If Java-based client applications connecting to DCM-secured IBM servers
(e.g., Secured Telnet) start refusing (typically after a Java update) to
establish secured connections, with the somewhat ungrammatical error,

    java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

you need to go into DCM and update your certificate(s) on the affected server(s), and (if they came out of the internal CA) probably its certificate as well. These are the instructions for a V6 box.

Start by going into DCM.

If the affected certificates came from your Internal CA, then start there. Click <Select a Certificate Store>, select "Local Certificate Authority," and click <Continue>. Enter the password for the CA, and click <Continue> again.

A "Manage Local CA" group will appear in the sidebar. Click "View." Look for the key length. It should be at least 2048. If it's less than 2048, the newest JVMs are going to turn up their noses at it.

If it's not at least 2048, click "Renew." You will probably need to manually change the key size to 2048 or more (top of the form), and you might also want to set a nice generous validity period (bottom of the form).

Once you've renewed the certificate, it will give you an opportunity to export your CA certificate, if any of your client boxes need copies of it. If your clients are only using the certificate for privacy, they might not care. And you can always export it later.

Once you have a local CA with keylength >= 2048, click <Select a Certificate Store> again, and this time go into the SYSTEM certificate store. Note that once you're in, the "Manage Local CA" group changes to "Manage Certificates." You can either click "Create Certificate" (in its own group, at the top of the sidebar), or "Renew Certificate" (in the "Manage Certificates" group).

For "Create Certificate," select "Server Certificate," and click <Continue>. Select "Local Certificate Authority," and click <Continue>. You'll be presented with a blank form in which to enter the parameters. BE SURE TO MANUALLY SET THE KEYSIZE TO >= 2048!

For "Renew Certificate," select the existing certificate you wish to renew, and click <Continue>. Select "Local Certificate Authority," and click <Continue>. You'll be presented with a form in which most of the parameters are taken from the existing certificate. Enter a new certificate label, and BE SURE TO MANUALLY SET THE KEYSIZE TO >= 2048!

For certificates signed by a public CA, you would skip the Local CA update, and when creating or renewing the certificate, you would select "VeriSign or other Internet Certificate Authority" instead of "Local Certificate Authority." This time, when you fill out the form, the response will be a CSR, which you will then need to submit to your CA.

Once you have your shiny new keylength >= 2048 certificate installed in your SYSTEM keystore, you may be taken directly to the "Assign Certificate" form; if not, then click "Assign Certificate." Select the application(s) to which you need to assign the certificate, and click <Continue>.

Then you will need to stop and restart the affected server(s). If you're restarting your Telnet server, make sure you do so from Systems Director, iNav, HMC, LAN Console, or an actual terminal, NOT from a Telnet session! Likewise, if you're restarting something that iNav depends on, do it from something other than iNav. And so forth. Don't saw off the limb you're sitting on.

--
James H. H. Lampert
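Added example, not part of the original post: a small POSIX shell script that applies the constraints a current JVM enforces from the jdk.certpath.disabledAlgorithms and jdk.tls.disabledAlgorithms lines of its java.security file to a certificate, so a DCM-served chain can be audited from a workstation before and after the renewal and restart described above. It reads the RSA modulus size and the signature algorithm with openssl, flags keys below MIN_RSA_BITS (defaulting to the 2048 the post recommends; set it to match the disabledAlgorithms line of the JVM you actually run) and MD2/MD5/SHA-1 signatures, and can save every certificate a server presents so the issuer is checked as well as the leaf, since the JVM applies the constraints to the whole chain, which is why the local CA has to be renewed too. Assumptions: openssl is on PATH; the host name myibmi.example.com, the /tmp/chain directory and port 992 (the usual Secured Telnet port) in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit a certificate the way a
# current JVM does before it throws
#   java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
# Assumption: openssl is on PATH. MIN_RSA_BITS defaults to the 2048 the post
# recommends; set it to match your JVM's jdk.certpath.disabledAlgorithms line.

MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

# cert_rsa_bits PEMFILE -> prints the RSA modulus size of the certificate.
# Matches both "Public-Key: (n bit)" (OpenSSL 1.0/3.x) and "RSA Public-Key: (n bit)" (1.1.x).
cert_rsa_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg PEMFILE -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# check_cert PEMFILE -> returns 0 if the JVM constraints are satisfied,
# 1 if the certificate would be rejected, 2 if it could not be read.
check_cert() {
    pem=$1
    bits=$(cert_rsa_bits "$pem")
    sig=$(cert_sig_alg "$pem")
    status=0
    if [ -z "$bits" ]; then
        echo "$pem: could not read an RSA public key size" >&2
        return 2
    fi
    if [ "$bits" -lt "$MIN_RSA_BITS" ]; then
        echo "$pem: RSA key is $bits bits (< $MIN_RSA_BITS): renew it in DCM with a larger key size"
        status=1
    fi
    case "$sig" in
        md2*|md5*|sha1*|MD2*|MD5*|SHA1*)
            echo "$pem: signed with $sig, which current JVMs also disable: reissue with SHA-2"
            status=1 ;;
    esac
    [ "$status" -eq 0 ] && echo "$pem: $bits-bit RSA, $sig: OK"
    return "$status"
}

# fetch_server_chain HOST PORT OUTDIR -> saves each certificate the server
# sends (leaf first, then issuers) as OUTDIR/cert-N.pem so every link of
# the chain can be run through check_cert.
fetch_server_chain() {
    host=$1; port=$2; out=$3
    mkdir -p "$out"
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | awk -v dir="$out" '
            /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
            f { print > f }
            /-----END CERTIFICATE-----/ { close(f); f = "" }'
}

# Usage against a live server (host name and port are placeholders):
#   fetch_server_chain myibmi.example.com 992 /tmp/chain
#   for c in /tmp/chain/cert-*.pem; do check_cert "$c"; done
# Run it once before the DCM change to see which certificate trips the
# constraint, and again after the server restart to confirm the fix.
```

If check_cert reports only the issuer certificate as too small, the server certificate alone will not fix the clients: that is the "renew the local CA first" step of the procedure above.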


This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].