Websphere agent 21.4 unable to connect to cloud proxy due to cipher error - 21.6 works

book

Article ID: 223693

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope) DX APM SaaS CA Application Performance Management Agent (APM / Wily / Introscope) DX Application Performance Management

Issue/Introduction

Using WAS 8.5.5. on IBM JVM 1.8_181 with 21.4 Java agent.

This is failing to connect to the Cloud Proxy (via LBAS load balancer) due to a cipher issue

9/09/21 05:16:28 AM BST [VERBOSE] [IntroscopeAgent.ConnectionThread] Attempting to connect to Introscope Enterprise Manager dx-apm-proxy-mydomian.net:443,com.wily.isengard.postofficehub.link.net.HttpsTunnelingSocketFactory (4).
9/09/21 05:16:28 AM BST [WARN] [IntroscopeAgent.CommonsHttpTunnelingClient] connectBinary failed to perform SSL handshake: Received fatal alert: handshake_failure
...

 

When using a 21.6 agent it works - what is different about 21.6 and can the change be adapted for 21.4 

 

 

 

 

Cause

21.4 agent lists the ciphers supported and then sets 

9/09/21 05:15:57 AM BST [INFO] [IntroscopeAgent.Agent] Setting SSL socket ciphers to: [SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256]

however this cipher is not supported by the intermediate load balancer

21.6 agent instead sets 

9/10/21 01:24:21 PM BST [INFO] [IntroscopeAgent.Agent] Setting SSL socket ciphers to: []

Environment

Release : 21.4

Component : Agent

Resolution

Forcing the agent to use a specific cipher supported by both agent JVM and the remote endpoint via an agent property addressed the problem

agentManager.cipherSuites.1=SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

Additional Information

setting agentManager.cipherSuites.1= did not help with 21.4 agent even though 21.6 was effectively doing this