Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Cypher error for JTS setup URL

I need to migrate Rational CM 4.0.6 from Windows Server 2008 R2 to Red Hat Linux. I installed Rational CLM 4.0.6 on the Linux server. Application server: Apache Tomcat/7.0.32

JTS is required to use port 10443, which is currently on the Windows server. I am required to use an SSL certificate signed by the CA Entrust. The Linux admin created a certification request and sent it to Entrust. He received signed certificate files with the .crt extension. I received 3 .crt files, installed the files using keytool and created the keystore file ibm-team-ssl.keystore.

I changed the port to 10443 in Tomcat/conf/server.xml. When trying to connect to the JTS setup URL I get this error:

An error occurred during a connection to <JTS setup URL>. Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap)

I tried using IE and Chrome and cannot connect. Error in Chrome: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

On the server I checked using the netstat -an command and the server is listening on port 10443. Is this an issue with the certificate request or with the certificates issued by the CA Entrust? Any help will be greatly appreciated.

Thanks
NP


One answer

If you still have a copy of the original server.xml file, compare it carefully with the current version, in particular the <Connector port="9443"> block and see if you accidentally changed something that should not be changed. Pay attention to the "ciphers" listed in that block.

If the server.xml file looks OK, you can use openssl to test the SSL connection as it gives more details than browsers do. You should have openssl installed by default on your Redhat Linux server.
openssl s_client -connect localhost:10443


Comments

Hi Donald

I compared /tomcat/conf/server.xml for block beginning with   -->
    <Connector port="10443"

and could not find any difference. Please see below results of the command you gave to test SSL connection. Kindly let me know what could be the problem.

]# openssl s_client -connect localhost:10443
CONNECTED(00000003)
139623445563208:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 249 bytes
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Thank You
NP

Can you see the "no peer certificate available" message? It means that the server does not provide any certificates, so no clients can connect. I suspect that when you imported the certificates into the keystore, it was not successful.
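
One way to test the suspicion in the last comment, as an added example that is not part of the original thread: the functions below count entry types in `keytool -list` output, because an HTTPS connector can only present a certificate from a keystore entry that also holds the private key. Both listings, their aliases and fingerprints are constructed, and `count_entries` and `check_listing` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: classify the entries in `keytool -list` output.
# A keystore used by an HTTPS connector needs a PrivateKeyEntry;
# trustedCertEntry items are certificates with no private key.

# Constructed listing: three .crt files imported, no key entry.
CERTS_ONLY_LISTING='Keystore type: JKS
Your keystore contains 3 entries

root, Nov 20, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22 (constructed)
intermediate, Nov 20, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55 (constructed)
server, Nov 20, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 66:77:88 (constructed)'

# Constructed listing: signed reply imported onto the key pair alias.
WITH_KEY_LISTING='Keystore type: JKS
Your keystore contains 3 entries

root, Nov 20, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22 (constructed)
intermediate, Nov 20, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55 (constructed)
server, Nov 20, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 66:77:88 (constructed)'

# Read a listing on stdin; print "<PrivateKeyEntry count> <trustedCertEntry count>".
count_entries() {
    awk '/PrivateKeyEntry/  { key++ }
         /trustedCertEntry/ { trusted++ }
         END { printf "%d %d\n", key, trusted }'
}

# Read a listing on stdin; succeed only if a private key entry exists.
check_listing() {
    set -- $(count_entries)
    if [ "$1" -ge 1 ]; then
        echo "OK: $1 PrivateKeyEntry, $2 trustedCertEntry"
        return 0
    fi
    echo "NO SERVER KEY: 0 PrivateKeyEntry, $2 trustedCertEntry"
    return 1
}

printf '%s\n' "$CERTS_ONLY_LISTING" | check_listing || true
printf '%s\n' "$WITH_KEY_LISTING" | check_listing
# Real keystore: keytool -list -keystore ibm-team-ssl.keystore | check_listing
```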


Question asked: Nov 21 '15, 11:48 p.m.

Question was seen: 3,131 times

Last updated: Nov 23 '15, 12:41 a.m.
