Gateway set CWP security.fips.enabled blocks TLS connection to MySQL ssg Database

Article ID: 255964

Products

CA API Gateway

Issue/Introduction

We are using Software Install on RHEL 7.

We are working on an upgrade to 10.1 CR2. Enabling the CWP (cluster-wide property) security.fips.enabled=true seems to block the connection to the MySQL ssg database. We are able to run the install, then run the CR2 patch, then install our policy bundles and CWPs. This sets security.fips.enabled to true. When we restart, the Gateway comes up, but when we try to connect with Policy Manager, the requests to the database do not work:

2022-12-07T12:26:49.991-0500 WARN    171 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: SQL Error: 0, SQLState: null
2022-12-07T12:26:49.992-0500 ERROR   171 org.hibernate.engine.jdbc.spi.SqlExceptionHelper: Connections could not be acquired from the underlying database! 

The following parameter is set in node.properties:

l7.mysql.url.parameters.extra=&useSSL=true&requireSSL=true&verifyServerCertificate=false&enabledTLSProtocols=TLSv1.2

Environment

Release : 10.1

Resolution

Add the following line to /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties:

jdk.tls.namedGroups=secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192

Then restart the Gateway.
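
One way to apply the Resolution repeatably across nodes, added here as an example and not a vendor-supplied script. The function name set_named_groups and the .bak backup file are assumptions, and the first group is written secp256r1, the curve name the JDK recognizes.

```shell
#!/bin/sh
# Added example: idempotently set jdk.tls.namedGroups in a Gateway
# system.properties file. Function name and .bak backup are assumptions.

# Group list from the Resolution (first entry spelled secp256r1).
NAMED_GROUPS='secp256r1, secp384r1, secp521r1, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192'

set_named_groups() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    want="jdk.tls.namedGroups=$NAMED_GROUPS"
    # Matches any existing definition, including "key : value" or indented forms.
    pat='^[[:space:]]*jdk\.tls\.namedGroups[[:space:]]*[=:]'

    # Exactly one definition and it is already the wanted line: leave the file alone.
    if [ "$(grep -c "$pat" "$file")" = 1 ] && grep -qxF "$want" "$file"; then
        return 0
    fi

    # Keep a copy so the previous TLS settings can be restored.
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1

    # Drop stale or duplicated definitions (Java keeps only the last one,
    # which hides typos), then append the single wanted line.
    grep -v "$pat" "$file.bak" > "$tmp" || [ $? -eq 1 ]
    printf '%s\n' "$want" >> "$tmp"

    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Run against a file only when a path is given on the command line, e.g.
#   sh set_named_groups.sh /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
# The Gateway must still be restarted afterwards, as the Resolution states.
if [ "$#" -gt 0 ]; then
    set_named_groups "$1"
fi
```
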