Team Center shows blank page with 'Certificates does not conform to algorithm constraints' error in IntroscopeWebView.log when accessed via HTTPS

Article ID: 5478

Products

APP PERF MANAGEMENT, CA Application Performance Management Agent (APM / Wily / Introscope), CUSTOMER EXPERIENCE MANAGER, INTROSCOPE

Issue/Introduction

After upgrading from a previous CA APM version to 10.3 or 10.5, the existing SSL configuration no longer seems to work. When Team Center is accessed via HTTPS, it returns a blank page after a successful login, with the message "Error retrieving permissions. Status code: 503".

The following exception is logged in the IntroscopeWebView.log file:

[ERROR] [WebView] Unable to establish connection with remote resource at https://<host_name>:8081/apm/appmap/private/follower!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        ...
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 47 more

Cause

The CertificateException indicates that the certificate currently in use may no longer meet the security requirements of Java 1.8.0_74, the JRE version bundled with APM 10.5 (from 10.3 onward). For example, in APM 10.5, MD5 has been added to the disabled algorithms list in <EM_Home>\jre\lib\security\java.security, compared to APM 10.1:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

It may have worked before because the pre-10.3 versions bundled an older JRE with less strict security requirements, so they were not affected by this issue.
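As an added example (not part of the original article or of CA APM), the following Python sketch evaluates the certificates in a keystore listing against a jdk.certpath.disabledAlgorithms value, showing why a chain accepted under the 10.1 setting is rejected under the 10.5 one. The keytool -list -v excerpt and its names are constructed, the line formats are assumed to match your keytool version, and only plain algorithm names and keySize rules are modelled.

```python
import operator
import re

# Constructed sample: relevant lines of `keytool -list -v` output (hypothetical names).
KEYTOOL_OUTPUT = """\
Certificate[1]:
Owner: CN=em.example.test
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Test Intermediate CA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 512-bit RSA key
"""
APM_10_5 = "MD2, MD5, RSA keySize < 1024"  # jdk.certpath.disabledAlgorithms, APM 10.5
APM_10_1 = "MD2, RSA keySize < 1024"       # same property in the JRE bundled with 10.1
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def parse_constraints(value):
    """Return (algorithm, operator, size) rules; other constraint forms are skipped."""
    pattern = r"\s*(\S+)(?:\s+keySize\s*(<=|<|>=|>|==|!=)\s*(\d+))?\s*"
    matches = (re.fullmatch(pattern, entry) for entry in value.split(","))
    return [(m[1].upper(), m[2], int(m[3]) if m[3] else None) for m in matches if m]

def parse_certs(text):
    """Collect owner, signature algorithm and key size for each listed certificate."""
    certs = []
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Owner: (.+)", line):
            certs.append({"owner": m[1]})
        elif certs and (m := re.match(r"Signature algorithm name: (\S+)", line)):
            certs[-1]["sig"] = m[1]
        elif certs and (m := re.match(r"Subject Public Key Algorithm: (\d+)-bit (\S+) key", line)):
            certs[-1].update(bits=int(m[1]), key=m[2].upper())
    return certs

def violations(cert, rules):
    """List the rules a certificate breaks (simplified model of the JDK check)."""
    parts = {p.upper() for p in re.split(r"with|and", cert.get("sig", ""), flags=re.I)}
    found = []
    for alg, op, size in rules:
        if op is None and alg in parts:
            found.append(f"signature uses {alg}")
        elif op and alg == cert.get("key") and OPS[op](cert["bits"], size):
            found.append(f"{alg} key is {cert['bits']} bits (keySize {op} {size})")
    return found

def check(text, value):
    """Map each certificate owner to the list of constraints it violates."""
    rules = parse_constraints(value)
    return {c["owner"]: violations(c, rules) for c in parse_certs(text)}
```

Calling check(KEYTOOL_OUTPUT, APM_10_5) and check(KEYTOOL_OUTPUT, APM_10_1) side by side shows which certificate in the chain has to be reissued before the stricter setting will accept it.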

Environment

CA Application Performance Management 10.3, 10.5 with SSL communication enabled between Team Center and EM

Resolution

There are 2 options to address this issue:

1. The first and recommended option is to replace the certificate with one from a recognized Certificate Authority (CA) that does not use the disabled algorithms stated above; in other words, one that complies with the security standard of Java 1.8.0_74.

2. Modify the security settings in the APM 10.5 java.security file to be less strict and allow more algorithms (according to the security standard of the existing certificate). For example, these were the settings in the JRE bundled with 10.1, which uses Java 1.8u45:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3

Additional Information

Tuesdays Tips: Certificates does not conform to algorithm constraints