Skip to main content
Delphix

Validated Sync Fails after Updating Security Certificates in MSSQL dSource (KBA6292)

 

KBA

KBA# 6292

 

Issue

When using Delphix Engine 6.0.4.2 or earlier, SQL Server dSource operations may fail if a custom security certificate has been applied to the SQL Server instance, and a certificate in the certificate chain uses the RSASSA-PSS algorithm.

Affected dSource operations, including Linking, Validated Sync and Snapshots, will fail with the following error:

Error: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints". ClientConnectionId:2faebfbf-bf1f-48a2-90dc-217720c16786

This happens regardless of whether the Force Encryption flag is set for the instance in SQL Server Configuration Manager.

This error occurs because the versions of Java used in Delphix Engine 6.0.4.2 and earlier do not support the RSASSA-PSS signature algorithm.

Applicable Delphix Versions

Click here to view the versions of the Delphix engine to which this article applies
Major Release All Sub Releases
6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0

5.3

5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0

5.2

5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1

5.1

5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0

5.0

5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4

4.3

4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0

4.2

4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0 , 4.2.5.0, 4.2.5.1

4.1

4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0

Resolution

To resolve this issue, upgrade to Delphix Engine version 6.0.5.0 or later. These versions of the Delphix Engine use a newer version of the Java Development Kit (JDK), which supports the RSASSA-PSS algorithm.

If an upgrade is not possible, you may need to replace the certificate chain with certificates that are not signed using the RSASSA-PSS signature algorithm.

 

Related Articles

The following articles may provide more information or related information to this article: