Policy Manager 10.1
CA Gateway 10.1
The customer encounters the error below when trying to connect to the Policy Manager.
WARNING: Could not connect to admin service server
org.springframework.remoting.RemoteAccessException: Could not access HTTP invoker remote service at [https://securespangateway/ssg/manager/AdminLogin]; nested exception is javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.convertHttpInvokerAccessException(HttpInvokerClientInterceptor.java:234)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:160)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
    at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
    at com.sun.proxy.$Proxy6.getServerCertificateVerificationInfo(Unknown Source)
    at com.l7tech.console.security.d.call(Unknown Source)
    at com.l7tech.gateway.common.spring.remoting.http.SecureHttpComponentsHttpInvokerRequestExecutor.doWithSession(Unknown Source)
    at com.l7tech.console.security.c.call(Unknown Source)
    at com.l7tech.gateway.common.spring.remoting.http.SecureHttpComponentsHttpInvokerRequestExecutor.doWithTrustFailureHandler(Unknown Source)
    at com.l7tech.console.security.SecurityProviderImpl.a(Unknown Source)
    at com.l7tech.console.security.SecurityProviderImpl.login(Unknown Source)
    at com.l7tech.console.panels.by.construct(Unknown Source)
    at com.l7tech.gui.util.au.run(Unknown Source)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
    at java.base/sun.security.ssl.SSLSocketImpl.handleEOF(SSLSocketImpl.java:1696)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1514)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1416)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456)
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:921)
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1291)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flushBuffer(AbstractSessionOutputBuffer.java:147)
    at org.apache.http.impl.io.AbstractSessionOutputBuffer.flush(AbstractSessionOutputBuffer.java:154)
    at org.apache.http.impl.AbstractHttpClientConnection.doFlush(AbstractHttpClientConnection.java:278)
    at org.apache.http.impl.AbstractHttpClientConnection.flush(AbstractHttpClientConnection.java:283)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.flush(ManagedClientConnectionImpl.java:175)
    at org.apache.http.protocol.HttpRequestExecutor.doSendRequest(HttpRequestExecutor.java:232)
    at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125)
    at org.apache.http.impl.client.DefaultRequestDirector.tryExecute(DefaultRequestDirector.java:715)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:520)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906)
    at com.l7tech.gateway.common.spring.remoting.http.SecureHttpComponentsHttpInvokerRequestExecutor.executePostMethod(Unknown Source)
    at com.l7tech.gateway.common.spring.remoting.http.SecureHttpComponentsHttpInvokerRequestExecutor.doExecuteRequest(Unknown Source)
    at org.springframework.remoting.httpinvoker.AbstractHttpInvokerRequestExecutor.executeRequest(AbstractHttpInvokerRequestExecutor.java:141)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:209)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.executeRequest(HttpInvokerClientInterceptor.java:191)
    at org.springframework.remoting.httpinvoker.HttpInvokerClientInterceptor.invoke(HttpInvokerClientInterceptor.java:157)
    ... 12 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
    at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:483)
    at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:472)
    at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1506)
    ... 32 more
Release : 10.1
Troubleshooting:
select a.name, a.scheme, a.endpoints, a.enabled, b.name, b.value from connector a, connector_property b where a.port='8443' and b.name='protocols' and a.goid=b.connector_goid\G
The root cause is that the old environment uses TLSv1, which is deprecated by Java 11 on Gateway 10.1.
Since the Policy Manager cannot connect to the gateway, the TLS setting for port 8443 may have to be updated manually:
1. Back up the ssg database.
2. Run the following SQL on the primary DB node to update the TLS versions for port 8443 to TLSv1.2 and TLSv1.3:
update connector_property set value='TLSv1.2,TLSv1.3' where name='protocols' and connector_goid in (select goid from connector where port='8443');
(Only 1 row should be changed.)
4. Restart the gateway nodes to load the new settings.
5. Try Policy Manager again.
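
The update from step 2 with its one-row check built in, as an added example that is not part of the original article. It goes beyond port 8443 by first listing every connector whose protocols value contains neither TLSv1.2 nor TLSv1.3. Assumptions: it is typed into the mysql client on the primary DB node after the backup in step 1, and the connector tables use a transactional storage engine so that ROLLBACK has an effect.

```sql
-- Added example, not from the original article. Table and column names are
-- the ones used in the article's own queries.

-- 1. Audit (generalization): every listen port whose protocol list offers
--    neither TLSv1.2 nor TLSv1.3 will fail handshakes the same way.
SELECT a.name, a.port, a.enabled, b.value AS protocols
FROM connector a
JOIN connector_property b ON a.goid = b.connector_goid
WHERE b.name = 'protocols'
  AND b.value NOT LIKE '%TLSv1.2%'
  AND b.value NOT LIKE '%TLSv1.3%';

-- 2. Apply the article's fix for port 8443 inside a transaction
--    (assumption: the tables are transactional, otherwise ROLLBACK is a no-op).
START TRANSACTION;

UPDATE connector_property
SET value = 'TLSv1.2,TLSv1.3'
WHERE name = 'protocols'
  AND connector_goid IN (SELECT goid FROM connector WHERE port = '8443');

-- 3. Must run immediately after the UPDATE. The article expects exactly 1.
--    0 means no matching row, or the value was already 'TLSv1.2,TLSv1.3'.
--    More than 1 means several connectors are defined on port 8443.
SELECT ROW_COUNT() AS rows_changed;

-- 4. Confirm the stored value before making it permanent.
SELECT a.name, a.port, b.value AS protocols
FROM connector a
JOIN connector_property b ON a.goid = b.connector_goid
WHERE a.port = '8443' AND b.name = 'protocols';

-- 5. If rows_changed is 1 and the row above shows the new value, keep it.
--    Otherwise type ROLLBACK; instead of the COMMIT below.
COMMIT;
```

The gateway nodes still have to be restarted (step 4) before the listener picks up the new protocol list.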