Martin,

Thanks for providing the detailed background.

Based on the error message and configuration, it sounds like the MS SQL server has a certificate signed with SHA-1. SHA-1 is not secure for cryptographic operations, so provisioning a new database server certificate and restoring the default Java security policy is highly recommended.

Regards,
David Handermann

On Wed, Aug 23, 2023 at 10:34 AM Martin Fong <[email protected]> wrote:
>
> We have an MS SQL connection that worked fine with RH7.
>
> Once we upgraded to RH9 and the crypto policies=DEFAULT
> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/considerations_in_adopting_rhel_9/assembly_security_considerations-in-adopting-rhel-9)
>
> We are getting the following errors:
>
> Failed to establish Database Connection: java.sql.SQLException: Cannot create
> PoolableConnectionFactory ("encrypt" property is set to "true" and
> "trustServerCertificate" property is set to "true" but the driver could not
> establish a secure connection to SQL Server by using Secure Sockets Layer
> (SSL) encryption: Error: Certificates do not conform to algorithm
> constraints. ClientConnectionId:b844ea35-c351-43e7-8645-5c676d2b3cce)
>
> From the log Java trace we got this at the end:
> Caused by: java.security.cert.CertPathValidatorException: Algorithm
> constraints check failed on signature algorithm: SHA1withRSA
>
> We have searched many areas and found a similar issue:
> https://github.com/keycloak/keycloak/issues/19185
>
> People are saying to put SHA1 back to
> /etc/crypto-policies/back-ends/java.config
>
> When we set crypto policies = LEGACY, the NiFi SQL connection worked again,
> meaning SHA1 is back.
>
> We have set the following in NiFi:
> nifi.web.https.ciphersuites.include=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>
> Also verified the keystore/truststore that NiFi uses is SHA256.
>
> The SQL driver we are using: mssql-jdbc-12.4.0.jre8.jar
>
> Is there a way to find out where that SHA1withRSA is coming from?
>
> Please advise,
> Martin Fong
> Enterprise Technical Support Specialist, Infrastructure & Platform (IAG)
> Technology Services Division, Technology Infrastructure Services
> City of Toronto
> 703 Don Mills Road, 2nd Floor
> Toronto, ON
> M3C 3N3
> Tel: 416-397-7565
> e-mail: [email protected]
>
> This e-mail message is confidential and subject to copyright. Any
> unauthorized use or disclosure is prohibited. If you have received this email
> and are not the intended recipient, please advise and delete it. Thank you.
>

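Martin's question of where the SHA1withRSA comes from is answered by reading the signatureAlgorithm field of each certificate the server presents. The following script is an added example, not code from this thread, NiFi, the JDBC driver or Red Hat: it walks the DER of every certificate in a PEM bundle with the standard library only and flags the ones a policy that disables SHA1 (as the RHEL 9 DEFAULT policy does) would reject. It assumes the bundle was exported from the server or a truststore (for example with `keytool -exportcert -rfc`); `sample_bundle()` builds constructed certificate-shaped blobs so the script runs offline.

```python
import base64
import re

# Common X.509 signature-algorithm OIDs (assumption: this short map suffices)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.10045.4.3.2": "SHA256withECDSA",
}
def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: low bits give the length's byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length
def _decode_oid(raw):
    """Convert OID content octets to dotted notation (first byte packs two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))
def signature_algorithm(der):
    """Certificate SEQUENCE -> skip tbsCertificate -> signatureAlgorithm -> OID."""
    _, pos, _ = _tlv(der, 0)              # enter the outer Certificate SEQUENCE
    _, _, pos = _tlv(der, pos)            # step over tbsCertificate entirely
    _, pos, _ = _tlv(der, pos)            # enter the AlgorithmIdentifier SEQUENCE
    _, start, end = _tlv(der, pos)        # its first element is the algorithm OID
    oid = _decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)         # unknown OIDs are reported raw
def audit_pem_bundle(pem_text, disabled=("MD5", "SHA1")):
    """Return [(algorithm, rejected)] per cert; rejected mirrors a policy disabling the given digests."""
    blobs = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blobs]
    return [(a, any(a.startswith(d) for d in disabled)) for a in algs]
_der = lambda tag, c: bytes([tag, len(c)]) + c   # tiny DER encoder (short lengths) for the sample
def sample_bundle():
    """Constructed sample: two certificate-shaped DER blobs, not real certificates."""
    pems = []
    for oid_hex in ("2a864886f70d010105", "2a864886f70d01010b"):   # sha1-/sha256-with-RSA
        alg_id = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + _der(0x05, b""))
        cert = _der(0x30, _der(0x30, _der(0x02, b"\x01")) + alg_id + _der(0x03, b"\x00"))
        pems.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----"
                    % base64.b64encode(cert).decode())
    return "\n".join(pems)
if __name__ == "__main__":
    for alg, rejected in audit_pem_bundle(sample_bundle()):
        print(alg, "REJECTED by SHA1-disabling policy" if rejected else "ok")
```

Run it against the chain exported from the SQL Server host to see which certificate (leaf or issuer) carries the SHA1withRSA signature; that is the one to replace rather than relaxing the policy.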