This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

RSA Identity Governance and Lifecycle SSL connectivity fails and throws 'Certificates does not conform to algorithm constraints' error when connecting to Active Directory

Article Number

000036930

Applies To

RSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: ALL

 

Issue

SSL connectivity to Active Directory fails and throws the following error. 
LDAPException: I/O Exception on host xx.xx.xx.xx, port 636 (91) Connect Error
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at com.novell.ldap.Connection.writeMessage(Unknown Source)
            at com.novell.ldap.Connection.writeMessage(Unknown Source)
            at com.novell.ldap.Message.sendMessage(Unknown Source)
            at com.novell.ldap.MessageAgent.sendMessage(Unknown Source)
            at com.novell.ldap.LDAPConnection.sendRequestToServer(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at com.novell.ldap.LDAPConnection.bind(Unknown Source)
            at org.mule.transport.ldapx.LdapxConnector.doConnect(LdapxConnector.java:166)
            at com.aveksa.AFX.transport.ldap.LdapSettingsTest.runTest(LdapSettingsTest.java:68)
            at com.aveksa.afx.server.component.SettingsTestExecutorComponent.onCall(SettingsTestExecutorComponent.java:29)
            at org.mule.model.resolvers.CallableEntryPointResolver.invoke(CallableEntryPointResolver.java:46)
            at org.mule.model.resolvers.DefaultEntryPointResolverSet.invoke(DefaultEntryPointResolverSet.java:36)
            at org.mule.component.DefaultComponentLifecycleAdapter.invoke(DefaultComponentLifecycleAdapter.java:339)
            at org.mule.component.AbstractJavaComponent.invokeComponentInstance(AbstractJavaComponent.java:82)
            at org.mule.component.AbstractJavaComponent.doInvoke(AbstractJavaComponent.java:73)
            at org.mule.component.AbstractComponent.invokeInternal(AbstractComponent.java:122)
            at org.mule.component.AbstractComponent.access$000(AbstractComponent.java:57)
            at org.mule.component.AbstractComponent$1$1.process(AbstractComponent.java:238)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:94)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.doProcess(InterceptingChainLifecycleWrapper.java:50)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.access$001(InterceptingChainLifecycleWrapper.java:22)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper$1.process(InterceptingChainLifecycleWrapper.java:66)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.InterceptingChainLifecycleWrapper.process(InterceptingChainLifecycleWrapper.java:61)
            at org.mule.component.AbstractComponent.process(AbstractComponent.java:156)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorNotificationExecutionInterceptor.execute(MessageProcessorNotificationExecutionInterceptor.java:58)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.chain.DefaultMessageProcessorChain.doProcess(DefaultMessageProcessorChain.java:94)
            at org.mule.processor.chain.AbstractMessageProcessorChain.process(AbstractMessageProcessorChain.java:67)
            at org.mule.execution.ExceptionToMessagingExceptionExecutionInterceptor.execute(ExceptionToMessagingExceptionExecutionInterceptor.java:24)
            at org.mule.execution.MessageProcessorExecutionTemplate.execute(MessageProcessorExecutionTemplate.java:44)
            at org.mule.processor.AbstractInterceptingMessageProcessorBase.processNext(AbstractInterceptingMessageProcessorBase.java:102)
            at org.mule.interceptor.AbstractEnvelopeInterceptor.process(AbstractEnvelopeInterceptor.java:51)
            at org.mule.processor.AsyncInterceptingMessageProcessor.processNextTimed(AsyncInterceptingMessageProcessor.java:118)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker$1.process(AsyncInterceptingMessageProcessor.java:189)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker$1.process(AsyncInterceptingMessageProcessor.java:182)
            at org.mule.execution.ExecuteCallbackInterceptor.execute(ExecuteCallbackInterceptor.java:16)
            at org.mule.execution.HandleExceptionInterceptor.execute(HandleExceptionInterceptor.java:30)
            at org.mule.execution.HandleExceptionInterceptor.execute(HandleExceptionInterceptor.java:14)
            at org.mule.execution.BeginAndResolveTransactionInterceptor.execute(BeginAndResolveTransactionInterceptor.java:54)
            at org.mule.execution.ResolvePreviousTransactionInterceptor.execute(ResolvePreviousTransactionInterceptor.java:44)
            at org.mule.execution.SuspendXaTransactionInterceptor.execute(SuspendXaTransactionInterceptor.java:50)
            at org.mule.execution.ValidateTransactionalStateInterceptor.execute(ValidateTransactionalStateInterceptor.java:40)
            at org.mule.execution.IsolateCurrentTransactionInterceptor.execute(IsolateCurrentTransactionInterceptor.java:41)
            at org.mule.execution.ExternalTransactionInterceptor.execute(ExternalTransactionInterceptor.java:48)
            at org.mule.execution.RethrowExceptionInterceptor.execute(RethrowExceptionInterceptor.java:28)
            at org.mule.execution.RethrowExceptionInterceptor.execute(RethrowExceptionInterceptor.java:13)
            at org.mule.execution.TransactionalErrorHandlingExecutionTemplate.execute(TransactionalErrorHandlingExecutionTemplate.java:109)
            at org.mule.execution.TransactionalErrorHandlingExecutionTemplate.execute(TransactionalErrorHandlingExecutionTemplate.java:30)
            at org.mule.processor.AsyncInterceptingMessageProcessor$AsyncMessageProcessorWorker.doRun(AsyncInterceptingMessageProcessor.java:181)
            at org.mule.work.AbstractMuleEventWork.run(AbstractMuleEventWork.java:39)
            at org.mule.work.WorkerContext.run(WorkerContext.java:286)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
            at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1914)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1472)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1033)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1342)
            at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:899)
            at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
            at sun.security.ssl.AppInputStream.read(AppInputStream.java:69)
            at com.novell.ldap.asn1.ASN1Identifier.(Unknown Source)
            at com.novell.ldap.Connection$ReaderThread.run(Unknown Source)
            ... 1 more
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
            at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1018)
            at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:944)
            at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:886)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1454)
            ... 11 more

Cause

The Active Directory server certificate was signed by CA with RSASSA-PSS signature algorithm as confirmed from the following screenshot:
Image descriptionImage description

JDK version 8 and earlier versions don't support RSASSA-PSS signature algorithm. The support for RSASSA-PSS signature algorithm was added in the later JDK version 11. See below URLs for your reference.

Add support for RSASSA-PSS Signature algorithm
https://bugs.openjdk.java.net/browse/JDK-8146293

JEP 332 Transport Layer Security (TLS) 1.3 
https://www.oracle.com/technetwork/java/javase/11-relnote-issues-5012449.html#JDK-8145252
 

Resolution

Active Directory server certificate must be signed with CA's signing algorithms supported by JDK. Support for certificate signature algorithms is provided by JDK and not provided by RSA Identity Governance and Lifecycle. Unfortunately, there are no other options. 

Workaround

RSA advise not to use CA with RSASSA-PSS signing algorithm. If Active Directory server has been signed with CA with RSASSA-PSS signing algorithm, you need to re-generate Active Directory server certificate with CA's signing algorithms supported by JDK.

See JDK supported signature algorithms from below link:

Algorithms
https://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html#alg
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 07:12 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.