When attempting to validate an AutoSys server in the WebUI, the AEWS validation fails with the error "Certificates do not conform to algorithm constraints".
AutoSys 12.x
WCC 12.x
Component: WebUI
The certificates for AEWS and the WebUI need to be regenerated with a 2048-bit key length.
For AE WebServer (On Scheduler server):
Note: Replace <hostname_fqn> with the fully qualified host name of the AE WebServer.
1) Stop the AE web server.
2) Back up the keystore file of the AE web server
mkdir /backupDir
cp $AUTOUSER/webserver/conf/.keystore /backupDir/.keystoreRestWebServer
3) Generate certificates with a 2048-bit key length
$AUTOSYS_INSTALL_LOCATION/JRE_WA/bin/keytool -delete -alias tomcat -keystore $AUTOUSER/webserver/conf/.keystore -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar -storepass changeit -storetype BCFKS
$AUTOSYS_INSTALL_LOCATION/JRE_WA/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore $AUTOUSER/webserver/conf/.keystore -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar -storepass changeit -keypass changeit -dname "CN=<hostname_fqn>, OU=WAAE, O=CA" -validity 14600 -keysize 2048 -storetype BCFKS
4) Start the AE REST web server
5) Validate the server under the Configuration tab of WCC.
For WebUI:
Note: Replace <hostname_fqn> with the fully qualified host name of the WCC server.
1) Stop WebUI services
2) Back up the existing keystore of WCC
mkdir -p /backupDir
cp /opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore /backupDir/.keystoreUITomcat
3) Generate a certificate with a 2048-bit key length for WCC Tomcat
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -delete -alias tomcat -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit
$CA_WCC_INSTALL_LOCATION/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit -keypass changeit -keysize 2048 -dname "cn=<hostname_fqn>" -ext san=dns:<hostname_fqn> -validity 14600
Note: You will receive the warning message below. This is expected and can be ignored.
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore -destkeystore /opt/CA/WorkloadAutomationAE/wcc/data/config/.keystore -deststoretype pkcs12".
4) Start the WebUI services
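A check to run after either regeneration, added here as an example and not part of the original article or the product's tooling: it reads `keytool -list -v` output and reports any alias whose RSA key is shorter than 2048 bits. The function name `weak_keys`, the sample listings and host name are constructed, and the script assumes the JRE's keytool prints a line of the form `Subject Public Key Algorithm: 2048-bit RSA key`.

```shell
#!/bin/sh
# Added example (not vendor code): flag keystore entries with short RSA keys.
# Reads `keytool -list -v` output on stdin, prints "<alias> <bits>" per weak key.
# Exit status: 0 = all RSA keys meet the minimum, 1 = weak key found,
#              2 = no RSA key line was parsed (wrong input or unexpected format).
weak_keys() {
    min_bits="${1:-2048}"
    awk -v min="$min_bits" '
        /^Alias name:/ {
            alias = $0
            sub(/^Alias name:[ \t]*/, "", alias)
        }
        /Subject Public Key Algorithm:.*RSA/ {
            seen++
            bits = $0
            sub(/^.*Algorithm:[ \t]*/, "", bits)   # drop the label
            sub(/-bit.*$/, "", bits)               # keep only the number
            if (bits + 0 < min + 0) { print alias, bits; weak++ }
        }
        END {
            if (seen == 0) exit 2
            if (weak > 0) exit 1
            exit 0
        }
    '
}

# Constructed sample listings (trimmed to the lines the parser uses).
sample_before() {
cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=host.example.com, OU=WAAE, O=CA
Subject Public Key Algorithm: 1024-bit RSA key
EOF
}

sample_after() {
cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=host.example.com, OU=WAAE, O=CA
Subject Public Key Algorithm: 2048-bit RSA key
EOF
}

# Real use against the WCC keystore from the steps above:
#   $CA_WCC_INSTALL_LOCATION/jre/bin/keytool -list -v -keystore $CA_WCC_INSTALL_LOCATION/data/config/.keystore -storepass changeit | weak_keys 2048
```

For the AE WebServer keystore, pass the same `-provider`, `-providerpath` and `-storetype BCFKS` options used in the keytool commands above when producing the listing.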