instructions on how to regenerate the certificate to be at least 1024 bits long

  • Follow Microsoft KB 2661254 to allow Windows to accept weaker certificates - namely, run the following command on the ZVM to allow 512 bit certificate key lengths to be accepted:

    • certutil -setreg chainminRSAPubKeyBitLength 512

  • Follow Microsoft KB 2661254 to enable an RSA root certificate that has a key length of less than 1024 bits:

    • certutil -setreg chainEnableWeakSignatureFlags 2

  • Uninstall the hotfix from the Windows OS running the ZVM

For more information about this hotfix, and instructions to workaround the issues it causes, refer to the following articles:

 

Windows Server 2012:

The vCenter certificate may have been generated with a key length of 512 bits. As a result, a ZVR administrator may notice that Zerto Virtual Replication GUI failed to load, while vSphere Client has no trouble connecting to vCenter. Also, attempts at connecting to vCenter from the ZVM using the Internet Explorer web browser may fail (i.e. https://vcserver/mob).

The recommended solutions for this problem are as follows:

  • Follow VMware KB 2037082 for further instructions on how to regenerate the certificate to be at least 1024 bits long

  • Follow Microsoft KB 2661254 to allow Windows to accept weaker certificates - namely, run the following command on the ZVM to allow 512 bit certificate key lengths to be accepted:

    • certutil -setreg chainminRSAPubKeyBitLength 512

  • Follow Microsoft KB 2661254 to enable an RSA root certificate that has a key length of less than 1024 bits:

    • certutil -setreg chainEnableWeakSignatureFlags 2

Windows Server 2003:

The vCenter certificate may not be able to be validated by by the ZVM when the certificate is of form X.509, or the certification authority (CA) is configured with SHA2 256 or greater encryption.