
Gateway version 9.4 does not accept certificates with MD5 signature algorithm


Article ID: 188888


Products

CA API Gateway, API SECURITY, CA API Gateway Precision API Monitoring Module for API Gateway (Layer 7), CA API Gateway Enterprise Service Manager (Layer 7), STARTER PACK-7, CA Microgateway

Issue/Introduction

Version 9.4 does not accept certificates with MD5 signature algorithm.

In version 9.2, we had the following configuration in:

/opt/SecureSpan/JDK/jre/lib/security/java.security

jdk.certpath.disabledAlgorithms=MD2 keySize < 1024

With this setting, we accepted this type of certificate.

But after we updated to version 9.4, when we double-click on these certificates, we get a window with this error:

The Policy Manager encountered an internal error or mis-configuration and was unable to complete the operation

We applied the same configuration in Java:

/opt/SecureSpan/JDK/jre/lib/security/java.security

jdk.certpath.disabledAlgorithms=MD2 keySize < 1024

The result is the same error.

Env Details:

We use a virtual appliance.

 

In version 9.4:

~]$ rpm -qa | grep -i ssg

ssg-platform-1.8.00-346.noarch

ssg-9.4.00-9807_CR03.noarch

ssg-nshieldpci-12.40.2-3.el6.x86_64

ssg-appliance-9.4.00-9807_CR03.x86_64

 

~]$ /opt/SecureSpan/JDK/bin/java -version

versión openjdk "1.8.0_222"

OpenJDK Runtime Environment (AdoptOpenJDK)(build 1.8.0_222-b10)

OpenJDK 64-Bit Server VM (AdoptOpenJDK)(build 25.222-b10, mixed mode)

 

In version 9.2:

~]# rpm -qa | grep -i ssg

ssg-appliance-9.2.00-6904.x86_64

ssg-nshieldpci-8.0-12.10.el6.x86_64

ssg-platform-1.6.00-97.noarch

ssg-9.2.00-6904.noarch


~]# /opt/SecureSpan/JDK/bin/java -version

versión de java "1.8.0_102"

Entorno de ejecución Java(TM) SE (build 1.8.0_102-b14)

Java HotSpot(TM) 64-Bit Server VM (build 25.102-b14, mixed mode)

Environment

Release : 9.4

Component : API GATEWAY

Resolution

If the correct version of Policy Manager is used (the one released with each individual CR), this issue does not occur. The root cause is that this certificate does not have any extensions; the MD5 signature algorithm has nothing to do with it. The issue is fixed in Gateway 10.


The solution is to use the 9.4 CR03 Policy Manager, because the Gateway version is 9.4 CR03.
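
To tell the two suspected causes apart before editing java.security, the following added example (not part of the original article and not vendor code) walks a DER-encoded certificate and reports its X.509 version, whether it is signed with md5WithRSAEncryption, and how many extensions it carries. The function names are hypothetical, and the skeleton certificates built by sample() are constructed for illustration only.

```python
MD5_RSA = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption

def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(body):
    # Split a DER value into its (tag, value) elements.
    out, pos = [], 0
    while pos < len(body):
        tag, n = body[pos], body[pos + 1]
        pos += 2
        if n & 0x80:                         # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect(der):
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    (_, tbs), (_, alg), _ = children(children(der)[0][1])
    fields = children(tbs)
    # version is [0] EXPLICIT and absent in v1; extensions are [3] EXPLICIT (v3 only)
    version = children(fields[0][1])[0][1][0] + 1 if fields[0][0] == 0xA0 else 1
    ext = [v for t, v in fields if t == 0xA3]
    count = len(children(children(ext[0])[0][1])) if ext else 0
    return {"version": version, "md5_signed": oid(children(alg)[0][1]) == MD5_RSA, "extensions": count}

def sample(v3, with_ext):
    # Constructed skeleton built with tlv() (empty names, validity, key; dummy signature), not a real certificate.
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010104")) + tlv(0x05, b""))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) if v3 else b"") + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") * 4
    if with_ext:  # one basicConstraints extension (OID 2.5.29.19)
        bc = tlv(0x30, tlv(0x06, bytes.fromhex("551d13")) + tlv(0x04, tlv(0x30, b"")))
        tbs += tlv(0xA3, tlv(0x30, bc))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))

print(inspect(sample(v3=False, with_ext=False)))
```

inspect() expects DER bytes, so a PEM file must be base64-decoded first.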