Certificate does not conform to algorithm constraints

03-19-2019 11:25 AM
DeanMoiler
Occasional Contributor

Hello fellow mappers!

I'm having an issue with Portal/Server (10.5.1) federation validation when using certificates signed with the RSASSA-PSS (SHA1withRSAandMGF1) signature algorithm.

The certificates along with root and intermediate certificates installed fine, so no problems there.

The system operates within a Windows Domain, so I'm assuming that it's an MS CA doing the signing.

The error I'm receiving when validating is the following:

Error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificate does not conform to algorithm constraints

I believe this is causing some other issues relating to CPU flooding from the javaw.exe process over time, causing the Portal server to become unresponsive as well as not being able to contact the ArcGIS DataStore due to the issues validating the hosting server.

From what I can tell the RSASSA-PSS cipher suite has been updated in JDK as part of TLS 1.3 rollout, though I can't seem to find reference in the JRE crypto roadmap.

So I've got two questions:

  1. Does anyone know when Java/Esri will support the above algorithm constraints?
  2. Is it possible for the CA to "simply" sign the CSR with a supported algorithm to establish normal operations?

Thanks!

Dean

Accepted Solutions
DeanMoiler
Occasional Contributor

As an update in case anyone comes across a similar issue, certificates signed with PKCS #1 Version 2.1 will be shown as RSASSA-PSS.

A CA was configured with an SHA256 (rather than SHA1) hash algorithm and:

CNGEncryptionAlgorithm 3DES
CNGPublicKeyAlgorithm RSA

Generating the CSRs in AGS and having them signed by the new CA worked a treat.

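A pre-deployment check for the situation described in this thread, added here as an example and not code from the original post or from Esri: it reads a DER certificate's outer signatureAlgorithm field with the standard library only and flags RSASSA-PSS (what a CA configured for PKCS #1 v2.1 produces, OID 1.2.840.113549.1.1.10), so a chain can be inspected before it is installed into a Java-based product whose algorithm constraints reject it. The two certificate byte strings are constructed, skeletal fixtures with the real Certificate layout but placeholder contents, not real certificates.

```python
# Added example (not code from the original thread): report the signatureAlgorithm OID of a
# DER certificate using only the standard library, so a chain can be checked for RSASSA-PSS
# (PKCS #1 v2.1, OID 1.2.840.113549.1.1.10) before it is installed into a Java-based product
# whose algorithm constraints reject it.
RSASSA_PSS_OID = "1.2.840.113549.1.1.10"
SHA256_WITH_RSA_OID = "1.2.840.113549.1.1.11"

# CONSTRUCTED fixtures: skeletal DER with the real Certificate layout (tbsCertificate,
# signatureAlgorithm, signatureValue) but placeholder contents; not usable certificates.
PSS_SIGNED_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010a3000" "03020000")
SHA256_RSA_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "03020000")

def der_items(data):
    """Yield (tag, content) for each DER TLV in data; handles long-form lengths."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return the OID from Certificate.signatureAlgorithm (2nd element of the outer SEQUENCE)."""
    tag, body = next(der_items(cert_der))
    assert tag == 0x30, "certificate is not a SEQUENCE"
    _tbs, (alg_tag, alg_content), _sig = list(der_items(body))[:3]
    assert alg_tag == 0x30, "signatureAlgorithm is not an AlgorithmIdentifier SEQUENCE"
    oid_tag, oid_bytes = next(der_items(alg_content))
    assert oid_tag == 0x06, "AlgorithmIdentifier does not start with an OID"
    return decode_oid(oid_bytes)

def is_rsassa_pss(cert_der):
    """True when the certificate was signed with RSASSA-PSS (what a PKCS #1 v2.1 CA produces)."""
    return signature_algorithm(cert_der) == RSASSA_PSS_OID
```

To run it against a real PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert(open(path).read())` and pass the result to `is_rsassa_pss`; check every certificate in the chain, not only the leaf.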
MichaelVolz
Esteemed Contributor

You mention a TLS 1.3 rollout in your original post. I thought ESRI software only recognized up to TLS 1.2 at this point in time. Do you have any ESRI documentation that mentions TLS 1.3 that you can provide links to?

DeanMoiler
Occasional Contributor

Hi Michael,

Yes, that is correct; it only supports TLS 1.2 at this stage.

There is no such Esri documentation as yet that I'm aware of.

My statement regarding TLS 1.3 was in relation to JRE / Java security roadmap / rollouts / bug fixes that I discovered in the Oracle Java Bug Database.

Thanks,

Dean