SSL Handshake failure using IDz with IBM security provider IBMCAC

book

Article ID: 144520

calendar_today

Updated On:

Products

CA Endevor Software Change Manager (SCM) CA Endevor Software Change Manager - ECLIPSE Plugin (SCM)

Issue/Introduction

IDz 14.1.5 with Endevor Eclipse UI plugin 18.1.4, create repository using SSL, get the following error in Endevor Tomcat: 

EWS0422E  Communication Error, CciWebsapi internal code : "-2000" "getConnection() Error"
EWS0422E  PRC="8" SRC="23" DRC="-1493172224"
EWS0422E  Jobname="" ServerId="                                "
EWS0422E  CCIMES="SPAWN SERVICE UNAVAILABLE               "

After adding -Djavax.net.debug=ssl JVM option to WSTOMENV, Tomcat log shows handshake_failure: 

 https-jsse-nio-1857-exec-8, fatal error: 40: Client requested protocol TLSv1 not enabled or not supported
 javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
 https-jsse-nio-1857-exec-8, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
 https-jsse-nio-1857-exec-8, WRITE: TLSv1.2 Alert, length = 2
 https-jsse-nio-1857-exec-8, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported

Cause

Endevot Tomcat is configired to use TLS1.2 only:

      <Connector port="1857" protocol="HTTP/1.1" SSLEnabled="true"
                     maxThreads="150" scheme="https" secure="true"
                     clientAuth="false" sslProtocol="TLS"
                     sslEnabledProtocols="TLSv1.2"
                     keystoreType="JCERACFKS"
                     keystoreFile="safkeyring://NV#TST/RINGDVPNV"
            sslImplementationName="com.ca.sslsocket.CASSLImplementation" />

IDz start up command:

C:\Users\a587531\IBM\SDPV14.1.7\eclipse.exe -product com.ibm.rational.developer.systemz.product.ide -vmargs -DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC -Djavax.net.ssl.trustStoreprovider=IBMCAC -Djavax.net.ssl.trustStoreType=Windows-ROOT

This command use IBM security provider (IBMCAC) and somehow cause JVM/JSSEs default setting to TLS1.0.

Environment

Release : 18.0.12

Component : CA Endevor Software Change Manager

Resolution

Option 1:
Add vm paramter -Dhttps.protocols=TLSv1.2 and remove the -Djavax.net.ssl.trustStoreprovider=IBMCAC from IDz start up command: 
C:\Users\a587531\IBM\SDPV14.1.7\eclipse.exe -product com.ibm.rational.developer.systemz.product.ide -vmargs -DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC -Djavax.net.ssl.trustStoreType=Windows-ROOT -Dhttps.protocols=TLSv1.2

Option 2:
Add paramter --launcher.appendVmargs before -vmargs parameter in IDz start up, and modify eclipse.ini (remove
-Djavax.net.ssl.trustStoreprovider=IBMCAC, add -Dhttps.protocols=TLSv1.2)

sample eclipse.ini: 
-vm
jdk/jre/bin/j9vm/jvm.dll
-startup
plugins/org.eclipse.equinox.launcher_1.3.201.v20161025-1711.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.401.v20161122-1740
--launcher.appendVmargs
-install
C:/Program Files/CA/DEz
-vmargs
-Dhttps.protocols=TLSv1.2
-Djavax.net.debug=all
-Djavax.net.ssl.trustStoreType=Windows-MY
-DrdzCryptoProviderClass=com.ibm.security.capi.IBMCAC
-Xquickstart
-Xms40m
-Xmx1024m
-Xmnx64m
-Xgcpolicy:gencon
-Xscmx96m
-Xshareclasses:name=IBMSDP_%u
-Xcompressedrefs