LDAP connection failure due to algorithm constraints | Messaging Gateway

Article ID: 441954


Updated On:

Products

Messaging Gateway

Issue/Introduction

The Directory Data Service (DDS) fails to search LDAP or Active Directory data sources. The Control Center or DDS logs display the following error:

com.symantec.sms.dds.api.exception.DataAccessSearchFailureException: Permanent failure while attempting to search data source: [Source Name] Reason: Algorithm constraints check failed on signature algorithm: SHA1withRSA

The Control Center or DDS service may also report DDS error code: 800402.

Environment

  • Messaging Gateway (SMG) 10.9.1 and higher
  • LDAP or Active Directory servers whose certificate chain is signed with SHA1withRSA or uses RSA keys smaller than 2048 bits (for example, 1024-bit keys)

Cause

Messaging Gateway enforces strict certificate and TLS algorithm requirements to align with modern security standards. Secure LDAP (LDAPS) connections fail if any certificate in the chain presented by the LDAP server uses a deprecated or insecure algorithm, such as a SHA1withRSA signature or an RSA key smaller than 2048 bits. The error names the first algorithm that fails the check (SHA1withRSA in the example above). Because the whole presented chain is evaluated, replacing only the server's own certificate is not sufficient if an intermediate CA certificate is still signed with SHA-1.

Resolution

To resolve this issue, reissue the TLS certificate on the LDAP/AD server using secure parameters.

  1. Generate a new private key and certificate request for the LDAP/AD server.
  2. Ensure the certificate uses an RSA key size of 2048 bits or larger.
  3. Ensure the signature algorithm is SHA-256 or stronger (any SHA-2 family algorithm; SHA-1 and MD5 are rejected).
  4. Update the complete certificate chain on the LDAP server so that no intermediate CA certificate is signed with SHA-1 either.

Once the certificate is updated to meet modern security constraints, the Messaging Gateway DDS connections will resume normally.
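The following POSIX shell script is an added example and is not code from this article or from the Messaging Gateway product. It checks the certificates an LDAPS server presents for the two properties the DDS rejects (SHA-1 signatures and RSA keys under 2048 bits) by parsing `openssl x509 -text` output, and shows the `openssl req` invocation that produces a replacement key and CSR meeting the requirements above. The host name, port and file names are assumptions for illustration; the script expects the `openssl` command-line tool on the machine it runs on.

```shell
#!/bin/sh
# Added example, not from the Messaging Gateway article or product.
# Audits an LDAPS server's certificate chain for the two properties the DDS
# rejects (SHA-1 signatures, RSA keys under 2048 bits) and produces a
# replacement CSR that satisfies them. Host names, ports and file names are
# assumptions for illustration.

# check_cert_text: reads `openssl x509 -noout -text` output on stdin.
# Returns 0 when the certificate would pass the DDS algorithm constraints,
# 1 when it would trip them; a one-line verdict per property goes to stdout.
check_cert_text() {
    text=$(cat)
    # The first "Signature Algorithm:" line is the one inside the signed body.
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1 prints "RSA Public-Key: (2048 bit)", OpenSSL 3 prints "Public-Key: (2048 bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    status=0
    case "$(printf '%s' "$sigalg" | tr '[:upper:]' '[:lower:]')" in
        *sha1*|*md5*|*md2*)
            echo "FAIL signature algorithm $sigalg (needs SHA-256 or stronger)"
            status=1 ;;
        *)
            echo "ok   signature algorithm $sigalg" ;;
    esac
    # The 2048-bit minimum in the article is stated for RSA keys; other key
    # types are reported but not sized here.
    case "$keyalg" in
        rsaEncryption)
            if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
                echo "FAIL RSA key ${bits:-?} bits (needs 2048 or more)"
                status=1
            else
                echo "ok   RSA key $bits bits"
            fi ;;
        *)
            echo "info non-RSA key ($keyalg, ${bits:-?} bit): size not checked" ;;
    esac
    return $status
}

# check_ldaps_chain HOST [PORT]: fetch every certificate the server presents
# on the LDAPS port and run check_cert_text over each one. Needs network access.
check_ldaps_chain() {
    host=$1; port=${2:-636}
    tmp=$(mktemp -d) || return 1
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | awk -v dir="$tmp" '
            /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
            out { print > out }
            /-----END CERTIFICATE-----/ { close(out); out = "" }'
    rc=0
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || { echo "no certificates received from $host:$port"; rc=1; break; }
        echo "== $(openssl x509 -noout -subject -in "$pem")"
        openssl x509 -noout -text -in "$pem" | check_cert_text || rc=1
    done
    rm -rf "$tmp"
    return $rc
}

# make_replacement_csr CN KEYFILE CSRFILE: new private key and CSR with the
# parameters the article requires (2048-bit RSA, SHA-256 request signature).
# Submit CSRFILE to the enterprise CA, then install the issued certificate
# together with its full chain on the LDAP/AD server.
make_replacement_csr() {
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -keyout "$2" -out "$3" -subj "/CN=$1"
}

# Usage: sh ldaps-cert-audit.sh ldap.example.com [636]
if [ $# -gt 0 ]; then
    check_ldaps_chain "$@"
fi
```

Run the audit against the LDAP/AD server before and after reissuing the certificate; every certificate in the chain should report `ok` on both lines. A chain where the leaf is fine but an intermediate reports `FAIL signature algorithm sha1WithRSAEncryption` will still trigger the DDS error, which is why step 4 above replaces the whole chain rather than only the server certificate.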

Additional Information

For information on Active Directory certificate management, consult with the Active Directory administrators and/or the Active Directory manual.