KB Article #177934
MD5withRSA signed certificates are not trusted
Problem
After applying Patch 5 on SecureTransport 5.3.1, certificates signed with the MD5withRSA signature algorithm are no longer trusted and fail validation with a "Not chained to a trusted root" error. The cause is the JRE delivered with the patch: its java.security file lists MD5 in jdk.certpath.disabledAlgorithms and MD5withRSA in jdk.tls.disabledAlgorithms (see the alternative option below), so any chain that contains an MD5-signed certificate is rejected.
If a certificate of this type is used for ST streaming (the communication between the TM service and other ST servers), streaming stops working, which in effect renders the TM service unusable.
Resolution
To resolve the problem, use one of the following options.
Recommended Option
Generate a new certificate signed with the SHA1withRSA signature algorithm and configure it for the streaming communication. The certificate can be generated in the Admin UI, under Setup → Certificates → Local Certificates. Note that SHA-1 is itself deprecated for certificate signatures; if the Admin UI offers a SHA-2 algorithm such as SHA256withRSA, prefer it.
Re-configure the streaming configuration if needed.
Alternative Option
This option is not recommended: MD5 was disabled because collisions against it are practical, which makes forged MD5-signed certificates possible, and the change below is overwritten by installing a patch or upgrading ST to a higher version.
If you use it anyway, re-enable the MD5withRSA signature algorithm on all ST servers and ST Edges participating in the streaming configuration by following the steps below on each of them.
Make a backup of the $FILEDRIVEHOME/jre/lib/security/java.security file.
Open the file and change the following two properties. Remove only the MD5 entry from jdk.certpath.disabledAlgorithms and the MD5withRSA entry from jdk.tls.disabledAlgorithms; leave the other entries in place.
From
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
To
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
and
From
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
To
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
Restart all ST services so that the JRE reloads the modified java.security file.
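As an added example (not part of the KB article and not Axway's own tooling), the following POSIX shell script performs the alternative option's edit safely: it takes a timestamped backup, removes only the MD5 entry from jdk.certpath.disabledAlgorithms and the MD5withRSA entry from jdk.tls.disabledAlgorithms by comparing whole comma-separated entries (so the MD5 edit can never clip MD5withRSA), leaves every other entry untouched, and is a no-op on a file that has already been edited. The cert_sig_alg helper uses openssl to show which certificate in a chain is MD5-signed. The function names, the constructed sample file and the assumption that both properties sit on a single line (as quoted in the article, with no backslash continuation) are the example's own.

```shell
#!/bin/sh
# Added example (not from the Axway KB article): applies the "alternative option"
# edits to a java.security file with a timestamped backup, removing only the MD5
# and MD5withRSA entries and leaving the other disabled algorithms in place.
# Assumptions: the two properties are single-line (no backslash continuations,
# as in the article) and the host has POSIX sh, awk, grep and openssl.

# remove_token FILE KEY TOKEN
# Rewrite the line "KEY=a, b, c" in FILE without the entry equal to TOKEN.
# Entries are compared whole, so dropping "MD5" never touches "MD5withRSA".
remove_token() {
    file=$1 key=$2 token=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v tok="$token" '
        index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), parts, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                if (p == tok || p == "") continue
                out = (out == "") ? p : (out ", " p)
            }
            print key "=" out
            next
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back over the original so its ownership and mode are preserved.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# has_token FILE KEY TOKEN: exit 0 if the KEY= line still lists TOKEN, 1 otherwise.
has_token() {
    awk -v key="$2" -v tok="$3" '
        index($0, key "=") == 1 {
            n = split(substr($0, length(key) + 2), parts, ",")
            for (i = 1; i <= n; i++) {
                p = parts[i]
                gsub(/^[ \t]+|[ \t]+$/, "", p)
                if (p == tok) found = 1
            }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# reenable_md5withrsa FILE: back up FILE, then apply the two edits from the article.
# On an ST server FILE is $FILEDRIVEHOME/jre/lib/security/java.security.
# Sets backup_path to the backup that was written; does nothing if already applied.
reenable_md5withrsa() {
    sec=$1
    [ -f "$sec" ] || { echo "no such file: $sec" >&2; return 1; }
    if ! has_token "$sec" jdk.certpath.disabledAlgorithms MD5 &&
       ! has_token "$sec" jdk.tls.disabledAlgorithms MD5withRSA; then
        echo "MD5withRSA already enabled in $sec, nothing to do" >&2
        return 0
    fi
    backup_path="$sec.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$sec" "$backup_path" || return 1
    remove_token "$sec" jdk.certpath.disabledAlgorithms MD5 &&
    remove_token "$sec" jdk.tls.disabledAlgorithms MD5withRSA
}

# cert_sig_alg CERT_PEM: print the signature algorithm of a PEM certificate
# (e.g. "md5WithRSAEncryption") to find which certificate in the chain trips the check.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Constructed sample (not a real ST java.security): the two lines the article
# quotes plus an unrelated property that must survive untouched.
demo_file="$(mktemp -d)/java.security"
cat > "$demo_file" <<'EOF'
securerandom.source=file:/dev/random
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
EOF
reenable_md5withrsa "$demo_file"
cat "$demo_file"
# Expected result:
#   securerandom.source=file:/dev/random
#   jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
#   jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 768
```

Run it as the ST service user against $FILEDRIVEHOME/jre/lib/security/java.security on every server and Edge in the streaming configuration, then restart the ST services; because patches and upgrades replace the file, the edit has to be re-applied after each of them, which is exactly why the recommended option is to replace the certificate instead.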