DXmanager Error: Certificates does not conform to algorithm constraints

Article ID: 5834

Products

DIRECTORY

Issue/Introduction

The error message "DXadmind host 'Hostname' is unreachable - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints" appears in DXmanager under Alerts.

Cause

Java recently tightened its security measures and no longer accepts MD5 as a valid algorithm.

Environment

CA Directory / DXmanager 12.0 SP1x

Estimated: Java 1.8u100+

Resolution

Remove MD5 from the list of disabled algorithms in the JRE's java.security file.

Example Steps:

Navigate to the file "\jre\lib\security\java.security".

Open java.security and edit the jdk.certpath.disabledAlgorithms property.

Replace

    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
        DSA keySize < 1024, EC keySize < 224

With:

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \
        DSA keySize < 1024, EC keySize < 224

That is, remove the MD5 entry from the list.

Once the change is made, restart the DXwebserver and DXadmind processes. The error "DXadmind host 'Hostname' is unreachable - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints" will then no longer appear.

If the problem persists, also make the following change:

Replace

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

With

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

 

That is, remove the MD5withRSA entry from the list.

Once again restart DXwebserver and DXadmind processes.
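
The edit described in the steps above, as an added example (not code from the original article or from the vendor): a small Python helper that reads java.security text, joins the backslash-continued line, lists what a property disables, and drops one entry by exact name so that removing MD5 leaves MD5withRSA alone. The function names and the sample file content are constructed for illustration.

```python
# Constructed sample mirroring the two properties quoted in the article.
SAMPLE = """\
# constructed sample of jre/lib/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

def _logical_lines(text):
    """Yield (first_idx, last_idx, joined) with backslash continuations merged."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start, joined = i, lines[i]
        is_comment = joined.lstrip().startswith("#")  # comments never continue
        # A trailing backslash continues onto the next line, whose
        # leading whitespace is dropped.
        while not is_comment and joined.endswith("\\") and i + 1 < len(lines):
            i += 1
            joined = joined[:-1] + lines[i].lstrip()
        yield start, i, joined
        i += 1

def disabled_algorithms(text, prop):
    """Return the constraint list of `prop`, or None if it is not set."""
    for _, _, line in _logical_lines(text):
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() == prop:
            return [item.strip() for item in value.split(",") if item.strip()]
    return None

def remove_algorithm(text, prop, alg):
    """Return text with the entry `alg` dropped from `prop`; other lines untouched."""
    lines = text.splitlines()
    for start, end, line in _logical_lines(text):
        if line.lstrip().startswith("#") or line.split("=", 1)[0].strip() != prop:
            continue
        # Whole-entry, case-insensitive match: "MD5" does not match "MD5withRSA".
        kept = [a for a in disabled_algorithms(text, prop) if a.lower() != alg.lower()]
        lines[start:end + 1] = [prop + "=" + ", ".join(kept)]
        break
    return "\n".join(lines) + "\n"
```

Run it against a copy of java.security and compare the output of disabled_algorithms before and after the edit, so the original line is on hand if the entry needs to be restored later.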