Cannot Create a PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server using a Secure Sockets Layer (SSL) encryption.)

Problem

IBM Manta Data Lineage validation or extraction fails with one of the following error messages:

Connect to database failed. Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.  
Error: "Certificates do not conform to algorithm constraints".  ClientConnectionId:1234565789) 
Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=...

or

java.sql.SQLException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. 
Error: "SQL Server did not return a response. The connection has been closed."  ClientConnectionId: 123456789)

or

Caused by: javax.net.ssl.SSLHandshakeException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertificateException: Certificates do not conform to algorithm constraints
...
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on keysize limits: RSA 1024 bit key used with certificate: CN=...

More Details about the Issue

The error messages above mean that the Java runtime used by Manta Data Lineage requires a higher level of security for the SSL/TLS encrypted connection (in this case, a larger certificate key size) than the certificate provided by the target application offers.

The security requirements for Java on Manta Server are defined:

Solution

There are a number of ways to resolve this issue. Here are a few options.

Important: Note that reducing the security measures is not the recommended solution to this issue as both reduce the minimum required level of security for the connections for any applications that use this Java VM.
When Java is updated on the machine that Manta Data Lineage is installed on, the java.security file is replaced during the update and all configuration changes are lost. The above changes will need to be reapplied to reestablish a connection.

To avoid this, you have the option of creating a custom Java security file and placing it outside the Java directory. This reduces the chances of needing to make the above changes after each Java upgrade on the server. Implementing this, however, requires support/automation from the administrators who upgrade the JVM. Essentially, the following two properties need to be specified (the second one points to the custom security file):

security.overridePropertiesFile=true
java.security.properties=/etc/sysconfig/jvm1.java.security

See, for example, https://dzone.com/articles/how-override-java-security for more details.
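
To confirm after a Java upgrade which settings the JVM actually enforces, the following added example (not IBM's or Manta's code) prints the two override settings and the RSA key-size restrictions in effect, and tests a certificate's key against them. The class name and the certificate file argument are assumptions; jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms are the standard JDK security properties that hold these restrictions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example; run it with the same JVM and -D options as the application.
public class CheckRsaConstraint {
    static final Pattern RSA_KEYSIZE =
        Pattern.compile("\\bRSA\\s+keySize\\s*(<=|>=|==|!=|<|>)\\s*(\\d+)");

    // True when a key of `bits` bits falls under a "keySize <op> <n>" restriction.
    static boolean restricted(int bits, String op, int n) {
        switch (op) {
            case "<":  return bits < n;
            case "<=": return bits <= n;
            case ">":  return bits > n;
            case ">=": return bits >= n;
            case "==": return bits == n;
            default:   return bits != n;   // "!="
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) { System.err.println("usage: CheckRsaConstraint <cert-file>"); return; }
        System.out.println("security.overridePropertiesFile = "
            + Security.getProperty("security.overridePropertiesFile"));
        System.out.println("java.security.properties = "
            + System.getProperty("java.security.properties"));
        int bits = 0;   // stays 0 when the certificate key is not RSA
        try (InputStream in = new FileInputStream(args[0])) {   // PEM or DER file
            X509Certificate cert = (X509Certificate)
                CertificateFactory.getInstance("X.509").generateCertificate(in);
            if (cert.getPublicKey() instanceof RSAPublicKey)
                bits = ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength();
            System.out.println(cert.getSubjectX500Principal() + ": RSA key bits = " + bits);
        }
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"}) {
            String value = String.valueOf(Security.getProperty(p));
            System.out.println(p + " = " + value);
            Matcher m = RSA_KEYSIZE.matcher(value);
            while (bits > 0 && m.find())
                System.out.println("  " + m.group() + " -> " + (restricted(bits,
                    m.group(1), Integer.parseInt(m.group(2))) ? "REJECTED" : "allowed"));
        }
    }
}
```

Compile with javac and run it against the certificate exported from the target server; a REJECTED line identifies the restriction behind the "Algorithm constraints check failed on keysize limits" error.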