Troubleshooting
Problem
When trying to connect the CICS Explorer, you receive the error IZE0106E Connect failed with error "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints". This occurs after changing the version of Java™ that you are using for CICS Explorer. You are probably using the CICS Explorer SDK and therefore providing your own Java.
Symptom
IZE0106E Connect failed with error "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints"
Cause
The host SSL certificate does not meet the more stringent security requirements of newer Java Virtual Machines (JVMs).
Diagnosing The Problem
Verify that the problem occurs with an Oracle JRE version 7 update 40 or newer, or an IBM Runtime Environment for Java 1.7 SR6 or newer. The problem will not occur with older versions of the Java Runtime.
You receive message IZE0106E because from these versions of Java onwards, the use of x.509 certificate with RSA keys of less than 1024 bits in length is disallowed. This was achieved by adjusting the value in jre/lib/security/java.security file as follows:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
This means that any certificate signed with MD2 or with a RSA key of length less than 1024 bits, is not acceptable.
Resolving The Problem
It is recommended that you update your certificates to include stronger keys. As a workaround, at your own risk, you can edit the keysize in the jdk.certpath.disabledAlgorithms property to permit smaller key sizes.
See "Default x.509 Certificates Have Longer Key Length" in the SE Development Kit 7 Update 40 Release Notes - Oracle for more information.
Product Synonym
CICS/TS CICS TS CICS Transaction Server
Was this topic helpful?
Document Information
Modified date:
15 June 2018
UID
swg21656944