Certificates does not conform to algorithm constraints

Article ID: 123109


Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
CA Privileged Access Manager (PAM)

Issue/Introduction

PAM is connecting to a SQL Server instance to verify a target account, but the attempt fails with the following error:

SEVERE: UpdateTargetAccountCmd.invoke -1: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints". 

Environment

Release:
Component: PAGUI

Resolution

The server-side certificate might be signed with the SHA1 algorithm.

Run the openssl s_client command against your MSSQL server service port to retrieve the server certificate.

openssl s_client -connect <MSSQL IP>:<Port>

This should list your server certificate.

Copy the certificate part, starting at (and including) -----BEGIN CERTIFICATE----- and ending at (and including) -----END CERTIFICATE-----, followed by an empty line, into a text file.

For example, save the certificate below.
=====BEGIN SAMPLE=====
-----BEGIN CERTIFICATE-----
AAAABBBBCCCCDDDD
EEEEFFFF1111222233==
-----END CERTIFICATE-----

=====END SAMPLE=====

Let's say you saved the certificate as cert.txt.
Then run the following command against that file to confirm whether it is signed with SHA1 or SHA2.

openssl x509 -text -in cert.txt

This will output something like below:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 47:2b:43:a2:d3:8b:77:ea
    Signature Algorithm: sha256WithRSAEncryption

In the above sample, you can see that the certificate is signed with SHA2.
SHA1 is obsolete, so you need to ensure your server certificate is signed with SHA2.
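The steps above (retrieve the certificate with openssl s_client, save the PEM block to a file, and read the Signature Algorithm line from openssl x509 -text) can be scripted so the check is repeatable. The following POSIX shell script is an added example and is not part of this article or the PAM product; it assumes openssl is on the PATH and that the host and port (the article's <MSSQL IP> and <Port> placeholders) are supplied by the caller. The function names fetch_server_cert, cert_sig_alg, classify_sig_alg and check_server are this example's own.

```shell
#!/bin/sh
# Added example (not from the KB article): automate the openssl certificate check.
# Assumes: openssl on PATH; host and port supplied by the caller.

# Fetch the certificate offered by a TLS endpoint and save only the PEM block
# (-----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----) to a file.
fetch_server_cert() {
    host=$1; port=$2; out=${3:-cert.txt}
    # </dev/null closes stdin so s_client returns after the handshake instead of waiting for input.
    openssl s_client -connect "${host}:${port}" -servername "$host" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$out"
    [ -s "$out" ]   # fail when no certificate block was captured
}

# Print the signature algorithm of a PEM certificate file, e.g. sha256WithRSAEncryption.
# openssl prints "Signature Algorithm:" twice (in the TBS data and before the signature
# value); the first line is the one to read.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify an algorithm name as printed by openssl:
#   weak    - SHA-1 or MD5 based signatures (rejected by current Java algorithm constraints)
#   ok      - SHA-2 family signatures (RSA or ECDSA)
#   unknown - anything else; inspect manually
classify_sig_alg() {
    case "$1" in
        sha1*|md5*|md2*|ecdsa-with-SHA1)                                    echo weak ;;
        sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) echo ok ;;
        *)                                                                  echo unknown ;;
    esac
}

# End-to-end check: fetch, inspect, classify. Returns non-zero when the server
# certificate is signed with a weak algorithm or could not be retrieved.
check_server() {
    fetch_server_cert "$1" "$2" cert.txt || { echo "could not retrieve certificate from $1:$2" >&2; return 2; }
    alg=$(cert_sig_alg cert.txt)
    verdict=$(classify_sig_alg "$alg")
    echo "$1:$2 signature algorithm: $alg ($verdict)"
    [ "$verdict" != weak ]
}

# Usage: check_server <MSSQL IP> <Port>
```

Run check_server with the SQL Server host and port; a "weak" verdict means the server certificate is the SHA1-signed kind that produces the "Certificates does not conform to algorithm constraints" error and should be replaced with a SHA2-signed certificate.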

Possible resolution 2

There was a report where the primary PAM server was still pinned to the old certificate: even after the new certificates were installed, it kept using the old one. Deleting all the old certificates and reapplying the new certificates fixed the Java algorithm error.

Additional Information

https://www.tbs-certificates.co.uk/FAQ/en/microsoft_depreciation_sha1.html