Environment
NetIQ Sentinel 7.1
NetIQ Sentinel 7.1 SP1
NetIQ Sentinel 7.2
eDirectory 8.x
IDM 4.x
NAM
Situation
After upgrading to Sentinel 7.1 SP1 or later, event sources connecting via the NetIQ Audit connector may fail to connect to Sentinel with this error:
Thu Nov 28 06:07:20 EST 2013|SEVERE|Thread-120|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
/172.27.192.71:42245: Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
This happens on servers where the logging applications (eDirectory, IDM, NAM) use their default certificates, and those certificates have a key size of less than 1024 bits.
Resolution
The reason for this is twofold:
- Sentinel 7.1 SP1 or later ships with a newer Java version whose certificate path validation does not allow RSA key sizes of less than 1024 bits.
- The default certificates used in the logging applications have a key size of less than 1024 bits and do not comply with this restriction. Because of this, the server rejects the connection with the error message shown above.
The fastest way to get the system working is to revert this change. Edit the file jre/lib/security/java.security and look for this line:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
Remove the last restriction so that the line looks like this:
jdk.certpath.disabledAlgorithms=MD2
Restart Sentinel for the changes to take effect. This is not a solution but a workaround to get things working after the upgrade.
A proper resolution is to use custom certificates on the logging applications that use strong encryption (key sizes of 1024 or more). Once all applications have been updated, the restriction can be put back in place.
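Before relaxing the policy or after replacing certificates, it helps to know exactly which event-source certificates the Sentinel JVM will reject. The following Java program is an added example, not part of this article or of NetIQ's tooling: run with the JRE that Sentinel uses, it reads that JVM's jdk.certpath.disabledAlgorithms setting, extracts the RSA minimum, and reports for each certificate file given on the command line (PEM or DER, for instance one exported from eDirectory, IDM or NAM) whether its RSA key falls below that minimum. The class name and the file paths are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Reports which certificates the running JVM's jdk.certpath.disabledAlgorithms
 * policy would reject because of a short RSA key.
 * Usage: java CertKeySizeAudit cert1.pem [cert2.pem ...]   (hypothetical file names)
 * Run it with Sentinel's own JRE so the same jre/lib/security/java.security is read.
 */
public class CertKeySizeAudit {

    /** Minimum RSA key size demanded by a policy such as "MD2, RSA keySize < 1024"; 0 if none. */
    static int minRsaKeySize(String policy) {
        if (policy == null) return 0;
        Matcher m = Pattern.compile("RSA\\s+keySize\\s*<\\s*(\\d+)").matcher(policy);
        return m.find() ? Integer.parseInt(m.group(1)) : 0;
    }

    public static void main(String[] args) throws Exception {
        String policy = Security.getProperty("jdk.certpath.disabledAlgorithms");
        int minBits = minRsaKeySize(policy);
        System.out.println("jdk.certpath.disabledAlgorithms=" + policy);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (String path : args) {
            InputStream in = new FileInputStream(path);
            try {
                // generateCertificates accepts PEM or DER and returns every certificate in the file
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    String subject = x.getSubjectX500Principal().getName();
                    if (!(x.getPublicKey() instanceof RSAPublicKey)) {
                        System.out.println(path + ": " + subject + ": not an RSA key, not covered by this check");
                        continue;
                    }
                    int bits = ((RSAPublicKey) x.getPublicKey()).getModulus().bitLength();
                    String verdict = (minBits > 0 && bits < minBits) ? "REJECTED by policy" : "ok";
                    System.out.println(path + ": " + subject + ": RSA " + bits + " bits: " + verdict);
                }
            } finally {
                in.close();
            }
        }
    }
}
```

A certificate reported as "REJECTED by policy" is one that will produce the handshake error above until it is replaced or the policy is relaxed.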
IDM 4.5 includes an instrumentation upgrade with certificates of a key size larger than 1024 bits to fix this problem.
eDirectory 88SP8 Patch 2 and eDirectory 88SP7 Patch 6 have instrumentation upgrades with certificates of a key size larger than 1024 bits to fix the problem. (Note: instrumentation is not upgraded automatically with eDirectory; you must also manually install the instrumentation package included in the eDir patch.)