DXmanager Error: Certificates does not conform to algorithm constraints

Document ID : KB000005834
Last Modified Date : 14/02/2018
Issue:

The error message "DXadmind host 'Hostname' is unreachable - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints" appears in DXmanager under alerts.

Environment:
CA Directory / DXmanager 12.0 SP1x
Estimated: Java 1.8u100+
Cause:

Java recently tightened its security measures and no longer accepts MD5 as a valid algorithm.

Resolution:

Remove MD5 from the disabled-algorithm declarations in java.security.

 

Example Steps:

Navigate to File Path: "\jre\lib\security\java.security"

 

Open java.security and modify the jdk.certpath.disabledAlgorithms property as follows.

 

Replace

    jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
        DSA keySize < 1024, EC keySize < 224

With:

    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024, \
        DSA keySize < 1024, EC keySize < 224

 

i.e. remove the reference to MD5 from the list.

Once the change is made, restart the DXwebserver and DXadmind processes. You will then no longer receive the error "DXadmind host 'Hostname' is unreachable - java.security.cert.CertificateException: Certificates does not conform to algorithm constraints".

 

If the problem persists, also make the following change:

 

Replace

    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

With

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

 

i.e. remove the reference to MD5withRSA from the list.

  

Once again restart DXwebserver and DXadmind processes.
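
The two edits above can also be scripted. The following Python sketch is an added example, not part of the original CA document or product: it parses a disabledAlgorithms property (including the "\" line continuation) and removes one exact entry. The function names and the sample text are constructed for illustration, and the parser is a simplification of Java's properties format.

```python
import re

# Constructed sample mirroring the two properties shown on this page.
SAMPLE = """\
# comment lines are left untouched
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

def _find_property(lines, name):
    """Return (start, end) line indexes of a property, following '\\' continuations."""
    for i, line in enumerate(lines):
        stripped = line.lstrip()
        if stripped.startswith("#") or not re.match(re.escape(name) + r"\s*=", stripped):
            continue
        end = i
        while lines[end].rstrip().endswith("\\") and end + 1 < len(lines):
            end += 1
        return i, end
    raise KeyError(name)

def get_constraints(text, name):
    """Parse a disabledAlgorithms property into its list of constraints."""
    lines = text.splitlines()
    start, end = _find_property(lines, name)
    joined = " ".join(l.strip().rstrip("\\") for l in lines[start:end + 1])
    value = joined.split("=", 1)[1]
    return [c.strip() for c in value.split(",") if c.strip()]

def remove_constraint(text, name, algorithm):
    """Drop one exact entry (case-insensitive) and rewrite the property on one line."""
    lines = text.splitlines()
    start, end = _find_property(lines, name)
    # Exact match: removing "MD5" must not also remove "MD5withRSA".
    kept = [c for c in get_constraints(text, name) if c.lower() != algorithm.lower()]
    lines[start:end + 1] = [f"{name}=" + ", ".join(kept)]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    edited = remove_constraint(SAMPLE, "jdk.certpath.disabledAlgorithms", "MD5")
    print(edited)
```

Calling get_constraints on a host's java.security before and after the change gives a record of exactly which entries were relaxed there.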