After upgrading from a previous CA APM version to 10.3 or 10.5, the existing SSL configuration no longer seems to work. When we access the Team Center via HTTPS, it returns a blank page after a successful login, with the message "Error retrieving permissions. Status code: 503".
The following exception is logged in the IntroscopeWebView.log file:
[ERROR] [WebView] Unable to establish connection with remote resource at https://<host_name>:8081/apm/appmap/private/follower!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 47 more
The CertificateException implies that the certificate currently in use may no longer meet the security standards of Java 1.8.0_74, the JRE version bundled with APM 10.5 (from 10.3 onward). For example, compared to APM 10.1, MD5 has been added to the disabled algorithms list in <EM_Home>\jre\lib\security\java.security for APM 10.5:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
The reason it worked before could be that the pre-10.3 versions used a lower JRE version with lower security requirements, so they were not affected by this issue.
CA Application Performance Management 10.3, 10.5 with SSL communication enabled between Team Center and EM
There are 2 options to address this issue:
1. The first and recommended option is to replace the certificate with one from a recognized Certificate Authority (CA) that does not use the disabled algorithms stated above, in other words, one that complies with the security standard of Java 1.8.0_74.
2. Modify the security settings in the APM 10.5 java.security file to be less strict and allow more algorithms (according to the security standard of the existing certificate). For example, these were the settings in the JRE bundled with 10.1, which uses Java 1.8u45:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
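To see which keystore entries are affected before choosing either option, the following added example (not CA's or Oracle's code) compares `keytool -list -v` output with a jdk.certpath.disabledAlgorithms line. It is a simplified approximation of the JRE's matching; the sample keystore listing and its aliases are constructed, and the "Subject Public Key Algorithm" line is assumed to be present only where the keytool build prints it.

```python
import re

OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
       ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_disabled(prop_line):
    """Split a jdk.certpath.disabledAlgorithms line into names and keySize rules."""
    names, key_rules = set(), []
    for entry in prop_line.split("=", 1)[1].split(","):
        entry = entry.strip()
        m = re.fullmatch(r"(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)", entry)
        if m:
            key_rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif entry:
            names.add(entry.upper())
    return names, key_rules

def violations(keytool_text, prop_line):
    """Return {alias: [reasons]} for entries that hit a disabled algorithm or key size."""
    names, key_rules = parse_disabled(prop_line)
    found, alias = {}, None
    for line in map(str.strip, keytool_text.splitlines()):
        key = re.match(r"Subject Public Key Algorithm:\s*(\d+)-bit (\w+) key", line)
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Signature algorithm name:"):
            sig = line.split(":", 1)[1].strip()
            # Match on the parts of the name, e.g. MD5withRSA -> MD5, RSA
            for part in re.split(r"with|and|/", sig, flags=re.I):
                if part.upper() in names:
                    found.setdefault(alias, []).append(f"{sig} uses disabled {part.upper()}")
        elif key:
            bits, alg = int(key.group(1)), key.group(2).upper()
            for rule_alg, op, limit in key_rules:
                if rule_alg == alg and OPS[op](bits, limit):
                    found.setdefault(alias, []).append(f"{bits}-bit {alg} key matches keySize {op} {limit}")
    return found

# The two settings quoted in this article
APM_10_5 = "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024"
APM_10_1 = "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024"

# Constructed sample in the layout of `keytool -list -v` (aliases are made up)
SAMPLE = """\
Alias name: old-em-cert
    Signature algorithm name: MD5withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
Alias name: new-em-cert
    Signature algorithm name: SHA256withRSA
    Subject Public Key Algorithm: 2048-bit RSA key
"""

if __name__ == "__main__":
    print("APM 10.5 settings:", violations(SAMPLE, APM_10_5))
    print("APM 10.1 settings:", violations(SAMPLE, APM_10_1))
```

An entry reported under the 10.5 settings but not under the 10.1 settings is one that worked before the upgrade and is rejected after it.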