Persistent error every 5s after upgrade 10.1 - The size of the handshake message (64559) exceeds the maximum allowed size (32768)

Article ID: 225509

Products

CA API Gateway

Issue/Introduction

After the upgrade to API Gateway 10.1 we get a persistent error every 5 seconds in the spcc logs:

2021-09-15T09:34:47.379+0200 INFO    1 com.l7tech.server.processcontroller.ProcessController: Getting API port from /opt/SecureSpan/Gateway/node/default/var/processControllerPort
2021-09-15T09:34:47.413+0200 WARNING 1 com.l7tech.server.processcontroller.p: default may still be starting, but API is throwing unexpected exceptions
javax.xml.ws.WebServiceException: Could not send Message.
 at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:183)
 ....
Caused by: javax.net.ssl.SSLProtocolException: SSLProtocolException invoking https://localhost:2124/ssg/services/processControllerNodeApi: The size of the handshake message (64559) exceeds the maximum allowed size (32768)
 at java.base/jdk.internal.reflect.GeneratedConstructorAccessor61.newInstance(Unknown Source

Cause

A change in Java version 1.8.0_271 introduced a limit on the size of TLS handshake messages. The default of 32768 bytes is normally sufficient, but if the certificate store contains many certificates with "signing client certificates" enabled, the value will be too low, because each such certificate is listed as an acceptable CA in the handshake message that requests a client certificate, so that message grows with the number of certificates.

Environment

Release : 10.1

Component :

Resolution

To increase the maxHandshakeMessageSize, add the following line to the startup script of the process controller.

cd /opt/SecureSpan/Controller/bin

chmod 755 processcontroller.sh

vi processcontroller.sh

add the following line

PC_JAVAOPT="${PC_JAVAOPT} -Djdk.tls.maxHandshakeMessageSize=65536"

after the lines

ADD_OPENS="--add-opens=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED"
PC_JAVAOPT="${ADD_OPENS} -Djava.security.egd=file:/dev/./urandom"

Save the file and reboot the server.

The value for jdk.tls.maxHandshakeMessageSize must be greater than the handshake message size reported in the error message (64559 in the example above).

Restart the gateway process.
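As an added check that is not part of the original article, the following POSIX shell snippet extracts the handshake size reported in the log and the jdk.tls.maxHandshakeMessageSize value configured in processcontroller.sh, and confirms that the configured limit is greater. The log excerpt and script fragments below are constructed sample data; on a real system you would feed in the actual log and startup script.

```shell
#!/bin/sh
# Constructed sample data (not taken from a real system).
SAMPLE_LOG='2021-09-15T09:34:47.413+0200 WARNING 1 com.l7tech.server.processcontroller.p: default may still be starting, but API is throwing unexpected exceptions
Caused by: javax.net.ssl.SSLProtocolException: SSLProtocolException invoking https://localhost:2124/ssg/services/processControllerNodeApi: The size of the handshake message (64559) exceeds the maximum allowed size (32768)'

# processcontroller.sh fragment before the fix (option absent).
SAMPLE_SCRIPT_BEFORE='ADD_OPENS="--add-opens=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED"
PC_JAVAOPT="${ADD_OPENS} -Djava.security.egd=file:/dev/./urandom"'

# processcontroller.sh fragment after the fix.
SAMPLE_SCRIPT_AFTER='ADD_OPENS="--add-opens=jdk.crypto.ec/sun.security.ec=ALL-UNNAMED"
PC_JAVAOPT="${ADD_OPENS} -Djava.security.egd=file:/dev/./urandom"
PC_JAVAOPT="${PC_JAVAOPT} -Djdk.tls.maxHandshakeMessageSize=65536"'

# Largest handshake size reported in the log text read from stdin
# (prints nothing if the error never occurs).
reported_handshake_size() {
  sed -n 's/.*size of the handshake message (\([0-9]*\)).*/\1/p' | sort -n | tail -n 1
}

# Value of -Djdk.tls.maxHandshakeMessageSize in the script text read from
# stdin; falls back to the JDK default of 32768 when the option is absent.
configured_max_size() {
  v=$(sed -n 's/.*-Djdk\.tls\.maxHandshakeMessageSize=\([0-9]*\).*/\1/p' | tail -n 1)
  echo "${v:-32768}"
}

# Returns 0 when the configured limit is strictly greater than every
# handshake size seen in the log, 1 otherwise.  $1 = log text, $2 = script text.
limit_is_sufficient() {
  need=$(printf '%s\n' "$1" | reported_handshake_size)
  have=$(printf '%s\n' "$2" | configured_max_size)
  echo "reported=${need:-0} configured=$have"
  [ "${need:-0}" -lt "$have" ]
}

if limit_is_sufficient "$SAMPLE_LOG" "$SAMPLE_SCRIPT_AFTER"; then
  echo "limit OK"
else
  echo "limit too low: raise -Djdk.tls.maxHandshakeMessageSize"
fi
```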