CA Spectrum OneClick fails to launch with a SSLHandshakeException: PKIX path validation failed

Document ID : KB000030194
Last Modified Date : 14/02/2018
Show Technical Document Details

Issue:  When launching a CA Spectrum OneClick client with a newer versions of java against older versions of CA Spectrum, the OneClick client fails to launch.  The following error shows:

"Failed to validate certificate, The application will not be executed." 


When reviewing the Details in the java window, the following exception shows: PKIX path validation failed: algorithm constraints check failed: SHA1withRSA

at Source)

at Source)

at Source)



Starting with Java/JRE 7u40, Java requires the application (the jar file executed via jnlp) to be signed by a certificate with a minimum public key size of 1024 bits.

CA Spectrum jnlps are signed with a certificate of less than 1024 bits (we use 512 bits), causing a security validation failure.



The minimum public key size is the default value specified in Java/JRE's file and is set too high. It can be edited to allow a higher or lower required public key size.

The file is located in your client machine's Java/JRE installed directory (jre/lib/security/ If you have previously installed various versions of JRE, open the Java control panel and click on the Java tab. Click on the View button to see the path of the JRE version that is configured with your Internet Explorer (IE) or Firefox.

 This change in has to be done by a user with the administrator role, and java must be restarted in order for changes to take effect. 

In JRE 1.7u40 the by default has this setting:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024


To resolve the issue, change the value to 256:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 256

Close and relaunch your java client.

This applies to JRE 1.8 as well.