IBM Support

Java Error "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints"

Troubleshooting


Problem

When a Java program using JDK v6.0 or later connects to a remote SSL/TLS server, the following error message is thrown: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Symptom

The JVM"s standard out/error log displays the error "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints".

Cause

The IBM i JDK at v6.0 and later now contains the following java property in the /QOpenSys/QIBM/ProdData/JavaVM/jdkXX/YYbit/jre/lib/security/java.security file to disable weak signature algorithms and key lengths for certification path building and validation. NOTE: This applies to all certificates in the certification path.


    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

The above property prevents the use of SSL certificates anywhere in the SSL certificate chain created with the MD2 signature algorithm or the RSA signature algorithm when the key length is less than 1024 bits. If this constraint is hit, Java will throw the following error:
    java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

Resolving The Problem

The following can be done to resolve the issue:

    1) Renew the server or CA certificate(s) in the certificate chain to make sure it using a signature algorithm other than MD2 or make sure the key length is equal to or greater than 1024 when the RSA signature algorithm is used.

    2) Modify the /QOpenSys/QIBM/ProdData/JavaVM/jdkXX/YYbit/jre/lib/security/java.security file to comment out the property or remove the section that is causing the error. The property can be commented out by specifying a pound symbol (#) as the first character in the line.

    For example, if the server we are connecting to has a certificate in the certificate chain with a MD2 signature algorithm, then we could modify the line to be the following:
      jdk.certpath.disabledAlgorithms=RSA keySize < 1024
    Once this change is made the JVM job would need to be ended and restarted. By removing the MD2 signature algorithm from the property, the JDK will now allow SSL certificates created with the MD2 signature algorithm to be used in the SSL certification path.

    NOTE: Any changes to the global java.security file can be potentially overwritten back to the default value when applying an IBM i Java Group PTF. As a result, IBM recommends you copy the java.security file to a custom location , edit the file, and then implement the java.security.properties=<custom java.security file> Java property to customize your java.security configuration. Please refer to the "How to Customize Java Security Configuration Properties for JDKs on the IBM i OS" document for more information.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Document Information

Modified date:
18 December 2019

UID

nas8N1020722

Page Feedback