Error when setting up SSL between SPS 12.52 and backend application.


Article ID: 38713


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Summary:

We have a backend IIS server and need to set up SSL between the Secure Proxy Server and that backend server. When the SSL handshake is attempted, the SPS nohup.out log shows the error: "java.lang.RuntimeException: Unrecognized cipher suite".

Instructions

In the vast majority of cases, if you are using the SSL cipher suites provided by default in the server.conf included in Secure Proxy Server 12.52 and up, you should not encounter this error. However, it may be a requirement in some environments that the available ciphers be tailored to specific security needs, and a change to the available ciphers in the server.conf is necessary.

The above error can occur when changes to the cipher list are made, but the ciphers are not available in the version of OpenSSL packaged with your specific version of Secure Proxy Server. To see which version is being used, log in to the command line for your SPS server(s) and type the following:

# openssl version -v

To determine which ciphers are currently available for use, you can also run:

# openssl ciphers -v
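The comparison between a tailored cipher list and what the local OpenSSL build offers can be scripted. The following is an added example, not part of the original article or of the product; the function names and sample cipher strings are assumptions, and the configured list is whatever you copied from your own server.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper names). Run it with the openssl binary
# that your SPS installation actually uses, which may not be first on PATH.

# Print every cipher name this openssl build knows, one per line.
# 'ALL:eNULL' widens the listing beyond the default set shown by a plain
# "openssl ciphers -v"; the first column of -v output is the cipher name.
available_ciphers() {
    openssl ciphers -v 'ALL:eNULL' | awk '{print $1}'
}

# unsupported_ciphers CONFIGURED [AVAILABLE]
#   CONFIGURED: cipher names separated by commas, colons or whitespace.
#               Leading OpenSSL cipher-string operators (+, -, !) are stripped.
#   AVAILABLE:  newline-separated names; defaults to available_ciphers output.
# Prints each configured name that is missing from AVAILABLE, one per line.
unsupported_ciphers() {
    configured=$1
    if [ "$#" -ge 2 ]; then
        available=$2
    else
        available=$(available_ciphers)
    fi
    printf '%s\n' "$configured" |
        tr ',: \t' '\n\n\n\n' |
        sed 's/^[-+!]*//' |
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            # -x: whole-line match, so AES256 does not match AES256-SHA
            printf '%s\n' "$available" | grep -qxF -- "$name" ||
                printf '%s\n' "$name"
        done
}

# Stand-alone use: pass the configured cipher list as the first argument.
if [ "$#" -gt 0 ]; then
    unsupported_ciphers "$1"
fi
```

Any name it prints is a candidate for the "Unrecognized cipher suite" error and should be removed from the list or confirmed against the OpenSSL documentation.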

Additionally, check the official OpenSSL documentation at openssl.org to determine whether this version contains the ciphers you require for your environment. If they are not included, you may need to request assistance from CA support to determine whether a future version of Secure Proxy Server will have a version of OpenSSL that supports your required ciphers.

Additional Information:

https://www.openssl.org/docs/manmaster/apps/version.html
https://www.openssl.org/docs/manmaster/apps/ciphers.html

Environment

Release: ETRSBB99000-12.52-SiteMinder-B to B