TIBCO LogLogic LMI Management Station will not connect to remote appliances due to error "Algorithm constraints check failed" in /loglogic/tomcat/logs/logapp.log

Article ID: KB0077681

Products: TIBCO LogLogic Enterprise Virtual Appliance
Versions: 5.7.0 and higher

Description

After installing LMI 5.7.0, you may be unable to contact your remote appliances from the Management Station appliance. In addition, the following error is logged to /loglogic/tomcat/logs/logapp.log:

WARN com.loglogic.logapp.remoteControl.HttpClient31RequestSender - HttpClient method execution failed for URL: /logapp20/remoteControl/getRemoteTargetInfo. Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Algorithm constraints check failed: MD5withRSA.

The error refers to the signature algorithm used by one or more certificates in your SSL certificate chain. MD5withRSA (an RSA signature over an MD5 hash) is deprecated because MD5 collisions make such signatures forgeable, so the Java runtime shipped with LMI 5.7.0 lists it in its disabled algorithms (the jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms properties in java.security) and rejects any certificate path that contains it.

Issue/Introduction

After installing LMI 5.7.0, communication between the Management Station appliance and remote appliances may be lost. In addition, an error message containing the phrase "Algorithm constraints check failed" is logged to logapp.log. This is caused by a deprecated signature hash algorithm (MD5) being used by one or more of the SSL certificates installed on the appliances.
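To find out which certificate in the chain is the offender, the following added example (not TIBCO code) walks the DER structure of each certificate in a PEM bundle with no third-party libraries and reports the outer signatureAlgorithm, flagging the algorithms a JDK's certpath constraints reject. The sample chain it runs on is constructed: valid Certificate SEQUENCE skeletons with a placeholder tbsCertificate, not real certificates, so it works offline. Point it at a real PEM export of your chain to audit it.

```python
"""Find which certificate in a PEM chain is signed with MD5withRSA.

Added example for this article, not TIBCO code. The sample chain at the
bottom is constructed (placeholder tbsCertificate), not real certificates.
"""
import base64
import re
import sys

# signatureAlgorithm OID -> Java algorithm name
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}
# MD5 is what LMI 5.7.0's JDK rejects; newer JDKs also reject SHA-1 signatures.
REJECTED = {"MD5withRSA", "SHA1withRSA"}


def der_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der):
    """Return the dotted OID of a DER Certificate's outer signatureAlgorithm."""
    tag, start, _ = der_tlv(der, 0)                    # Certificate ::= SEQUENCE {
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = der_tlv(der, start)                #   tbsCertificate (skipped)
    tag, alg_start, _ = der_tlv(der, tbs_end)          #   signatureAlgorithm SEQUENCE
    assert tag == 0x30, "malformed signatureAlgorithm"
    tag, oid_start, oid_end = der_tlv(der, alg_start)  #   algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(der[oid_start:oid_end])


def audit_chain(pem_text):
    """Return [(index, java_algorithm_name, rejected)] for each cert in a PEM bundle."""
    pem_re = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    results = []
    for i, b64 in enumerate(re.findall(pem_re, pem_text, re.S)):
        der = base64.b64decode("".join(b64.split()))
        name = SIG_OIDS.get(signature_algorithm(der), "unknown")
        results.append((i, name, name in REJECTED))
    return results


# --- constructed sample input (not real certificates) ------------------------
def _tlv(tag, body):
    """DER-encode one TLV, using long-form length when needed."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return bytes(body)


def constructed_cert_pem(sig_oid):
    """A Certificate skeleton (placeholder tbsCertificate) with sig_oid as signatureAlgorithm."""
    tbs = _tlv(0x30, _tlv(0x04, bytes(200)))             # long-form lengths on purpose
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    der = _tlv(0x30, tbs + alg + _tlv(0x03, bytes(17)))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Leaf signed with SHA-256, intermediate signed with MD5: the intermediate is the culprit.
SAMPLE_CHAIN = constructed_cert_pem("1.2.840.113549.1.1.11") + constructed_cert_pem("1.2.840.113549.1.1.4")

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CHAIN
    for idx, name, bad in audit_chain(pem):
        print(f"cert[{idx}]: {name}" + ("  <-- rejected by jdk.certpath.disabledAlgorithms" if bad else ""))
```

Run it with the path of a PEM file containing the whole chain (leaf, intermediates and root) to see which link needs reissuing; the parser only reads the outer signatureAlgorithm, which is exactly the field the JDK's constraint check evaluates.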

Resolution

There are two ways to fix this:

1) (Preferred) Reissue every certificate in the chain (back to and including the root certificate) that is signed with MD5withRSA, this time using SHA-256 (SHA-1 is also being phased out in newer Java releases, so avoid it for new certificates), then reimport the new certificates into each appliance.

2) If you cannot issue new SSL certificates, you can edit the java.security file and remove the MD5 entries from the disabled-algorithms lists. Be aware that this re-enables MD5-signed certificates for every TLS connection the appliance's Java runtime makes, not just the connections between appliances, and that a later LMI or Java upgrade may replace this file and reinstate the restriction. The file you need is
/loglogic/java/lib/security/java.security

There are two properties to edit. First, search for jdk.tls.disabledAlgorithms. That should bring you to this section (the line beginning with # is a commented-out example; the line below it is the active setting):

# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH


Remove MD5withRSA from that list. Then search for jdk.certpath.disabledAlgorithms. The first matches are commented-out example lines, so you may have to search more than once before you reach the active setting, which looks like this:

# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024


Remove the standalone MD5 entry from that list (leave MD2 and the RSA key-size constraint in place), then save and exit. You'll need to make this change on all of the appliances. Restart engine_tomcat on the Management Station and then on each remote appliance with the following command at the toor command prompt:

$ mtask -s engine_tomcat restart
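The edit above is easy to get wrong with a one-line sed: a pattern such as s/MD5//g also turns MD5withRSA into withRSA and rewrites the commented-out example lines. The following added example (not TIBCO tooling) applies the two removals to the active property lines only, matching whole comma-separated entries, with a backup and an optional restart. JAVA_SECURITY is the path the article names; SAMPLE_JAVA_SECURITY is a constructed fragment mirroring the article's excerpt so the script can be dry-run anywhere.

```python
"""Remove an entry from an active jdk.*.disabledAlgorithms line in java.security.

Added example for this article, not TIBCO tooling. SAMPLE_JAVA_SECURITY is a
constructed fragment of the file; the real path is JAVA_SECURITY.
"""
import shutil
import subprocess
import sys

JAVA_SECURITY = "/loglogic/java/lib/security/java.security"

# The two removals the article describes: (property, entry to drop).
EDITS = [("jdk.tls.disabledAlgorithms", "MD5withRSA"),
         ("jdk.certpath.disabledAlgorithms", "MD5")]

SAMPLE_JAVA_SECURITY = """\
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, EC, ECDHE, ECDH
# Example:
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
"""


def active_value(text, prop):
    """Return the value of the active (uncommented) `prop=` line, or None."""
    for line in text.splitlines():
        if line.lstrip().startswith(prop + "="):
            return line.split("=", 1)[1].strip()
    return None


def remove_entry(text, prop, alg):
    """Return (new_text, removed) with `alg` dropped from the active `prop=` line.

    Only a whole entry equal to `alg` (case-insensitive) is removed, so dropping
    "MD5" from the certpath line leaves "MD5withRSA" on the tls line untouched,
    and comment lines are never modified. Handles single-line values, which is
    how the LMI 5.7.0 file is laid out.
    """
    out, removed = [], False
    for line in text.splitlines(keepends=True):
        if line.lstrip().startswith(prop + "="):
            key, _, value = line.partition("=")
            newline = "\n" if value.endswith("\n") else ""
            entries = [e.strip() for e in value.strip().split(",")]
            kept = [e for e in entries if e.lower() != alg.lower()]
            if len(kept) != len(entries):
                removed = True
                line = key + "=" + ", ".join(kept) + newline
        out.append(line)
    return "".join(out), removed


def apply_edits(text, edits=EDITS):
    """Apply every (prop, alg) removal; return (new_text, list of pairs actually removed)."""
    done = []
    for prop, alg in edits:
        text, removed = remove_entry(text, prop, alg)
        if removed:
            done.append((prop, alg))
    return text, done


def patch_file(path=JAVA_SECURITY, restart=False):
    """Back up the file, apply the edits in place, optionally restart engine_tomcat."""
    shutil.copy2(path, path + ".bak")            # keep the original to revert to
    with open(path) as f:
        new_text, done = apply_edits(f.read())
    with open(path, "w") as f:
        f.write(new_text)
    if restart:                                  # the article's restart command
        subprocess.run(["mtask", "-s", "engine_tomcat", "restart"], check=True)
    return done


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        print("removed:", patch_file(restart="--restart" in sys.argv))
    else:                                        # dry run on the constructed sample
        new_text, done = apply_edits(SAMPLE_JAVA_SECURITY)
        print(new_text, "removed:", done)
```

Without arguments the script prints the result of a dry run on the sample fragment; with --apply (and optionally --restart) as toor it edits the real file after writing a .bak copy. Running it a second time removes nothing, so it is safe to rerun on every appliance.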


The Management Station should now connect to the remote appliances as before; confirm that the "Algorithm constraints check failed" warning no longer appears in /loglogic/tomcat/logs/logapp.log.