SSL Handshake failure using IDz with IBM security provider IBMCAC
Article ID: 144520
Products
Endevor
Endevor - ECLIPSE Plugin
Issue/Introduction
With IDz 14.1.5 and the Endevor Eclipse UI plugin 18.1.4, creating a repository using SSL produces the following error in Endevor Tomcat:

    EWS0422E Communication Error, CciWebsapi internal code : "-2000" "getConnection() Error"
    EWS0422E PRC="8" SRC="23" DRC="-1493172224"
    EWS0422E Jobname="" ServerId=" "
    EWS0422E CCIMES="SPAWN SERVICE UNAVAILABLE "

After adding the -Djavax.net.debug=ssl JVM option to WSTOMENV, the Tomcat log shows a handshake_failure:

    https-jsse-nio-1857-exec-8, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
    javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
    https-jsse-nio-1857-exec-8, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    https-jsse-nio-1857-exec-8, WRITE: TLSv1.2 Alert, length = 2
    https-jsse-nio-1857-exec-8, fatal: engine already closed. Rethrowing javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
Environment
Release : 18.0.12
Component : CA Endevor Software Change Manager
Cause
Endevor Tomcat is configured to use TLS 1.2 only:

    <Connector port="XXXX" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               keystoreType="JCERACFKS"
               keystoreFile="safkeyring://keyringowner/keyring"
               sslImplementationName="com.ca.sslsocket.CASSLImplementation" />

IDz start-up command:

    C:\Users\a587531\IBM\SDPV14.1.7\eclipse.exe -product com.ibm.rational.developer.systemz.product.ide -vmargs -DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC -Djavax.net.ssl.trustStoreprovider=IBMCAC -Djavax.net.ssl.trustStoreType=Windows-ROOT

This command uses the IBM security provider (IBMCAC), which somehow causes the JVM/JSSE default protocol setting to become TLS 1.0. The client therefore requests TLSv1, which the TLS 1.2-only connector rejects.
Resolution
Option 1: Add the VM parameter -Dhttps.protocols=TLSv1.2 and remove -Djavax.net.ssl.trustStoreprovider=IBMCAC from the IDz start-up command:

    C:\Users\a587531\IBM\SDPV14.1.7\eclipse.exe -product com.ibm.rational.developer.systemz.product.ide -vmargs -DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC -Djavax.net.ssl.trustStoreType=Windows-ROOT -Dhttps.protocols=TLSv1.2

Option 2: Add the parameter --launcher.appendVmargs before the -vmargs parameter in the IDz start-up, and modify eclipse.ini (remove -Djavax.net.ssl.trustStoreprovider=IBMCAC, add -Dhttps.protocols=TLSv1.2).

Sample eclipse.ini:

    -vm
    jdk/jre/bin/j9vm/jvm.dll
    -startup
    plugins/org.eclipse.equinox.launcher_1.3.201.v20161025-1711.jar
    --launcher.library
    plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.401.v20161122-1740
    --launcher.appendVmargs
    -install
    C:/Program Files/CA/DEz
    -vmargs
    -Dhttps.protocols=TLSv1.2
    -Djavax.net.debug=all
    -Djavax.net.ssl.trustStoreType=Windows-MY
    -DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC
    -Xquickstart
    -Xms40m
    -Xmx1024m
    -Xmnx64m
    -Xgcpolicy:gencon
    -Xscmx96m
    -Xshareclasses:name=IBMSDP_%u
    -Xcompressedrefs
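
The following check is an added example, not part of the original article or of any Broadcom or IBM tooling. It works out which VM arguments the JVM actually receives from eclipse.ini plus the start-up command, then reports which of the two changes above are still outstanding. It relies on the Eclipse launcher rule that command-line -vmargs replace those in the ini unless --launcher.appendVmargs is present; the function names, the C:\IDz path and the sample inputs are constructed for illustration.

```python
import shlex

# Constructed inputs: C:\IDz is a placeholder path, not the article's.
INI_FIXED = """--launcher.appendVmargs
-vmargs
-Dhttps.protocols=TLSv1.2
-Xmx1024m
"""
CMD_FAILING = (r"C:\IDz\eclipse.exe -vmargs "
               "-DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC "
               "-Djavax.net.ssl.trustStoreprovider=IBMCAC "
               "-Djavax.net.ssl.trustStoreType=Windows-ROOT")

def split_vmargs(tokens):
    """Split launcher tokens into (launcher args, VM args) at -vmargs."""
    if "-vmargs" in tokens:
        i = tokens.index("-vmargs")
        return tokens[:i], tokens[i + 1:]
    return tokens, []

def effective_vmargs(ini_text, command_line):
    """VM args the JVM actually receives. Command-line -vmargs replace the
    ini's unless --launcher.appendVmargs is present (Eclipse launcher rule)."""
    ini = [s.strip() for s in ini_text.splitlines()]
    ini = [s for s in ini if s and not s.startswith("#")]
    ini_args, ini_vm = split_vmargs(ini)
    cmd_args, cmd_vm = split_vmargs(shlex.split(command_line, posix=False)[1:])
    if not cmd_vm:
        return ini_vm
    append = "--launcher.appendVmargs" in ini_args + cmd_args
    return ini_vm + cmd_vm if append else cmd_vm

def audit(vmargs):
    """Findings for the two settings the resolution changes."""
    props = {}
    for arg in vmargs:
        if arg.startswith("-D"):
            key, _, value = arg[2:].partition("=")
            props[key.lower()] = value  # lowercased: article writes trustStoreprovider
    findings = []
    if props.get("javax.net.ssl.truststoreprovider") == "IBMCAC":
        findings.append("remove -Djavax.net.ssl.trustStoreprovider=IBMCAC")
    if props.get("https.protocols") != "TLSv1.2":
        findings.append("add -Dhttps.protocols=TLSv1.2")
    return findings

if __name__ == "__main__":
    print(audit(effective_vmargs(INI_FIXED, CMD_FAILING)))
```

With the corrected ini and the original failing command, the provider flag is still reported because the command-line arguments are appended to the ini's; without --launcher.appendVmargs the ini's -Dhttps.protocols=TLSv1.2 is dropped and both findings appear.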