NetIQ Audit connector is not working as expected

  • 7017764
  • 22-Jun-2016
  • 12-Apr-2017

Environment

NetIQ Sentinel 7.4.2x Sentinel Server

Situation

The audit connector is not able to connect to Sentinel.

The following error appears in server0.0.log:

Error encountered in sendClient(1): javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
Thu Jun 16 16:42:58 IST 2016|SEVERE|Thread-370|esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient

        Root cause: Certificates does not conform to algorithm constraints (java.security.cert.CertificateException)
        javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
                at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
                at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
                at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
                at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1909)
                at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:230)
                at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
                at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
                at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
                at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
                at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
                at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
                at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
                at java.io.DataOutputStream.write(DataOutputStream.java:88)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.sendClient(DeviceSensorAuditListener.java:949)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.handle_LE_CMD_STARTTLS(DeviceSensorAuditListener.java:666)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.performHandShake(DeviceSensorAuditListener.java:607)
                at esecurity.ccs.comp.evtsrcmgt.connector.auditserver.DeviceSensorAuditListener$LEngine.run(DeviceSensorAuditListener.java:462)
        Caused by: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
                at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1055)
                at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:981)
                at sun.security.ssl.AbstractTrustManagerWrapper.checkClientTrusted(SSLContextImpl.java:916)
                at sun.security.ssl.ServerHandshaker.clientCertificate

Resolution

Preferred solution

On Sentinel, update to Sentinel Audit connector 2011.1r4 (build Jan 2017).

On eDirectory, update to eDirectory 8.8 SP8 Patch 9 Hotfix 2 or later.

OR

Alternative: disable the security improvements added to Sentinel (this re-enables the MD5withRSA certificate algorithm that Java deprecated)

1. On the Sentinel server, open the file in which the settings need to be changed: /opt/novell/sentinel/jdk/jre/lib/security/java.security

2. The file previously contained these two lines:

jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768

Comment out those two lines and add the following two lines (the same entries with MD5 and MD5withRSA removed):

jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

3. After these modifications, the settings in java.security look like this:

#jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

#jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768

4. For the changes to take effect, restart the Sentinel service with rcsentinel restart or /etc/init.d/sentinel restart.
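As an added example (not part of this TID or of the Sentinel product), the following Python check evaluates a certificate's signature algorithm and key size against a java.security disabledAlgorithms line, using the JDK rule that a bare digest name such as MD5 also disables composite names like MD5withRSA; this is why the original jdk.certpath line rejects the eDirectory certificate without naming MD5withRSA, and why both properties, which the JDK consults during the TLS handshake, are edited. The certificate values are constructed for illustration; substitute those of your own eDirectory certificate (openssl x509 -noout -text shows them).

```python
"""Check a certificate against a java.security disabledAlgorithms line.
Simplified reimplementation of the JDK's DisabledAlgorithmConstraints rules
(not JDK code): a bare name such as "MD5" also disables composite names that
contain it ("MD5withRSA"); "RSA keySize < 1024" rejects short RSA keys."""
import operator
import re

# Certificate fields as seen by checkAlgorithmConstraints(). Constructed sample
# values; the TID does not show the real eDirectory certificate.
EDIR_CERT = {"sig_alg": "MD5withRSA", "key_alg": "RSA", "key_size": 2048}

KEYSIZE_RE = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|!=|==|<|>)\s*(\d+)$")
OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}

def decompose(alg):
    """Split a composite name on 'with'/'and': MD5withRSA -> {MD5, RSA}."""
    return {p.upper() for p in re.split(r"with|and", alg, flags=re.IGNORECASE) if p}

def parse_constraints(line):
    """Parse 'jdk.x.disabledAlgorithms=MD2, MD5, RSA keySize < 1024' into a set
    of disabled names and a list of (algorithm, operator, bits) key-size rules."""
    names, sizes = set(), []
    for entry in (e.strip() for e in line.partition("=")[2].split(",") if e.strip()):
        m = KEYSIZE_RE.match(entry)
        if m:
            sizes.append((m.group(1).upper(), m.group(2), int(m.group(3))))
        else:
            names.add(entry.upper())
    return names, sizes

def rejected_by(line, cert):
    """Return why `cert` fails the constraint line, or None if it is permitted."""
    names, sizes = parse_constraints(line)
    # The full signature algorithm name or any of its components may be disabled.
    hits = ({cert["sig_alg"].upper()} | decompose(cert["sig_alg"])) & names
    if hits:
        return f"signature algorithm {cert['sig_alg']} uses disabled {min(hits)}"
    for alg, op, bits in sizes:
        if alg == cert["key_alg"].upper() and OPS[op](cert["key_size"], bits):
            return f"{alg} key of {cert['key_size']} bits violates keySize {op} {bits}"
    return None

if __name__ == "__main__":
    # The TID's original line rejects the MD5-signed certificate; the edited line permits it.
    for line in ("jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024",
                 "jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024"):
        print(line, "->", rejected_by(line, EDIR_CERT) or "permitted")
```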

Cause

eDirectory uses the MD5withRSA certificate signature algorithm, which has been deprecated in Java 1.8, the version used by Sentinel. Java deprecated MD5withRSA to improve security, and the jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms settings shown above enforce this by rejecting the certificate during the TLS handshake.