DB Connect Certificates do not conform to algorithm constraints Error

splunkkitty — Fri, 22 Sep 2023 18:27:10 GMT

Insight on my problem below is appreciated!

I am using DB Connect to attempt to connect to a MSSQL database. When I Save/Edit the connection I get the following error from Splunkweb:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX

And the following (combination) error from splunk_app_db_connect_server.log and splunk_app_db_connect_audit_server.log:

com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:XXXXXXXXXXXXXXXXXX ........................... Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints check failed on signature algorithm: SHA1withRSA at java.base/sun.security.provider.certpath.AlgorithmChecker.check(AlgorithmChecker.java:237) at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1661) ... 99 common frames omitted Collapse

I have tried the following to resolve the problem with no luck:

Added the following to the DB Connect Task Server JVM Options:
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2"
Added the following parameters to the JDBC url:
encrypt=true;trustServerCertificate=true;
I have also installed and attempted to run the DB Connect troubleshooting tool (ran using the following command: python3 -m troubleshooting_tools.start)

|----|----|----|----|----| | DB Connect | | Troubleshooting Tools | |----|----|----|----|----| Which tool do you want to use? 1. Troubleshoot Starts 2. Services Status 3. Troubleshoot Connections 4. Troubleshoot Inputs : 3 Troubleshoot Connections Splunk URL: localhost Splunk management port: 8089 Splunk username (Default value is <admin>): admin admin Splunk password: ******** Connection name: MY_CONNECTION Connector path: %PATH_TO_CONNECTOR_JAR% JDBC path: %PATH_TO_JDBC_DRIVER_JAR%

Which leads to the following output

An error occurred while trying to get the connection with the name : MY_CONNECTION. Error message: Data must be padded to 16 byte boundary in CBC mode

In addition, here is some information regarding my environment:

OS Oracle Linux 9
Splunk Enterprise Splunk 9.1.0.2
- Splunk DB Connect 3.14.1
- Splunk DBX Add-on for Microsoft SQL Server JDBC 1.2.0
- Manually installed additional Microsoft JDBC Driver 12.4 for SQL Server driver mssql-jdbc-12.4.1.jre11.jar
JAVA openjdk 11.0.20

Re: DB Connect Certificates do not conform to algorithm constraints Error

Imadam — Wed, 22 Nov 2023 09:05:21 GMT

Hello,

I have the same problem. Anyone can help?

Re: DB Connect Certificates do not conform to algorithm constraints Error

splunkkitty — Wed, 22 Nov 2023 13:32:40 GMT

Here are my findings from a case I opened on this issue a while back. This fixed it for me.

Splunk verifies the TLS certificates using SHA-1 cryptography. The default policy on the Linux server needed to be updated to SHA-1.

update-crypto-policies --set DEFAULT:SHA1

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

Re: DB Connect Certificates do not conform to algorithm constraints Error

flakshack — Tue, 02 Jul 2024 18:25:11 GMT

Thank you for posting your solution. This was our problem after migration to RHEL9 and your solution fixed it.

topic DB Connect Certificates do not conform to algorithm constraints Error in All Apps and Add-ons

DB Connect Certificates do not conform to algorithm constraints Error

Re: DB Connect Certificates do not conform to algorithm constraints Error

Re: DB Connect Certificates do not conform to algorithm constraints Error

Re: DB Connect Certificates do not conform to algorithm constraints Error