ORA-17967 error in jdbc_response 2.0.0 or higher


Article ID: 438211


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

After upgrading the jdbc_response probe to 2.0.0 from a 1.x version, Oracle connections using TCPS (SSL/TLS) fail.

The jdbc_response probe log contains the following error:

ORA-17967: SSL Handshake failure (handshake_failure) Received fatal alert: handshake_failure

Testing the connection in the probe GUI results in a pop-up message with the same error.

Environment

DX UIM - Any Version
jdbc_response probe 2.0.0 or higher

Cause

Starting with version 2.0.0, the jdbc_response probe uses Java 21 instead of Java 8. Java 21 explicitly blocks certain legacy cipher suites, which may still be configured on the Oracle database side, because these ciphers do not preserve Forward Secrecy.

On the Oracle database, the sqlnet.ora configuration file located in ($ORACLE_HOME)/database/network/admin/ may contain an SSL_CIPHER_SUITES directive defining one or more obsolete cipher strings.

Examples include (but are not necessarily limited to):

  •  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
  •  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  •  SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  •  SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
  •  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
  •  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
  •  SSL_RSA_WITH_3DES_EDE_CBC_SHA

Resolution

Work with your DBA to implement a more modern, secure cipher string that preserves Forward Secrecy.

An example of a more modern, secure cipher set follows. Your DBA and/or organization may have more specific requirements, but the following is considered the standard for Oracle as of April 2026:

SSL_CIPHER_SUITES = (SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256)

This should be added to ($ORACLE_HOME)/database/network/admin/sqlnet.ora, replacing any existing SSL_CIPHER_SUITES directive.

After updating sqlnet.ora, execute the following command on the Oracle server:

lsnrctl reload

The probe should now be able to connect successfully.
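To see which suites sqlnet.ora actually offers, both when diagnosing the cause and after the DBA's change, the directive can be parsed and checked against the obsolete pattern listed under Cause. This is an added example, not Broadcom or Oracle code; the function name, the constructed sample files and the use of the 3DES_EDE_CBC substring as the only legacy marker are assumptions.

```python
import re
import sys

# Substring shared by every obsolete suite the article lists. The article says
# its list is not exhaustive, so neither is this check (assumption).
LEGACY_MARKER = "3DES_EDE_CBC"

DIRECTIVE = re.compile(r"^\s*SSL_CIPHER_SUITES\s*=\s*\(([^)]*)\)",
                       re.IGNORECASE | re.MULTILINE)

# Constructed sample files, not taken from a real server.
SAMPLE_BEFORE = """\
# SSL_CIPHER_SUITES = (SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA)
SSL_CLIENT_AUTHENTICATION = FALSE
SSL_CIPHER_SUITES = (SSL_RSA_WITH_3DES_EDE_CBC_SHA,
    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
"""
SAMPLE_AFTER = ("SSL_CIPHER_SUITES = (SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
                "SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256)\n")


def audit_sqlnet(text):
    """Return the directive count, the suites offered and the legacy subset."""
    # Comments run from '#' to end of line; drop them so a commented-out
    # directive is not reported as active.
    active = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    bodies = DIRECTIVE.findall(active)  # a value may span several lines
    suites = [s.strip().strip('"') for body in bodies
              for s in body.split(",") if s.strip()]
    legacy = [s for s in suites if LEGACY_MARKER in s.upper()]
    return {"directives": len(bodies), "suites": suites, "legacy": legacy}


if __name__ == "__main__":
    # Pass the path to sqlnet.ora; with no argument the sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BEFORE
    result = audit_sqlnet(text)
    if result["directives"] == 0:
        print("No active SSL_CIPHER_SUITES directive found.")
    for suite in result["suites"]:
        flag = "LEGACY" if suite in result["legacy"] else "ok"
        print(f"{flag:7}{suite}")
    sys.exit(1 if result["legacy"] else 0)
```

The script exits with status 1 while any listed legacy suite is still offered, so it can be run against the edited file before `lsnrctl reload`.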

 

Workaround

As a workaround, it is possible to force Java 21 to accept the less-secure ciphers by taking the following steps:

  1. In the jdbc_response probe folder ($UIM_HOME/nimsoft/probes/database/jdbc_response), create a plain text file named custom.security containing only the following line, which removes the strict modern cipher blocks. Do not add extra lines or carriage returns; the file should be one line only.

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA

  2. Deactivate the jdbc_response probe.
  3. Access Raw Configure on the jdbc_response probe.
  4. If there is a "startup" folder, expand it and if there is an "opt" folder, expand that.

    If the startup->opt folder does not exist, create it by clicking on "New Section" in the raw configure interface, and then enter "startup", ensuring that "Create at root" is enabled.

    Then, highlight "startup", click on "New Section" again and enter "opt", but this time, ensure "Create at root" is not enabled.

  5. Inside the startup->opt section, add a New Key:

    custom_cipher_file

    The value should be:

    -Djava.security.properties=(/path/to/file/custom.security)

    Example:

    -Djava.security.properties=/opt/nimsoft/probes/database/jdbc_response/custom.security

  6. Activate the probe and test the connection, which should now succeed.


Additional Information

Java 21 Release Note: TLS Cipher Suites Using 3DES Removed From the Default Enabled List