Issues caused by cryptographic service provider IAIK – unexpected failure of database ping

ImageMaster uses the cryptographic service provider “IAIK” (also see Third-party drivers and libraries). Secure connections can be denied if this internal component assesses the underlying certificates as too weak. The example error message below shows such a case: the connection to an MS SQL database is denied, and the database ping command in the administration console of the application server fails:

Ping Connection Pool failed for IS_DB_POOL. Connection could not be allocated because: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "java.security.cert.CertificateException: Certificates does not conform to algorithm constraints". ClientConnectionId:a94847eb-c787-40f8-86eb-b17a7a68569e Check the server.log for more details.

This can lead to a scenario that seems confusing:

Before the ImageMaster EAR file is deployed, the IAIK provider is not active; the default Java implementation is used instead, which is less strict about security than IAIK. As a consequence, connections can appear to work before the deployment but fail after the ImageMaster EAR file has been deployed.

In the case above, a database ping to an MS SQL database succeeded before the deployment of ImageMaster but failed after the ImageMaster EAR file was deployed.

To analyze such errors with more detailed log messages, use the Java SSL debug option “-Djavax.net.debug=ssl” (also see Optional or conditional settings: system settings).

Once IAIK is active (through the deployment of ImageMaster), it affects all communication channels in the JVM of the application server. IAIK can only be deactivated by first undeploying ImageMaster and then restarting the application server.
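
To check whether a certificate is a likely candidate for the rejection described above, the following added example (not part of ImageMaster or its documentation) lists the security providers of the JVM it runs in, prints the algorithm constraints of the default Java implementation, and reports signature algorithm and key size for each certificate in an exported chain. The class name and the "REVIEW" thresholds are assumptions for illustration; the limits that IAIK enforces are not stated here, and IAIK appears in the provider list only when the code runs inside the JVM of the application server.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Provider;
import java.security.PublicKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;

public class CertStrengthCheck { // hypothetical name, added example
    // Key size in bits for RSA and EC public keys, -1 for other key types.
    static int keyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) return ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof ECPublicKey) return ((ECPublicKey) key).getParams().getOrder().bitLength();
        return -1;
    }

    // Assumed, illustrative thresholds; not the actual policy of IAIK.
    static boolean looksWeak(X509Certificate cert) {
        String sig = cert.getSigAlgName().toUpperCase();
        int bits = keyBits(cert.getPublicKey());
        boolean weakHash = sig.startsWith("MD2") || sig.startsWith("MD5") || sig.startsWith("SHA1");
        boolean ec = cert.getPublicKey() instanceof ECPublicKey;
        return weakHash || (bits != -1 && bits < (ec ? 224 : 2048));
    }

    public static void main(String[] args) throws Exception {
        // Providers in precedence order, for the JVM this code runs in.
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++)
            System.out.printf("provider %d: %s (%s)%n", i + 1, providers[i].getName(), providers[i].getInfo());
        // Algorithm constraints configured for the default Java implementation.
        for (String p : new String[] {"jdk.certpath.disabledAlgorithms", "jdk.tls.disabledAlgorithms"})
            System.out.println(p + " = " + Security.getProperty(p));
        if (args.length == 0) return;
        // args[0]: PEM or DER file holding the certificate chain exported from the database server.
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                System.out.printf("%s | sig=%s | key=%s %d bits | %s%n", x.getSubjectX500Principal().getName(),
                        x.getSigAlgName(), x.getPublicKey().getAlgorithm(), keyBits(x.getPublicKey()),
                        looksWeak(x) ? "REVIEW" : "ok");
            }
        }
    }
}
```

Certificates marked REVIEW (for example, a SHA-1 signature or a short RSA key) are the first ones to compare against the detailed messages produced by the SSL debug option.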