Team Center shows a blank page with 'Certificates does not conform to algorithm constraints' error in IntroscopeWebView.log when accessed via HTTPS

Document ID : KB000005478
Last Modified Date : 14/02/2018
Issue:

After upgrading from a previous CA APM version to 10.3 or 10.5, the existing SSL configuration no longer seems to work. When Team Center is accessed via HTTPS, it returns a blank page after a successful login, with the message "Error retrieving permissions. Status code: 503".

The following exception was thrown in the IntroscopeWebView.log file:

 

[ERROR] [WebView] Unable to establish connection with remote resource at https://<host_name>:8081/apm/appmap/private/follower!
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        ...
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unknown Source)
        ... 47 more

 

Environment:
CA Application Performance Management 10.3, 10.5 with SSL communication enabled between Team Center and EM
Cause:

The CertificateException implies that the certificate currently in use may no longer meet the security requirements of Java 1.8.0_74, which is the JRE version bundled in APM 10.5 (from 10.3 onward). For example, compared to APM 10.1, MD5 has been added to the disabled algorithms list in <EM_Home>\jre\lib\security\java.security for APM 10.5:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024

The configuration may have worked before because the pre-10.3 versions bundled an older JRE with lower security requirements, so they were not affected by this issue.

Resolution:

There are 2 options to address this issue:

1. The first and recommended option is to replace the certificate with one from a recognized Certificate Authority (CA) that does not use the disabled algorithms stated above, in other words, one that complies with the security standard of Java 1.8.0_74.

2. Modify the security settings in the APM 10.5 java.security file to be less strict and allow more algorithms (according to the security standard of the existing certificate used). For example, these were the settings in the JRE bundled with 10.1, which uses Java 1.8u45:

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3
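
To confirm which constraint a certificate trips before choosing between the two options, the following added example (not CA or Oracle code) evaluates a certificate's signature algorithm and key size against the two jdk.certpath.disabledAlgorithms values quoted in this article. It is a simplified model of the JRE check that handles only algorithm names and keySize rules; the function names and the sample certificate values are assumptions, and the real values can be read from the certificate, for instance the "Signature algorithm name" field in keytool -list -v output.

```python
import operator
import re

OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}

# Property values quoted in this article.
APM_10_5 = "MD2, MD5, RSA keySize < 1024"
APM_10_1 = "MD2, RSA keySize < 1024"


def parse_disabled(prop):
    """Split a disabledAlgorithms value into (NAME, operator, bits) rules."""
    rules = []
    for entry in prop.split(","):
        m = re.fullmatch(r"\s*(\S+)(?:\s+keySize\s*(<=|<|==|!=|>=|>)\s*(\d+))?\s*", entry)
        if m is None:  # other constraint types are outside this sketch
            raise ValueError("unsupported entry: %r" % entry)
        name, op, bits = m.groups()
        rules.append((name.upper(), op, int(bits) if bits else None))
    return rules


def violations(prop, sig_alg, key_alg, key_bits):
    """Return the reasons a certificate would be rejected under prop."""
    # "MD5withRSA" is matched by its parts: MD5 and RSA.
    parts = {p.upper() for p in re.split(r"(?i)with|and|/", sig_alg) if p}
    hits = []
    for name, op, bits in parse_disabled(prop):
        if op is None:
            if name in parts or name == key_alg.upper():
                hits.append("%s is disabled (signature %s, key %s)" % (name, sig_alg, key_alg))
        elif name == key_alg.upper() and OPS[op](key_bits, bits):
            hits.append("%s key of %d bits matches keySize %s %d" % (name, key_bits, op, bits))
    return hits


if __name__ == "__main__":
    # Constructed sample certificates: (signature algorithm, key algorithm, key bits)
    for cert in [("MD5withRSA", "RSA", 2048), ("SHA256withRSA", "RSA", 512),
                 ("SHA256withRSA", "RSA", 2048)]:
        for label, prop in [("10.5", APM_10_5), ("10.1", APM_10_1)]:
            print(cert, label, violations(prop, *cert) or "conforms")
```

An MD5-signed certificate is rejected only under the 10.5 value, while an RSA key shorter than 1024 bits is rejected under both, so relaxing the property as in option 2 helps only in the first case.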

Additional Information:

Tuesdays Tips: Certificates does not conform to algorithm constraints