APM: AssetViewer authentication error with TLS 1.2 protocols enabled

Article ID: 144978

Updated On:

Products

CA IT Asset Manager, Asset Portfolio Management, CA Software Asset Manager (CA SAM), ASSET PORTFOLIO MGMT- SERVER

Issue/Introduction

AssetViewer does not display data within APM and reports an SSL authentication error.

ams.log may contain a message such as:
ERROR LogWriter 40 com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SQL Server did not return a response. The connection has been closed.

This issue is specific to ITAM 17.1.

Cause

The issue is due to the OS that is hosting SQL Server having been hardened for TLS 1.2 per the following update:

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server 

The AMS release provided in ITAM 17.1 uses JRE 1.8, build 1.8.0-b132, which does not appear to support TLS 1.2. The issue was reproduced after installing the SCHANNEL registry settings, which enabled TLS 1.2, disabled TLS 1.0, and introduced various cipher key settings.

See also the attached file which contains a series of registry changes that enable/disable various TLS protocols.
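
To confirm whether the SQL Server host is in the hardened state described above, the SCHANNEL protocol keys can be read back and summarised. The script below is an added example, not part of the original article or its attachment; it assumes the standard Windows SCHANNEL registry location and the usual Enabled / DisabledByDefault value names.

```powershell
# Added example: report the SCHANNEL protocol state on the host running SQL Server.
# Assumption: standard SCHANNEL registry layout. The paths are not copied from the
# attached Schannel.txt, whose contents are not shown in the article.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Server', 'Client'

$report = foreach ($protocol in $protocols) {
    foreach ($role in $roles) {
        $key = Join-Path (Join-Path $base $protocol) $role
        $enabled = $null
        $disabledByDefault = $null
        if (Test-Path -LiteralPath $key) {
            $props = Get-ItemProperty -LiteralPath $key
            $enabled = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault
        }
        # A missing key or value means no override is set and the OS default applies.
        $state = if ($null -eq $enabled) { 'OS default' } elseif ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        [pscustomobject]@{
            Protocol          = $protocol
            Role              = $role
            State             = $state
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
        }
    }
}

$report | Format-Table -AutoSize

# The condition from the Cause section: TLS 1.0 turned off for inbound connections,
# so a client such as AMS has to negotiate a newer protocol with SQL Server.
$tls10Server = $report | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Role -eq 'Server' }
if ($tls10Server.State -eq 'Disabled') {
    Write-Output 'TLS 1.0 is disabled for the Server role on this host.'
}
```

Run it in an elevated PowerShell session on the server that hosts SQL Server; a State of "OS default" means no registry override is present for that protocol and role.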

Environment

Release : 17.1

Component : CA Asset Portfolio Management

Resolution

The issue does not occur in a 17.2-based environment because AMS uses a different JRE build there, i.e.:

java version "11.0.1" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)

Attachments

1581534044203__Schannel.txt