A request routed to a node that does not have SNI extension support may fail with the following error in the log or audit log:
Problem routing to https://server.domain.com:443/service. Error msg: Unable to obtain HTTP response from https://server.domain.com:443/service: Warning Alert received: Unrecognized Name
This failure does not originate from the Gateway and is actually the error response returned by the server application when the Gateway attempts to connect.
The Gateway has supported SNI to the backend since the introduction of Java 7.
Oracle added Server Name Indication (SNI) extension support to Java 7. The Gateway moved to Java 7 in version 7.1.0. The Gateway also uses several Java-based SSL/TLS providers. All of these dependencies cooperate to provide support for SNI for SSL/TLS-encrypted connections and handshakes.
SNI allows a client application to specify a host it desires to connect to for a particular TCP connection. It is useful for virtual hosting of multiple web servers or services on one server or port of a server. This allows one or more applications to be available on the same server, interface, or port while allowing the client to specify what host it wants to connect to. If a server application does not support this extension then a particular error message will be returned during the SSL handshake and the attempt to connect (and the subsequent routing attempt) will fail. This issue can be avoided by disabling SNI support within a particular node in the cluster.
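To confirm from a packet capture that the rejection comes from the backend rather than the Gateway, the following added example (not part of the original article or of the Gateway product) encodes the SNI extension a client places in its ClientHello and decodes the plaintext alert record a server sends back. The alert code 112 (`unrecognized_name`) and the extension layout are taken from RFC 6066; the function names and sample bytes are constructed for illustration.

```python
import struct

ALERT_LEVELS = {1: "warning", 2: "fatal"}
UNRECOGNIZED_NAME = 112  # alert description defined in RFC 6066


def build_sni_extension(host: str) -> bytes:
    """Encode the server_name extension (type 0) a client puts in its ClientHello."""
    name = host.encode("ascii")
    entry = struct.pack("!BH", 0, len(name)) + name  # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(name_list)) + name_list


def parse_sni_extension(ext: bytes) -> str:
    """Return the host name from a server_name extension holding one host_name entry."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != 0 or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed server_name extension")
    list_len, name_type, name_len = struct.unpack("!HBH", ext[4:9])
    if list_len != ext_len - 2 or name_type != 0 or name_len != list_len - 3:
        raise ValueError("unexpected server_name_list layout")
    return ext[9:9 + name_len].decode("ascii")


def classify_alert(record: bytes) -> dict:
    """Decode an unencrypted TLS alert record (content type 21)."""
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21 or length != 2:
        raise ValueError("not a plaintext TLS alert record")
    level, desc = record[5], record[6]
    return {
        "level": ALERT_LEVELS.get(level, "unknown"),
        "description": desc,
        "sni_rejected": desc == UNRECOGNIZED_NAME,
    }


if __name__ == "__main__":
    # Constructed samples: the host name from the log line above and a
    # hand-built TLS 1.0 alert record (level 1, description 112).
    ext = build_sni_extension("server.domain.com")
    print(ext.hex(), "->", parse_sni_extension(ext))
    print(classify_alert(bytes.fromhex("15030100020170")))
```

A result with `level` of `warning` and `sni_rejected` set to `True` corresponds to the "Warning Alert received: Unrecognized Name" message in the log.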
This issue can be worked around by disabling the SNI extension within the Gateway's implementation of Java. To disable SNI, perform the following:
The procedure above must be executed on each node in the impacted cluster, because system properties are not replicated across the cluster and are set on a node-by-node basis.
If you need persistent support for SNI even with the error printed, or if the steps above do not resolve the issue, please contact Layer 7 Support at CA Technologies.