Environment
- NetIQ Access Manager 3.2
- NetIQ Access Manager 4.0
- NetIQ Access Manager 4.0.1
Situation
- NetIQ Access Manager has been upgraded from 3.2SP2IR2 to 4.0SP1
- NIDP server reports:
Unable to load metadata for Embedded Service Provider: https://esp-emea.corp:443/nesp/idff/metadata, error: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
- Access Gateway does not start up anymore
- Apache reports the error:
httpd: Syntax error on line 497 of /etc/opt/novell/apache2/conf/httpd.conf: Syntax error on line 22 of /etc/opt/novell/ag/ag_hook.conf: Syntax error on line 6 of /etc/opt/novell/ag/mod_novell_ag.conf: Cannot load /opt/novell/ag/lib/mod_novell_ag.so into server: /opt/novell/ag/lib/mod_novell_ag.so: undefined symbol: ap_get_sb_worker
- JCC on the Access Gateway reports:
Oct XX, 2014 10:56:48 PM com.novell.jcc.util.JCCUtils logSevere SEVERE: AM#100706034: Exception - get key failed com.novell.jcc.cert.CertificateClient getKeyForServiceWithRetry No data getting key: esp-emea_corp in ag-XXXXXXXXXXX-proxy to /opt/novell/apache2/certs com.novell.jcc.JCCException: No data getting key: esp-emea_corp in ag-XXXXXXXXXXX-proxy to /opt/novell/apache2/certs
Resolution
- modify the "/opt/novell/jdk1.7.0_25/jre/lib/security/java.security" file on all devices (NIDP and Access Gateways), commenting out the directive "jdk.certpath.disabledAlgorithms=MD2". Note: this is a workaround that re-enables MD2-signed certificates for certificate path validation on every device; the lasting fix is to replace the Embedded Service Provider certificate chain with one whose root is signed with SHA-2 (see Cause). A later JDK update ships its own java.security, so verify the directive again after patching.
- restart all devices
Cause
The trust chain of the certificate which has been assigned to the Embedded Service Provider contains a Root Certificate which has been signed using the MD2 hash algorithm. With the Java 7 runtime (jdk1.7.0_25) shipped with Access Manager 4.0, which also runs Tomcat 7, MD2 is excluded from certificate path validation by default through the jdk.certpath.disabledAlgorithms setting in java.security, because of its known security weaknesses. MD4, MD5 and SHA-1 are still accepted but will be discontinued like MD2 soon. For the future SHA-2 (SHA-256) should be used. Certificates with SHA-2 are supported with the latest versions of Access Manager. Note: The GUI (iManager) can still neither create a signing request for SHA-2 nor properly display imported certificates with a SHA-2 hash. This has already been reported to engineering.
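Before touching java.security it is worth confirming which certificate in the ESP chain actually carries the weak signature, and whether the chain you plan to import instead would survive the stricter jdk.certpath.disabledAlgorithms lists of later JDK updates. The script below is an added example, not part of this TID or of Access Manager: it reads the outer signatureAlgorithm field of each certificate (DER or PEM, e.g. the files under /opt/novell/apache2/certs or the output of openssl s_client -showcerts), maps the OID to its JCA name, and evaluates the chain against a java.security directive the way Java's DisabledAlgorithmConstraints does (whole name plus each side of "with"; the keySize clauses are ignored here as a simplification). The certificates it runs on by default are constructed stand-ins with a dummy body, built inline so the example runs offline; build_stub_cert, audit and the chain names are assumptions of this example.

```python
"""Report the signature algorithm of each certificate in a chain and check it
against a JDK-style jdk.certpath.disabledAlgorithms policy line.
Added example; not code from the NetIQ TID or from Access Manager."""
import base64
import re
import sys

# PKCS#1 / RFC 4055 signature-algorithm OIDs and their JCA names.
SIG_OIDS = {
    "1.2.840.113549.1.1.2": "MD2withRSA",
    "1.2.840.113549.1.1.3": "MD4withRSA",
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode DER OID content octets into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def pem_to_der(data):
    """Accept one or more PEM blocks, or raw DER; return a list of DER blobs."""
    if data.lstrip().startswith(b"-----BEGIN"):
        pat = rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
        return [base64.b64decode(b) for b in re.findall(pat, data, re.S)]
    return [data]


def signature_algorithm(der):
    """JCA name (or dotted OID if unknown) of the outer Certificate.signatureAlgorithm."""
    tag, pos, _ = _read_tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)                # tbsCertificate, skipped
    _, alg_start, _ = _read_tlv(der, tbs_end)          # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)


def parse_disabled(policy_line):
    """'jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024' -> {'MD2','MD5'}.
    A commented-out directive (leading '#') yields no constraints at all."""
    line = policy_line.strip()
    if line.startswith("#"):
        return set()
    value = line.partition("=")[2]
    return {i.strip().replace("-", "").upper()
            for i in value.split(",") if i.strip() and "keySize" not in i}


def _components(jca_name):
    """Parts Java matches a policy entry against: full name plus each side of 'with'."""
    parts = {jca_name.replace("-", "").upper()}
    m = re.match(r"(.+?)WITH(.+)", jca_name, re.I)
    if m:
        parts.update(p.replace("-", "").upper() for p in m.groups())
    return parts


def check_chain(algs, disabled):
    """(index, algorithm) pairs the policy rejects; empty means the chain validates."""
    return [(i, a) for i, a in enumerate(algs) if _components(a) & disabled]


def audit(chain_der, policy_line):
    algs = [signature_algorithm(c) for c in chain_der]
    return algs, check_chain(algs, parse_disabled(policy_line))


# --- constructed stand-in certificates (NOT real X.509; body is a placeholder) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return out


def build_stub_cert(sig_oid):
    """Outer Certificate SEQUENCE with a dummy tbsCertificate and signature."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 17))


# Shape of the chain from this TID (leaf first): only the root is MD2-signed.
CONSTRUCTED_ESP_CHAIN = [build_stub_cert("1.2.840.113549.1.1.5"),
                         build_stub_cert("1.2.840.113549.1.1.5"),
                         build_stub_cert("1.2.840.113549.1.1.2")]
# A replacement chain issued with SHA-256 throughout.
CONSTRUCTED_SHA2_CHAIN = [build_stub_cert("1.2.840.113549.1.1.11")] * 3

if __name__ == "__main__":
    policy = "jdk.certpath.disabledAlgorithms=MD2"
    chain = CONSTRUCTED_ESP_CHAIN
    if len(sys.argv) > 1:                               # real files: cert.der / chain.pem
        chain = [d for f in sys.argv[1:] for d in pem_to_der(open(f, "rb").read())]
    algs, rejected = audit(chain, policy)
    for i, a in enumerate(algs):
        print(f"cert[{i}]: {a}")
    print("rejected by policy:", rejected or "none")
```

Run it with no arguments to see the TID's situation (the MD2withRSA root is the only rejected entry under the default 7u25 policy and nothing is rejected once the directive is commented out), or pass the exported chain files to audit your own ESP chain. Checking the replacement chain against a longer list such as "MD2, MD5, SHA1, RSA keySize < 1024" shows which chains will keep working as the JDK policy tightens.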