If Java-based client applications connecting to DCM-secured IBM servers
(e.g., Secured Telnet) start refusing (typically after a Java update) to
establish secured connections, with the somewhat ungrammatical error

java.security.cert.CertificateException: Certificates does not
conform to algorithm constraints

you need to go into DCM and update your certificate(s) on the affected
server(s), and (if they came out of the internal CA) probably the CA's
certificate as well. These are the instructions for a V6 box.
Start by going into DCM.
If the affected certificates came from your Internal CA, then start 
there. Click <Select a Certificate Store>, select "Local Certificate 
Authority," and click <Continue>. Enter the password for the CA, and 
click <Continue> again.
A "Manage Local CA" group will appear in the sidebar. Click "View." Look 
for the key length. It should be at least 2048. If it's less than 2048, 
the newest JVMs are going to turn up their noses at it.
If it's not at least 2048, click "Renew." You will probably need to 
manually change the key size to 2048 or more (top of the form), and you 
might also want to set a nice generous validity period (bottom of the form).
Once you've renewed the certificate, it will give you an opportunity to 
export your CA certificate, if any of your client boxes need copies of 
it. If your clients are only using the certificate for privacy, they 
might not care. And you can always export it later.
Once you have a local CA with keylength >= 2048, click <Select a
Certificate Store> again, and this time go into the SYSTEM certificate
store. Note that once you're in, the "Manage Local CA" group changes to
"Manage Certificates." You can either click "Create Certificate" (in its
own group, at the top of the sidebar), or "Renew Certificate" (in the
"Manage Certificates" group).
For "Create Certificate," select "Server Certificate," and click 
<Continue>. Select "Local Certificate Authority," and click <Continue>. 
You'll be presented with a blank form in which to enter the parameters. 
BE SURE TO MANUALLY SET THE KEYSIZE TO >= 2048!
For "Renew Certificate," select the existing certificate you wish to 
renew, and click <Continue>.  Select "Local Certificate Authority," and 
click <Continue>. You'll be presented with a form in which most of the 
parameters are taken from the existing certificate. Enter a new 
certificate label, and BE SURE TO MANUALLY SET THE KEYSIZE TO >= 2048!
For certificates signed by a public CA, you would skip the Local CA 
update, and when creating or renewing the certificate, you would select 
"VeriSign or other Internet Certificate Authority" instead of "Local 
Certificate Authority." This time, when you fill out the form, the 
response will be a CSR, which you will then need to submit to your CA.
Once you have your shiny new keylength >= 2048 certificate installed in 
your SYSTEM keystore, you may be taken directly to the "Assign 
Certificate" form; if not, then click "Assign Certificate." Select the 
application(s) to which you need to assign the certificate, and click 
<Continue>.
Then you will need to stop and restart the affected server(s). If you're
restarting your Telnet server, make sure you do so from Systems
Director, iNav, HMC, LAN Console, or an actual terminal, NOT from a
Telnet session! Likewise, if you're restarting something that iNav
depends on, do it from something other than iNav. And so forth. Don't
saw off the limb you're sitting on.
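A way to confirm, before and after the renewal above, that a certificate exported from DCM (the CA certificate or the server certificate) really carries an RSA key of at least 2048 bits. This is an added example, not part of the original post or of DCM; it uses only the Python standard library, walking the DER structure by hand to pull the modulus out of subjectPublicKeyInfo. The build_sample_cert() helper produces a constructed, non-valid stand-in certificate purely so the checker can be exercised offline; the 2048-bit minimum is the one the post recommends.

```python
"""Check an X.509 certificate's RSA key length against the 2048-bit minimum.

Added example (not from the original post). Standard library only: a small
DER walker reads Certificate -> tbsCertificate -> subjectPublicKeyInfo and
returns the modulus bit length. Accepts DER bytes or PEM text.
"""
import base64
import re

MIN_RSA_BITS = 2048                                    # minimum the post recommends
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _read_tlv(buf, pos):
    """Decode one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child


def pem_to_der(data):
    """Strip PEM armour if present and return raw DER bytes."""
    if isinstance(data, str):
        data = data.encode()
    if b"-----BEGIN" in data:
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def rsa_key_bits(cert):
    """Return the bit length of the RSA modulus in the certificate's public key."""
    _, cert_body, _ = _read_tlv(pem_to_der(cert), 0)   # Certificate SEQUENCE
    tbs = next(_children(cert_body))[1]                  # tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                             # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    alg, bitstr = [v for _, v in _children(spki)]
    if next(_children(alg))[1] != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption certificate")
    _, rsa_pub, _ = _read_tlv(bitstr[1:], 0)             # skip unused-bits octet
    modulus = next(_children(rsa_pub))[1]
    return int.from_bytes(modulus, "big").bit_length()


def meets_jvm_minimum(cert, minimum=MIN_RSA_BITS):
    """True when the key is long enough for the post's >= 2048 requirement."""
    return rsa_key_bits(cert) >= minimum


def _der(tag, content):
    """Encode one DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def build_sample_cert(bits):
    """CONSTRUCTED test fixture: a certificate-shaped DER blob whose only
    meaningful field is an RSA public key with a modulus of exactly `bits`
    bits. It is not a valid, signed certificate."""
    modulus = (1 << (bits - 1)) | 1
    mod_bytes = modulus.to_bytes((bits + 7) // 8, "big")
    if mod_bytes[0] & 0x80:
        mod_bytes = b"\x00" + mod_bytes                   # keep INTEGER positive
    rsa_pub = _der(0x30, _der(0x02, mod_bytes) + _der(0x02, b"\x01\x00\x01"))
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))
    empty = _der(0x30, b"")                              # placeholder fields
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))     # version v3
                     + _der(0x02, b"\x01")               # serialNumber
                     + empty + empty + empty + empty     # sig, issuer, validity, subject
                     + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))


def to_pem(der):
    """Wrap DER bytes in PEM armour, the form DCM exports certificates in."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

On a real exported certificate the same check is `openssl x509 -in cert.pem -noout -text`, whose output carries a "Public-Key: (N bit)" line; anything below 2048 there is the certificate the JVM is objecting to.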
--
James H. H. Lampert