Error: "Certificates does not conform to algorithm constraints" after upgrade to Sentinel 7.1.1 or Sentinel 7.2

  • 7014219
  • 04-Dec-2013
  • 02-Jul-2014


NetIQ Sentinel 7.1
NetIQ Sentinel 7.1 SP1
NetIQ Sentinel 7.2
eDirectory 8.x
IDM 4.x


After upgrading to Sentinel 7.1 SP1 or later, event sources connecting via the NetIQ Audit connector may fail to connect to Sentinel with this error:

Thu Nov 28 06:07:20 EST 2013|SEVERE|Thread-120|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient
 / Error encountered in sendClient(1): Certificates does not conform to algorithm constraints

This is happening on servers where default certificates are used in the logging applications like eDir, IDM, NAM and these certificates have a key size of  less than 1024 bits.


The reason for this is twofold:
 - Sentinel 7.1 SP1 or later ships with a newer Java version that has a restriction to not allow RSA keySizes of less than 1024
 - The default certificates used in the logging applications have a key size of less than 1024 and don't comply to this restriction. Because of this, the server rejects the connection with the error message shown above.

The fastest way to get the system working is to revert back this change. Edit the file jre/lib/security/ and look for this line:
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

Remove the last restriction, the line will look like this:

Restart Sentinel for the changes to take effect.

This would not be a solution but a workaround to get things working after the upgrade.

A proper resolution is to use custom certificates on the logging applications that use strong encryption (key sizes of 1024 or more). Once all applications have been updated, the restriction can be put back in place.

IDM 4.5 includes an instrumentation upgrade with certificates to a key size larger than 1024 to fix this problem.
eDirectory 88SP8 Patch 2 and eDirectory 88SP7 Patch 6 have Instrumentation upgrades with certificates to a key size larger than 1024 to fix the problem.  (Note: Instrumentation is not automatically upgraded with eDirectory, you must also manually install the instrumentation package within the eDir patch.)