After upgrading Applications Manager to version 9.6 or above, SQL Server connections may fail with the below error:
Details: "encrypt" property is set to "true" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption:
Error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.
Additional errors observed are:
com.microsoft.sqlserver.jdbc.SQLServerException: "encrypt" property is set to "false" and "trustServerCertificate" property is set to "false" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption:
Error: Certificates do not conform to algorithm constraints.
Or
com.microsoft.sqlserver.jdbc.SQLServerException: "encrypt" property is set to "false" and "trustServerCertificate" property is set to "true" but the driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption:
Error: Certificates do not conform to algorithm constraints.
Applications Manager 9.5.3+
Java 17 or 21
Applications Manager 9.6 adds support for Java 17 and 21. These Java versions introduce additional SSL changes that result in the error. Please refer to Oracle for more information.
Additionally, a system setting may cause the connection to fail.
Solution 1:
Edit the SQL Server connection object and add the line below to the "Additional Params" field. Please note that with this setting Java will always trust the certificate presented by the SQL Server, without validating it. Check with your SQL Server admin or OS admin whether this setting is acceptable. If not, they may need to import the SQL Server certificates into Java's cacerts. Again, please refer to your SQL Server or OS admin regarding this topic.
If MSSQLSERVER's SQL Server Network Configuration has 'Force Encryption' enabled:
encrypt=true;trustServerCertificate=true;
If MSSQLSERVER's SQL Server Network Configuration has 'Force Encryption' disabled:
encrypt=false;trustServerCertificate=true;
Solution 2:
If MSSQLSERVER's SQL Server Network Configuration has 'Force Encryption' disabled but the above suggestion does not fix the issue, a Java or OS level setting may be the cause of the issue. Refer to your OS admin to review the Applications Manager master server for the following parameters:
jdk.tls.disabledAlgorithms
jdk.certpath.disabledAlgorithms
These parameters may be set in, but not limited to, the following locations:
$JAVA_HOME/jre/lib/security/java.security
$JAVA_HOME/conf/security/java.security
/etc/crypto-policies/back-ends
If the jdk.tls.disabledAlgorithms or jdk.certpath.disabledAlgorithms parameter is found in one or more of these files, review it for values that have been recently added or updated.
For example, a common cause of this issue is seen when jdk.tls.disabledAlgorithms disables SHA1withRSA (jdk.tls.disabledAlgorithms=SHA1withRSA).
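A read-only helper for the Solution 2 review, added here as an example (it is not vendor code). It prints the effective value of both parameters from each location listed above and flags SHA1withRSA. The function names are hypothetical, and it assumes a POSIX shell with awk and that JAVA_HOME points at the Java used by Applications Manager.

```shell
#!/bin/sh
# Added example: read-only report; it changes nothing on the system.

# get_prop FILE PROPERTY
# Prints the value as Java reads it: backslash-continued lines are joined,
# comment lines are skipped, and the last definition in the file wins.
get_prop() {
    awk -v prop="$2" '
    {
        if (cont) { sub(/^[ \t]+/, ""); line = line $0 }
        else if ($0 ~ /^[ \t]*[#!]/) { next }
        else { line = $0 }
        cont = (line ~ /\\$/)
        if (cont) { sub(/\\$/, "", line); next }
        eq = index(line, "=")
        if (eq == 0) next
        key = substr(line, 1, eq - 1); gsub(/[ \t]/, "", key)
        if (key == prop) { val = substr(line, eq + 1); sub(/^[ \t]+/, "", val); found = 1 }
    }
    END { if (found) print val }' "$1"
}

# has_alg VALUE ALGORITHM
# Succeeds if the comma-separated list names ALGORITHM as the first word of
# an entry (case-insensitive; qualifiers such as "keySize < 1024" are ignored).
has_alg() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v a="$2" '
        { sub(/^[ \t]+/, ""); split($0, w, /[ \t]+/) }
        tolower(w[1]) == tolower(a) { hit = 1 }
        END { exit hit ? 0 : 1 }'
}

# Walk the locations named in this article and report what is set where.
scan_java_security() {
    for f in "${JAVA_HOME:-}/jre/lib/security/java.security" \
             "${JAVA_HOME:-}/conf/security/java.security" \
             /etc/crypto-policies/back-ends/*; do
        [ -f "$f" ] || continue
        for p in jdk.tls.disabledAlgorithms jdk.certpath.disabledAlgorithms; do
            v=$(get_prop "$f" "$p") || continue
            [ -n "$v" ] || continue
            printf '%s\n  %s=%s\n' "$f" "$p" "$v"
            if has_alg "$v" SHA1withRSA; then
                printf '  -> SHA1withRSA is disabled here\n'
            fi
        done
    done
    return 0
}

scan_java_security
```

Run it on the Applications Manager master server as the user that runs the master, so that JAVA_HOME matches the Java it actually uses.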