000036930 - RSA Identity Governance and Lifecycle SSL connectivity fails and throws 'Certificates does not conform to algorithm constraints' error when connecting to Active Directory

Document created by RSA Customer Support Employee on Dec 26, 2018

Article Content

Article Number
000036930

Applies To
RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: ALL

Issue
SSL connectivity to Active Directory fails and throws the following error.

LDAPException: I/O Exception on host xx.xx.xx.xx, port 636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at com.novell.ldap.Connection.writeMessage(Unknown Source)
            at com.novell.ldap.Connection.writeMessage(Unknown Source)
            at com.novell.ldap.Message.sendMessage(Unknown Source)
            at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)
            at com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at org.mule.transport.ldapx.LdapxConnector.doConnect(LdapxConnector.java:166)
            at com.aveksa.AFX.transport.ldap.LdapSettingsTest.runTest(LdapSettingsTest.java:68)
            at com.aveksa.afx.server.component.SettingsTestExecutorComponent.onCall(SettingsTestExecutorComponent.java:29)
            at org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:46)
            at org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:36)
            at org.mule.component.DefaultComponentLifecycleAdapter.invoke(DefaultComponentLifecycleAdapter.java:339)
            at org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:82)
            at org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:73)
            at org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:122)
            at org.mule.component.AbstractComponent.access$000(AbstractComponent.java:57)
            at org.mule.component.AbstractComponent$1$1.process(AbstractComponent.java:238)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:94)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:50)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.access$001(InterceptingChainLifecycleWrapper.java:22)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper$1.process(InterceptingChainLifecycleWrapper.java:66)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:61)
            at org.mule.component.AbstractComponent.process(AbstractComponent.java:156)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:94)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.AbstractInterceptingMessageProcessorBase.processNext(AbstractInterceptingMessageProcessorBase.java:102)
            at org.mule.interceptor.AbstractEnvelopeInterceptor.process(AbstractEnvelopeInterceptor.java:51)
            at org.mule.processor.AsyncInterceptingMessageProcessor.processNextTimed(AsyncInterceptingMessageProcessor.java:118)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker$1.process(AsyncInterceptingMessageProcessor.java:189)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker$1.process(AsyncInterceptingMessageProcessor.java:182)
            at org.mule.execution.ExecuteCallbackInterceptor.execute(ExecuteCallbackInterceptor.java:16)
            at org.mule.execution.HandleExceptionInterceptor.execute(HandleExceptionInterceptor.java:30)
            at org.mule.execution.HandleExceptionInterceptor.execute(HandleExceptionInterceptor.java:14)
            at org.mule.execution.BeginAndResolveTransactionInterceptor.execute(BeginAndResolveTransactionInterceptor.java:54)
            at org.mule.execution.ResolvePreviousTransactionInterceptor.execute(ResolvePreviousTransactionInterceptor.java:44)
            at org.mule.execution.SuspendXaTransactionInterceptor.execute(SuspendXaTransactionInterceptor.java:50)
            at org.mule.execution.ValidateTransactionalStateInterceptor.execute(ValidateTransactionalStateInterceptor.java:40)
            at org.mule.execution.IsolateCurrentTransactionInterceptor.execute(IsolateCurrentTransactionInterceptor.java:41)
            at org.mule.execution.ExternalTransactionInterceptor.execute(ExternalTransactionInterceptor.java:48)
            at org.mule.execution.RethrowExceptionInterceptor.execute(RethrowExceptionInterceptor.java:28)
            at org.mule.execution.RethrowExceptionInterceptor.execute(RethrowExceptionInterceptor.java:13)
            at org.mule.execution.TransactionalErrorHandlingExecutionTemplate.execute(TransactionalErrorHandlingExecutionTemplate.java:109)
            at org.mule.execution.TransactionalErrorHandlingExecutionTemplate.execute(TransactionalErrorHandlingExecutionTemplate.java:30)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker.doRun(AsyncInterceptingMessageProcessor.java:181)
            at org.mule.work.AbstractMuleEventWork.run(AbstractMuleEventWork.java:39)
            at org.mule.work.WorkerContext.run(WorkerContext.java:286)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1914)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1472)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1033)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
            at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:899)
            at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
            at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
            at com.novell.ldap.asn1.ASN1Identifier.<init>(Unknown Source)
            at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
            ... 1 more
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1018)
            at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:944)
            at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:886)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1454)
            ... 11 more
Cause
The Active Directory server certificate was signed by a CA using the RSASSA-PSS signature algorithm, as confirmed by the following screenshot:

[Screenshot: Active Directory server certificate]

JDK 8 and earlier versions do not support the RSASSA-PSS signature algorithm; support for it was added in JDK 11. See the following URLs for reference.

Add support for RSASSA-PSS Signature algorithm
https://bugs.openjdk.java.net/browse/JDK-8146293

JEP 332 Transport Layer Security (TLS) 1.3
https://www.oracle.com/technetwork/java/javase/11-relnote-issues-5012449.html#JDK-8145252
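To confirm this cause on a given server before touching the CA, the following added diagnostic (not part of the RSA article) walks the outer signatureAlgorithm field of the DER-encoded certificate the LDAPS server presents and flags the RSASSA-PSS OID 1.2.840.113549.1.1.10, which is the value a JDK 8 client cannot map to a known algorithm. The host and port on the command line are assumptions; ssl.get_server_certificate returns only the server's own certificate, so inspect the issuing CA certificate the same way, and the two sample blobs are constructed test data, not real certificates.

```python
import ssl
import sys

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"  # the OID JDK 8 cannot map to a signature algorithm


def read_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted form of an OBJECT IDENTIFIER's content octets (base-128 arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    tag, cert, _ = read_tlv(der, 0)
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _, _, pos = read_tlv(cert, 0)           # skip tbsCertificate
    tag, algid, _ = read_tlv(cert, pos)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = read_tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)


def jdk8_compatible(der):
    """False when the certificate is RSASSA-PSS signed; that is what JDK 8 rejects."""
    return signature_algorithm(der) != RSASSA_PSS_OID


def _der(tag, body):  # short-form DER TLV encoder, only for the constructed samples below
    return bytes([tag, len(body)]) + body


# Constructed samples (not real certificates): empty tbsCertificate and signature bits,
# with real AlgorithmIdentifier encodings for RSASSA-PSS and sha256WithRSAEncryption.
SAMPLE_PSS = _der(0x30, _der(0x30, b"") + _der(0x30, bytes.fromhex("06092a864886f70d01010a")) + _der(0x03, b"\x00"))
SAMPLE_RSA = _der(0x30, _der(0x30, b"") + _der(0x30, bytes.fromhex("06092a864886f70d01010b") + _der(0x05, b"")) + _der(0x03, b"\x00"))

if __name__ == "__main__":  # e.g. python check_sigalg.py ad.example.com 636 (hypothetical host)
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 636
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    oid = signature_algorithm(der)
    print(oid, "OK for JDK 8" if jdk8_compatible(der) else "RSASSA-PSS, JDK 8 rejects it")
```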
 
Resolution
The Active Directory server certificate must be signed by a CA using a signature algorithm that the JDK supports. Support for certificate signature algorithms is provided by the JDK, not by RSA Identity Governance and Lifecycle. Unfortunately, there are no other options.

Workaround
RSA advises against using a CA that signs with the RSASSA-PSS algorithm. If the Active Directory server certificate has been signed by a CA using RSASSA-PSS, you need to re-generate the Active Directory server certificate with a CA signing algorithm supported by the JDK.

The signature algorithms supported by the JDK are listed at the following link:

Algorithms
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#alg
