The CA API Gateway ensures the security of message traffic by requiring that protected services using SSL or TLS?are using suitably strong hashing algorithms?and use adequately long private key sizes. Attempts to consume a protected service that uses a server certificate that is issued by a certificate authority?using weak algorithms or small?keys in the issuing certificate?may?be rejected under a specific set of circumstances.?Message rejection will occur when:
This article will prescribe any necessary changes to address this behavior.
The following error message may be present in the Gateway audits or logs. The presence of this message indicates that the issuer of a server certificate is not adhering to a specific
Problem routing to https://service.domain.com/path/to/service.?Error msg: Unable to obtain HTTP response from https://service.domain.com/path/to/service: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints. Caused by: Certificates does not conform to algorithm constraints
This message indicates that the issuer of a server certificate is using disallowed settings such as hash algorithm or key length. The default setting of the Gateway disallows issuer certificates that use MD2 as a hashing algorithm or that have a key length of less than 1024 bits. For example--Server certificates that are stored in the?Manage Certificates?trust store of the Gateway may have the following displayed values:
Signature algorithm: MD2withRSA
RSA strength: 512 bits
If the issue is presenting as documented above then?it will be necessary to gather some diagnostic data before determining how to resolve this issue. Two system configuration files may contain directives that directly impact the observed behavior. If both of the following files contain the specified directive and value then the Gateway will need to be reconfigured to accommodate. Make a note of these settings as they will be used in later steps.
|/opt/SecureSpan/JDK/jre/lib/security/java.security||jdk.certpath.disabledAlgorithms||MD2, RSA keySize < 1024|
There are three resolution paths that can be leveraged to address this issue:
Any one of the three changes recommended in the previous section can resolve the issue. Adding an additional level of trust above the impacted server certificate will allow the Gateway to establish trust regardless of any disabled algorithms or key lengths. Avoiding the use of SunJSSE will result in the algorithm restriction being unenforced. Modifying the security settings of the JDK will make the rules more permissive for issuing certificates.
This solution is predicated on the fact that an issuer certificate has a parent issuer. Some commercial certificate authorities or government agencies leverage?multi-tiered certificate authority infrastructures. If an issuing certificate has a parent issuer that does not violate the constraints specified previously then the higher issuing certificate can be added. Perform the following procedure to add a higher issuing certificate and trust it as a trust anchor
This will add a valid issuer certificate that does not fail any constraints. If a higher level issuing certificate is not available then the disallowed algorithms and/or minimum key length must be adjusted
This process will disable the security requirements for?trusted certificates. This should only be done if a certificate of a higher certificate authority or a higher-security issuing certificate cannot be obtained from the applicable certificate authority. Perform the following procedure to disable the security requirements:
It may be desirable to lower the requirements instead of disabling them outright. If an administrator is aware of the allowed algorithms and/or lengths then the?jdk.certpath.disallowedAlgorithms line in /opt/SecureSpan/JDK/jre/lib/security/java.security can be changed to meet those organizational requirements. Please consult a security engineer for more information on the internal security requirements of your organization.
The most drastic method of bypassing this behavior is to disable SunJSSE if it is currently in use. SunJSSE is not the default cryptographic suite used by the Gateway application. If SunJSSE is currently in use as the active cryptographic provider then it may have been enabled for a specific purpose. An administrator should ensure that documentation exists for why this property was changed and if that change can and should be reverted. If the change can be reverted safely then perform the following procedure in order to do so: