
Connection to an LDAP Server Fails With Error "Certificate does not conform to algorithm constraints."


Problem

An LDAP connection fails with the error "Certificate does not conform to algorithm constraints" and although you have gone through the troubleshooting steps in the articles KB0597327 and KB0621974, the same error remains.

Cause

The LDAP server's certificate is signed with a signature algorithm that Java JDK 1.8 does not support.

To determine whether this is the case:

  1. From a terminal window, SSH to one of the application server nodes of the instance that is having the issue.

  2. Execute the following from the terminal window command line:

    openssl s_client -connect <LDAP Server IP address or hostname>:<LDAP Port> -servername <LDAP Server hostname> </dev/null 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'

    (The -servername value is the SNI name sent to the server and should be the LDAP server's hostname; redirecting stdin from /dev/null makes s_client exit once the handshake completes instead of waiting for input.)

    Note whether the following is returned:

    Signature Algorithm: rsassaPss
    Signature Algorithm: rsassaPss

    This output confirms that the certificate uses a signature algorithm that is not compatible with JDK 1.8. For example:

    $ openssl s_client -connect 66.109.88.6:636 -servername sha1.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
    Signature Algorithm: rsassaPss
    Signature Algorithm: rsassaPss

Java 8 does not support the RSA-PSS signature algorithm (reported by OpenSSL as rsassaPss), which Microsoft CAs can use to sign certificates.

The following reports document problems with this signature algorithm:

https://bugs.openjdk.java.net/browse/JDK-8166595
https://support.mozilla.org/en-US/questions/986085

The following example shows a compatible JDK 1.8 signature algorithm:

$ openssl s_client -connect 66.109.88.6:636 -servername sha1.badssl.com 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'

Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

If the command returns a different Signature Algorithm than the unsupported rsassaPss, check online to determine whether the returned Signature Algorithm is supported in Java 8.
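The check described above can be scripted so that the result is a clear verdict rather than two grep lines to interpret by eye. The following POSIX shell script is an added example and is not ServiceNow's code; the allow and deny lists it uses are an assumption based on this article (rsassaPss unsupported, sha256WithRSAEncryption supported) plus Java 8's default jdk.certpath.disabledAlgorithms entries (MD2 and MD5; later Java 8 updates also restrict SHA-1 for TLS server certificates). The sample certificate fragments at the bottom are constructed, not captured from a real LDAP server.

```shell
#!/bin/sh
# Added example: classify an LDAPS server certificate's signature algorithm
# for Java 8 compatibility. Not ServiceNow's script. The algorithm lists are
# assumptions drawn from the article and Java 8's default disabled-algorithm
# settings; extend them to match your own JDK build's security properties.

# classify_sig_alg reads `openssl x509 -noout -text` output on stdin and
# prints one verdict: UNSUPPORTED, RESTRICTED, SUPPORTED, UNKNOWN, or NONE.
classify_sig_alg() {
    # -text prints "Signature Algorithm" twice (once in the TBS certificate,
    # once next to the signature value); both are the same, so take the first.
    alg=$(sed -n 's/^[[:space:]]*Signature Algorithm: *\([^ ]*\).*/\1/p' | head -n 1)
    case "$alg" in
        "")
            echo NONE ;;                 # no certificate text on stdin
        rsassaPss)
            echo UNSUPPORTED ;;          # RSA-PSS: the case this article covers
        md2WithRSAEncryption|md5WithRSAEncryption|sha1WithRSAEncryption)
            echo RESTRICTED ;;           # blocked by jdk.certpath.disabledAlgorithms
        sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption|ecdsa-with-SHA256|ecdsa-with-SHA384)
            echo SUPPORTED ;;            # SHA-2 based RSA PKCS#1 v1.5 or ECDSA
        *)
            echo UNKNOWN ;;              # look the algorithm up before trusting it
    esac
}

# fetch_and_classify connects to host:port (default 636), pulls the server
# certificate, and classifies it. The LDAP hostname is used as the SNI name.
fetch_and_classify() {
    host=$1
    port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | classify_sig_alg
}

# Constructed sample fragments (not real server output), shaped like the
# two grep lines shown in the article.
SAMPLE_PSS="    Signature Algorithm: rsassaPss
    Signature Algorithm: rsassaPss"
SAMPLE_OK="    Signature Algorithm: sha256WithRSAEncryption
    Signature Algorithm: sha256WithRSAEncryption"

# Usage: ./check_ldap_sigalg.sh --demo            (classify the samples)
#        ./check_ldap_sigalg.sh ldap.example.com 636   (query a live server)
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_PSS" | classify_sig_alg   # UNSUPPORTED
    printf '%s\n' "$SAMPLE_OK" | classify_sig_alg    # SUPPORTED
elif [ -n "${1:-}" ]; then
    fetch_and_classify "$1" "${2:-636}"
fi
```

Run it with --demo to see the two verdicts for the constructed samples, or pass the LDAP host and port to query a live server from an application node. A RESTRICTED or UNSUPPORTED verdict means the certificate must be reissued with a supported algorithm, as the Resolution section describes; UNKNOWN means the algorithm still has to be checked against the JDK's documentation.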


Resolution

Apply a new or updated certificate on your LDAP that uses a Signature Algorithm that is supported by Java 8, for example, sha256WithRSAEncryption.

If the certificate is updated on the LDAP server, you also need to import the certificate into ServiceNow. For more information, refer to the documentation topic Certificates.

Article Information

Last Updated: 2017-11-09 02:30:41
Published: 2017-11-09