We have an MS SQL connection that worked fine with RH7.

Once we upgraded to RH9 and the crypto policies=DEFAULT 
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9)

We are getting the following errors:

Failed to establish Database Connection: java.sql.SQLException: Cannot create 
PoolableConnectionFactory ("encrypt" property is set to "true" and 
"trustServerCertificate" property is set to "true" but the driver could not 
establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) 
encryption: Error: Certificates do not conform to algorithm constraints. 
ClientConnectionId:b844ea35-c351-43e7-8645-5c676d2b3cce)

From the log java trace got this at the end:
Caused by: java.security.cert.CertPathValidatorException: Algorithm constraints 
check failed on signature algorithm: SHA1withRSA

We have searched many areas and found similar issue: 
https://github.com/keycloak/keycloak/issues/19185

People are saying to put SHA1 back to /etc/crypto-policies/back-ends/java.config

When we set crypto policies = LEGACY, NiFi SQL connection worked again.
Meaning SHA1 is back.

We have set the following in NiFi:
nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Also verified the keystore/truststore that NiFi uses is SHA256.

The SQL driver we are using: mssql-jdbc-12.4.0.jre8.jar

Is there a way to find out where that SHA1withRSA is coming from?

Please advise,
Martin Fong
Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
Technology Services Division, Technology Infrastructure Services
City of Toronto
703 Don Mills Road, 2nd Floor
Toronto, ON
M3C 3N3
Tel:           416-397-7565
e-mail:     [email protected]

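Added example, not part of the original message or of the NiFi or mssql-jdbc projects. The `CertPathValidatorException` above is raised by the JDK's PKIX algorithm checker against the certificate chain the SQL Server presents inside the driver's TLS handshake; the NiFi keystore and the `nifi.web.https.*` properties govern NiFi's own HTTPS listener and are not consulted for an outbound JDBC connection. The script below therefore answers the "where does SHA1withRSA come from" question at the certificate level: it walks DER certificates with the standard library only, decodes each one's outer `signatureAlgorithm` OID, and flags entries that a `jdk.certpath.disabledAlgorithms` line containing `SHA1` (as the RHEL 9 DEFAULT policy does) would reject. The sample chain is constructed inline as a structural stand-in (minimal `tbsCertificate`, dummy signature), not a real certificate; the parser works unchanged on a PEM export of the real server chain.

```python
"""Report the signature algorithm of each certificate in a chain (stdlib only)."""
import base64
import re

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758, named as the JDK does.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "MD5withRSA",
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
    "1.2.840.10045.4.1": "SHA1withECDSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
    "1.2.840.10045.4.3.3": "SHA384withECDSA",
}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn OID content bytes into dotted notation (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the JDK-style name of a certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE { tbs, sigAlg, sig }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # skip tbsCertificate
    _, alg_id, _ = _read_tlv(cert, pos)    # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def pem_to_ders(text):
    """Extract every CERTIFICATE block from PEM text as DER bytes, in order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def find_disabled(ders, disabled=("MD2", "MD5", "SHA1")):
    """(index, algorithm) for each chain element whose signature uses a disabled hash.

    The name match mirrors how jdk.certpath.disabledAlgorithms entries such as
    'SHA1' apply to every algorithm containing that hash (e.g. SHA1withRSA).
    """
    hits = []
    for i, der in enumerate(ders):
        alg = signature_algorithm(der)
        if any(d.lower() in alg.lower() for d in disabled):
            hits.append((i, alg))
    return hits


# --- constructed sample chain: a structural stand-in, not a valid certificate ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def toy_certificate(sig_oid):
    """Minimal Certificate SEQUENCE with the given signature OID and a dummy signature."""
    alg = _der(0x30, _oid(sig_oid) + b"\x05\x00")                      # OID + NULL params
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                    # [0] version v3
                     + _der(0x02, b"\x01") + alg)                       # serial, signature
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\x00" * 16))   # + BIT STRING


if __name__ == "__main__":
    # Leaf signed with SHA-256, issuer cert signed with SHA-1: the typical offender.
    chain = [toy_certificate("1.2.840.113549.1.1.11"), toy_certificate("1.2.840.113549.1.1.5")]
    for i, der in enumerate(chain):
        print(f"cert[{i}] signatureAlgorithm = {signature_algorithm(der)}")
    print("rejected under a policy disabling SHA1:", find_disabled(chain))
```

To run it against the real chain, save the server's certificate(s) as PEM and call `find_disabled(pem_to_ders(open("chain.pem").read()))`; the index tells you whether the leaf or an issuing CA carries the SHA-1 signature. If exporting the chain is awkward, starting the JVM with `-Djavax.net.debug=ssl:handshake` prints the certificates the driver actually receives and which one the algorithm checker rejected, which is usually faster than reasoning about keystores on the client side.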