Problem:
Unable to launch Live Health applications with "Failed to validate certificate, The application will not be executed." error.
Failed to validate certificate,
The application will not be executed.
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: algorithm constraints check failed
at sun.security.validator.PKIXValidator.doValidate(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
Environment:
Microsoft Windows 7 and Windows 2008 Server with Java 1.7u40 and later
eHealth version 6.3.0 and above.
Cause:
Starting with Java/JRE 7u40, Java requires the application (the jar file executed via jnlp) to be signed by a certificate with a minimum public key size of 1024 bits.
At this time the Live Health jnlps are signed with a certificate of less than 1024 bits (we use 512 bits), causing a security validation failure.
Resolution:
The minimum public key size is a default value set in the JRE's java.security file. It can be edited to require a higher or lower minimum public key size.
The java.security file is located in the Java/JRE installation directory on the client machine (jre/lib/security/java.security). If several versions of the JRE have been installed, open the Java control panel and click on the Java tab. Click on the View button to see the path of the JRE version that is configured for Internet Explorer (IE) or Firefox.
In JRE 7u40 the java.security by default has this setting:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
Changing the value 1024 to 256 solves the issue in eHealth Live clients (as they are currently signed by a certificate with a 512-bit key). This change in java.security has to be made by a user with the administrator role, and Java must be restarted for the change to take effect.
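The jdk.certpath.disabledAlgorithms property applies to every certificate path that JRE validates, so it is useful to be able to check which clients carry the default threshold and which carry the lowered one. The following is an added example, not part of the original article or of eHealth: it reads the property from java.security text and reports whether a key of a given size would be rejected. The function names and the sample file contents are constructed for illustration, and only the plain algorithm name and the keySize constraint form shown above are handled.

```python
import operator
import re

# Comparison operators accepted in a "keySize <op> <bits>" constraint.
OPS = {"<=": operator.le, "<": operator.lt, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}

# Constructed java.security excerpts: the 7u40 default and the edited workaround.
DEFAULT = "# sample\njdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024\n"
EDITED = "jdk.certpath.disabledAlgorithms=MD2, \\\n    RSA keySize < 256\n"

def read_property(text, name="jdk.certpath.disabledAlgorithms"):
    """Return the property value from java.security text, or None if unset."""
    value, collecting = None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not collecting:
            if line.startswith("#") or "=" not in line:
                continue
            key, _, rest = line.partition("=")
            if key.strip() != name:
                continue
            value, line = "", rest.strip()   # a later definition replaces an earlier one
        collecting = line.endswith("\\")     # trailing backslash continues the value
        value += line.rstrip("\\").strip() + (" " if collecting else "")
    return value

def rejects(value, algorithm, key_bits):
    """True if the disabledAlgorithms value blocks this algorithm and key size."""
    for entry in (e.strip() for e in (value or "").split(",")):
        m = re.fullmatch(r"(\S+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?", entry)
        # Names are compared case-insensitively in this sketch.
        if not m or m.group(1).upper() != algorithm.upper():
            continue
        if m.group(2) is None:               # bare name: disabled at any key size
            return True
        if OPS[m.group(2)](key_bits, int(m.group(3))):
            return True
    return False

if __name__ == "__main__":
    for label, text in (("default", DEFAULT), ("edited", EDITED)):
        value = read_property(text)
        print(label, repr(value), "rejects RSA-512:", rejects(value, "RSA", 512))
```

To audit a real client, pass the contents of its jre/lib/security/java.security file to read_property in place of the constructed samples.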