Troubleshooting
Problem
When collecting the Guardium application must_gather with the CLI command "support must_gather app_issues", the following exception appears after you enter the application debugger's timeout value: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
Symptom
The following exception appears after you enter the application debugger's timeout value:
GuardiumTest001.ibmtest>support must_gather app_issues
This operation may take several minutes to complete.
Please enter numeric value for debugger's timeout in minutes (no more than 1440) or 0 to stop debugger.
Starting application debugger.
The application debug timeout is set to 5 min.
Please reproduce the problem for debugger.
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at com.ibm.jsse2.j.a(j.java:7)
at com.ibm.jsse2.qc.a(qc.java:483)
at com.ibm.jsse2.ab.a(ab.java:167)
at com.ibm.jsse2.ab.a(ab.java:542)
at com.ibm.jsse2.bb.a(bb.java:234)
at com.ibm.jsse2.bb.a(bb.java:412)
at com.ibm.jsse2.ab.t(ab.java:338)
at com.ibm.jsse2.ab.a(ab.java:416)
at com.ibm.jsse2.qc.a(qc.java:435)
at com.ibm.jsse2.qc.h(qc.java:714)
at com.ibm.jsse2.qc.a(qc.java:831)
at com.ibm.jsse2.qc.startHandshake(qc.java:828)
at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:90)
at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:17)
at com.ibm.net.ssl.www2.protocol.https.b.connect(b.java:97)
at com.guardium.utils.TimingoutHttpConnection.handleRequest(TimingoutHttpConnection.java:58)
at com.guardium.utils.TimingoutHttpConnection.sendRequest(TimingoutHttpConnection.java:95)
at com.guardium.utils.TimingoutHttpConnection.send(TimingoutHttpConnection.java:150)
at com.guardium.utils.EnableDebugRequest.main(EnableDebugRequest.java:47)
Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
at com.ibm.jsse2.wc.a(wc.java:30)
at com.ibm.jsse2.wc.checkServerTrusted(wc.java:76)
at com.ibm.jsse2.bb.a(bb.java:477)
... 14 more
Cause
The customer's Guardium appliance used the default Guardium self-signed certificate for the GUI, but the certificate is expired and its algorithm is no longer supported. This usually happens after applying the latest Guardium GPU patch; the list of supported certificate algorithms is updated with the latest GPU.
Diagnosing The Problem
Run the following CLI command to check the certificate information:
show certificate gui
For example:
GuardiumTest001.ibmtest> show certificate gui
Certificate keystore file .keystore
Alias name: tomcat
Creation date: Apr 21, 2004
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Guardium, OU=Guardium, O=Guardium, L=Waltham, ST=MA, C=MA
Issuer: CN=Guardium, OU=Guardium, O=Guardium, L=Waltham, ST=MA, C=MA
Serial number: xxxxxxx
Valid from: 4/21/04 10:34 PM until: 4/19/14 10:34 PM
Certificate fingerprints:
MD5: xxx
SHA1: xxx
SHA256:xxx
Signature algorithm name: MD5withRSA
Version: 1
ok
The MD5withRSA signature algorithm shown above caused the exception; MD5withRSA is no longer supported after applying the latest GPU, e.g. v9 GPU750.
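The two conditions named in the Cause section (expired validity, unsupported signature algorithm) can be checked automatically against saved "show certificate gui" output. The following is an added example, not IBM or Guardium code; the function name audit_certificate, the finding labels, and the inclusion of MD2 in the weak-digest list are assumptions made for illustration.

```python
import re
from datetime import datetime

# Constructed sample: the certificate fields from the output shown above.
SAMPLE = """\
Alias name: tomcat
Owner: CN=Guardium, OU=Guardium, O=Guardium, L=Waltham, ST=MA, C=MA
Issuer: CN=Guardium, OU=Guardium, O=Guardium, L=Waltham, ST=MA, C=MA
Valid from: 4/21/04 10:34 PM until: 4/19/14 10:34 PM
Signature algorithm name: MD5withRSA
Version: 1
"""

# Assumption: digests treated as rejected. The page names only MD5withRSA.
WEAK_DIGESTS = ("MD2", "MD5")
DATE_FMT = "%m/%d/%y %I:%M %p"  # layout of the "Valid from" line above


def audit_certificate(text, now=None):
    """Return findings for one certificate entry of the CLI output."""
    now = now or datetime.now()
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()

    findings = []
    validity = re.match(r"(.+?)\s+until:\s+(.+)$", fields.get("valid from", ""))
    if validity is None:
        findings.append("validity-unparsed")
    else:
        not_before, not_after = (
            datetime.strptime(v, DATE_FMT) for v in validity.groups())
        if now < not_before:
            findings.append("not-yet-valid")
        elif now > not_after:
            findings.append("expired")

    algorithm = fields.get("signature algorithm name", "")
    digest = algorithm.upper().split("WITH")[0]
    if digest in WEAK_DIGESTS:
        findings.append("weak-signature:" + algorithm)
    elif not algorithm:
        findings.append("algorithm-missing")
    return findings


if __name__ == "__main__":
    for finding in audit_certificate(SAMPLE):
        print(finding)
```

Running the same check across saved output from each appliance before applying a GPU shows which ones will hit this exception afterwards.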
Resolving The Problem
Run the following CLI command to restore the certificate keystore to the default value that was supplied with the latest GPU:
restore certificate keystore default
Then run the CLI command: restart gui
Document Information
Modified date: 16 June 2018
UID: swg22011693