search cancel

Team Center shows blank page with 'Certificates does not conform to algorithm constraints' error in IntroscopeWebView.log when accessed via HTTPs


Article ID: 5478


Updated On:


CA Application Performance Management Agent (APM / Wily / Introscope) INTROSCOPE


After upgrading from a previous CA APM version to 10.3 or 10.5, the existing SSL configuration no longer seems to work. When we access the Team Center via HTTPs, it returns a blank page after successfully logging in, with message "Error retrieving permissions. Status code: 503".

The following exception was thrown in the IntroscopeWebView.log file:


[ERROR] [WebView] Unable to establish connection with remote resource at https://<host_name>:8081/apm/appmap/private/follower! Certificates does not conform to algorithm constraints
        at Source)
        at Source)
Caused by: Certificates does not conform to algorithm constraints
        at Source)
       at Source)
      at Source)
       ... 47 more



CA Application Performance Management 10.3, 10.5 with SSL communication enabled between Team Center and EM


The CertificateException implies that the currently used certificate may no longer meet the latest Java 1.8.0_74 standards in security, which is the jre version bundled in APM 10.5 (from 10.3 onward). For example, MD5 has been added to the disabled Algorithms list in the <EM_Home>\jre\lib\security\ for APM 10.5, compared to APM 10.1:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

The reason it has worked fine before could be because in the previous pre-10.3 versions, a lower JRE version with lower security requirement was used, hence it has not been affected by this issue.


There are 2 options to address this issue:

1. First and recommended option is to substitute the certificate with one from a recognized Certificate Authority (CA), which does not contain the disabled algorithms stated above, or in other words, comply to the security standard of Java 1.8.0_74.

2. Modify the security settings in the APM 10.5 file to be less strict/allow more algorithms (according to the security standard of the existing certificate used). For example, these were the settings in the jre bundled with 10.1 that uses java 1.8u45:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Additional Information

Tuesdays Tips: Certificates does not conform to algorithm constraints