After upgrading from a previous CA APM version to 10.3 or 10.5, the existing SSL configuration no longer seems to work. When we access the Team Center via HTTPS, it returns a blank page after a successful login, with the message "Error retrieving permissions. Status code: 503".
The following exception was thrown in the IntroscopeWebView.log file:
[ERROR] [WebView] Unable to establish connection with remote resource at https://<host_name>:8081/apm/appmap/private/follower!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
... 47 more
The CertificateException implies that the certificate currently in use may no longer meet the security requirements of Java 1.8.0_74, which is the JRE version bundled with APM 10.5 (from 10.3 onward). For example, compared to APM 10.1, MD5 has been added to the disabled algorithms list in <EM_Home>\jre\lib\security\java.security for APM 10.5:
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
The configuration could have worked before because the pre-10.3 versions used an older JRE with less strict security requirements, so it was not affected by this issue.
There are 2 options to address this issue:
1. The first and recommended option is to replace the certificate with one from a recognized Certificate Authority (CA) that does not use the disabled algorithms stated above, in other words, one that complies with the security standard of Java 1.8.0_74.
2. Modify the security settings in the APM 10.5 java.security file to be less strict and allow more algorithms (according to the security standard of the existing certificate). This setting applies to every certificate the bundled JRE validates, not only to the existing one. For example, these were the settings in the JRE bundled with 10.1, which uses Java 1.8u45:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
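To decide between the two options, it helps to know which restriction the existing certificate violates. The script below is an added example, not CA APM or JDK code. It uses a simplified model of how the JRE applies jdk.certpath.disabledAlgorithms. The function names and the certificate values passed in are assumptions; read the real values from your certificate (keytool -list -v prints a "Signature algorithm name" field).

```python
import re

# The two property lines quoted in this article.
APM_10_5 = "jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024"
APM_10_1 = "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024"

OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}
SIZE_RULE = re.compile(r"(\S+)\s+keySize\s*(<=|<|>=|>|==|!=)\s*(\d+)")


def parse_disabled(line):
    """Split the property value into banned names and key-size rules."""
    value = line.split("=", 1)[1]
    names, size_rules = set(), []
    for entry in (e.strip() for e in value.split(",")):
        m = SIZE_RULE.fullmatch(entry)
        if m:
            size_rules.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        elif entry:
            names.add(entry.upper())
    return names, size_rules


def violations(sig_alg, key_alg, key_bits, line):
    """Return the reasons a certificate would be rejected (simplified model)."""
    names, size_rules = parse_disabled(line)
    found = []
    # A name such as "MD5withRSA" is checked by its parts: "MD5" and "RSA".
    for part in re.split(r"with|and|/", sig_alg, flags=re.IGNORECASE):
        if part.upper() in names:
            found.append("signature algorithm uses disabled " + part.upper())
    for alg, op, limit in size_rules:
        if alg == key_alg.upper() and OPS[op](key_bits, limit):
            found.append("%s key of %d bits matches 'keySize %s %d'"
                         % (alg, key_bits, op, limit))
    return found


if __name__ == "__main__":
    # Constructed certificate properties, for illustration only.
    for name, line in (("APM 10.5", APM_10_5), ("APM 10.1", APM_10_1)):
        print(name, violations("MD5withRSA", "RSA", 2048, line) or "accepted")
```

A certificate that is only rejected under the 10.5 line is rejected for the MD5 signature, and reissuing it with a non-disabled signature algorithm (option 1) resolves the error without relaxing java.security.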