Validated Sync Fails after Updating Security Certificates in MSSQL dSource (KBA6292)
KBA
KBA# 6292
Issue
When using Delphix Engine 6.0.4.2 or earlier, SQL Server dSource operations may fail if a custom security certificate has been applied to the SQL Server instance, and a certificate in the certificate chain uses the RSASSA-PSS algorithm.
Affected dSource operations, including Linking, Validated Sync and Snapshots, will fail with the following error:
Error: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates do not conform to algorithm constraints". ClientConnectionId:2faebfbf-bf1f-48a2-90dc-217720c16786
This happens regardless of whether the Force Encryption flag is set for the instance in SQL Server Configuration Manager.
This error occurs because the versions of Java used in Delphix Engine 6.0.4.2 and earlier do not support the RSASSA-PSS signature algorithm.
Applicable Delphix Versions
- Click here to view the versions of the Delphix engine to which this article applies
-
Major Release All Sub Releases 6.0 6.0.0.0, 6.0.1.0, 6.0.1.1, 6.0.2.0 5.3
5.3.0.0, 5.3.0.1, 5.3.0.2, 5.3.0.3, 5.3.1.0, 5.3.1.1, 5.3.1.2, 5.3.2.0, 5.3.3.0, 5.3.3.1, 5.3.4.0, 5.3.5.0 5.3.6.0, 5.3.7.0, 5.3.7.1, 5.3.8.0, 5.3.8.1, 5.3.9.0 5.2
5.2.2.0, 5.2.2.1, 5.2.3.0, 5.2.4.0, 5.2.5.0, 5.2.5.1, 5.2.6.0, 5.2.6.1
5.1
5.1.0.0, 5.1.1.0, 5.1.2.0, 5.1.3.0, 5.1.4.0, 5.1.5.0, 5.1.5.1, 5.1.6.0, 5.1.7.0, 5.1.8.0, 5.1.8.1, 5.1.9.0, 5.1.10.0
5.0
5.0.1.0, 5.0.1.1, 5.0.2.0, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.3.0, 5.0.3.1, 5.0.4.0, 5.0.4.1 ,5.0.5.0, 5.0.5.1, 5.0.5.2, 5.0.5.3, 5.0.5.4
4.3
4.3.1.0, 4.3.2.0, 4.3.2.1, 4.3.3.0, 4.3.4.0, 4.3.4.1, 4.3.5.0
4.2
4.2.0.0, 4.2.0.3, 4.2.1.0, 4.2.1.1, 4.2.2.0, 4.2.2.1, 4.2.3.0, 4.2.4.0 , 4.2.5.0, 4.2.5.1
4.1
4.1.0.0, 4.1.2.0, 4.1.3.0, 4.1.3.1, 4.1.3.2, 4.1.4.0, 4.1.5.0, 4.1.6.0
Resolution
To resolve this issue, upgrade to Delphix Engine version 6.0.5.0 or later. These versions of the Delphix Engine use a newer version of the Java Development Kit (JDK), which supports the RSASSA-PSS algorithm.
If an upgrade is not possible, you may need to replace the certificate chain with certificates that are not signed using the RSASSA-PSS signature algorithm.
Related Articles
The following articles may provide more information or related information to this article: