Summary
When you try to synchronize LDAP users with Deep Security, or after you change the certificate, the following error appears:
Error on Re-Synchronize
Unable to connect to the computer 'computer.name.fqdn' on port 636: SSL Handshake error
At the same time, the Deep Security Manager (DSM) main log located under \Deep Security Manager\Server0.log shows the following:
Nov 20, 2016 1:00:04 PM com.thirdbrigade.manager.core.scheduler.jobschedulers.jobs.UserSynchronizeJob onRun SEVERE: ThID:1227|TID:0|TNAME:Primary|UID:-1|UNAME:|Administrator Synchronize Job Failed: javax.naming.CommunicationException: simple bind failed: server.name.fqdn [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints]
Based on the log above, the certificate in use is otherwise valid but is signed with an RSASSA-PSS signature algorithm, which is what triggers the "Certificates does not conform to algorithm constraints" exception.
TLS, as a standard, defines no corresponding signature algorithm for RSASSA-PSS, so RSASSA-PSS certificates cannot be used with Deep Security, even though AD servers and a Windows CA may generate and use them.
Because RSASSA-PSS is not part of the TLS standard, it is treated as insecure and is unsupported in Deep Security.
To resolve the error:
- Generate a certificate for Deep Security using a TLS-compatible signature algorithm such as SHA256 or SHA512 with RSA (PKCS#1 v1.5 signatures rather than PSS).
- Rebuild the CA with the new signature algorithm. This is necessary because the signature algorithm is a base setting of the CA.
- Renew all the published certificates for the system.
Alternatively, you may consider a self-signed certificate for your Active Directory only.
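To confirm which signature algorithm the LDAPS server actually presents on port 636, before and after reissuing the certificate, the following added example (not part of this article or of Deep Security) reads the outer signatureAlgorithm OID straight from the DER certificate and compares it with id-RSASSA-PSS. The function names, the host to query and the constructed certificate-shaped sample DER are assumptions of this example.

```python
"""Check whether an LDAPS server certificate is signed with RSASSA-PSS (stdlib only)."""
import socket
import ssl

RSASSA_PSS_OID = "1.2.840.113549.1.1.10"  # id-RSASSA-PSS; sha256WithRSAEncryption ends in .11
PSS_OID_DER = bytes.fromhex("2a864886f70d01010a")         # DER content bytes of the OID above
SHA256_RSA_OID_DER = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11

def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER Certificate."""
    tag, pos, _ = _read_tlv(der, 0)                   # Certificate SEQUENCE
    _, _, tbs_end = _read_tlv(der, pos)               # tbsCertificate, skipped
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x30 or alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("not a DER certificate with a signatureAlgorithm OID")
    return _decode_oid(der[oid_start:oid_end])

def fetch_ldaps_cert(host, port=636):  # inspection only: no trust decision is made here
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def sample_certificate(sig_oid_der):
    """Constructed certificate-shaped DER, not a real certificate, to exercise the walk."""
    def tlv(tag, body):  # short-form DER TLV encoder (body < 128 bytes)
        return bytes([tag, len(body)]) + body
    tbs = tlv(0x30, tlv(0x02, b"\x01"))              # dummy tbsCertificate
    alg = tlv(0x30, tlv(0x06, sig_oid_der))           # signatureAlgorithm { OID }
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\xaa"))
```

Against a live domain controller, `signature_algorithm_oid(fetch_ldaps_cert("server.name.fqdn")) == RSASSA_PSS_OID` reproduces the condition behind the DSM error, and should become false once the CA and certificate have been reissued with an RSA PKCS#1 v1.5 algorithm.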