IBM Support

ACS LAN Console MSGSSL004 and/or MSGSSL007

Troubleshooting


Problem

This typically occurs when the Oracle JRE is updated from an older release to a newer release; however, it can also occur out of the box with a new JRE. The MSGSSL004 and MSGSSL007 messages include text describing a problem with an algorithm.

Symptom

The ACS (Access Client Solutions) console cannot connect and generates the following security errors:

o MSGSSL004 - An error was encountered during the handshake phase of establishing a secure connection. (java.security.cert.CertificateException: Certificates does not conform to algorithm constraints)

o MSGSSL007 - An error occurred with an SSL certificate. (Certificate does not conform to algorithm constraints.)

Cause

The new version of Oracle's JRE implemented new security policies that prohibit the use of a certificate that uses MD5 or lower with RSA cipher specs. This was done because these algorithms are considered unsafe and can be cracked, exposing your data.

Environment

Windows PCs running new Oracle JREs and using ACS (Access Client Solutions).

Diagnosing The Problem

A communications trace will show use of the old ciphers; typically, a Wireshark trace is all that is needed.

Resolving The Problem

This issue is present in all supported releases at the time this document was authored. The fixes are as follows:

o V6R1M1 -- PTF is MF60292 (there are no TRs in that release)
o V7R1M0 -- PTF is MF60291 (requires MF99010)
o V7R2M0 -- PTF is MF60290 (requires MF99102)

The Save and Restore team should be involved for assistance meeting these requirements.

Note: Applying the above PTFs MF60290, MF60291 and MF60292 sets the default key size used by the LIC Service Tools servers to 4096. The Oracle JRE will not allow that key size until the JCE (Java Cryptography Extension) policy is updated.
The following link is to the download of the policy files for Java JRE 1.8:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html?ssSourceSiteId=otnes
Instructions for installing the JCE policy files are in the README.txt file included in the zip file.



The circumvention is to modify the JRE's java.security file and comment out two lines. Doing this affects anything that uses the JRE on the PC and exposes you to sites that use the older ciphers where data could be compromised.

The java.security file will be located in the path of your JRE installation. The path will be under the base directory structure Oracle creates; however, when the JRE is installed, the user could specify a different location.

64-bit PCs:
Typically, the path is c:\Program Files\Java\<JRE version>\Lib\security

If you are using a JDK with the JRE, the path is slightly different:
c:\Program Files\Java\<JDK version>\JRE\Lib\security

The above would be for 64-bit versions of Java; 32-bit versions of Java would be in the Program Files (x86) directory.

Note: 32-bit PCs have only the Program Files directory.

The file to edit for the circumvention is the java.security file. At the time of this writing, the following two lines were modified to remove MD5 and MD5withRSA:

o jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
o jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
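
Because the circumvention weakens every application that uses that JRE, it is worth checking afterwards which PCs still carry it. The following is an added example, not IBM or Oracle code: a small Python audit that reads the text of a java.security file and reports whether MD5 and MD5withRSA are still disabled. The function names and both sample files are constructed for illustration.

```python
# Algorithms the page says the circumvention removes from each property.
EXPECTED = {
    "jdk.certpath.disabledAlgorithms": ["MD5"],
    "jdk.tls.disabledAlgorithms": ["MD5withRSA"],
}

def parse_properties(text):
    """Parse key=value properties, honouring '\\' line continuations.
    Simplification: only '=' is treated as the key/value separator."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or commented-out property
        if line.endswith("\\"):
            pending += line[:-1]  # value continues on the next line
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def audit(text):
    """Return a list of findings; an empty list means both constraints are intact."""
    props, findings = parse_properties(text), []
    for key, tokens in EXPECTED.items():
        if key not in props:
            findings.append(f"{key}: missing or commented out")
            continue
        # Entries look like "ALG" or "ALG keySize < N"; compare the name only.
        present = {e.split()[0].lower() for e in props[key].split(",") if e.strip()}
        for tok in tokens:
            if tok.lower() not in present:
                findings.append(f"{key}: {tok} no longer disabled")
    return findings

# Constructed samples: the two default lines quoted above, and an edited file.
DEFAULT = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 768
"""
EDITED = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT), ("edited", EDITED)):
        print(name, audit(text) or "constraints intact")
```

To audit a real installation, pass the contents of the java.security file from the Lib\security path described above to audit().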


Document Information

Modified date:
18 December 2019

UID

nas8N1021124