It's all about the answers!

Ask a question

What is the blocker for TLS 1.2 for Mac OS RTC Client


Kevin Ramer (4.4k6158177) | asked Jan 26 '16, 11:43 a.m.
Hi, 

Under a corporate mandate to enable TLSv1.2 on our CLM applications.  In https://jazz.net/help-dev/clm/index.jsp?re=1&topic=/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_rtc.html&scope=null one finds:

Limitations

The following portions of the CLM product stack do not yet support TLS 1.2.
  • Rational Team Concert Eclipse client for Mac OS X
  • Quality Management Microsoft Word and Excel client
  • Cognos
We have a sizable population of Mac OS X users who are unable to connect to a TLS enabled applications.  What is the limiting factor of enabling TLS with Mac OS X Eclipse ?



Comments
Kevin Ramer commented Feb 11 '16, 2:40 p.m.

So, no one knows ?


Kim Soederhamn commented Feb 15 '16, 6:42 a.m.

 Maybe you need to raise a request for enhancement to get TLS working with eclipse on MAC OS.


Kevin Ramer commented Feb 15 '16, 10:05 a.m.

With Rational or Eclipse Development ?


Kevin Ramer commented Apr 12 '17, 4:01 p.m.

No one ever said where the enhancement should be opened... 

FWIW:  I unzipped a 6.0.2 macos 64 bit and I can use the scm utility to successfully connect to a TLSv1.2 enabled server and do query ( e.g. list workspaces ) w/o issue. 

However, users of our applications with MacOS cannot use Eclipse IDE.  I can't verify on  mac as I can't successfully connect to the "display"

Accepted answer


permanent link
Donald Nong (14.3k213) | answered Apr 13 '17, 5:23 a.m.

I think I have found the solution and there is no need to raise an enhancement request - the RTC 6.0.3 Client for Eclipse 4.2.x IDE works perfectly with TLSv1.2, and it even comes bundled with a JDK 1.7 (Oracle Java SE 1.7.0_101).

The whole thing appears to be related to the Eclipse 3.6 RCP that the older versions of RTC are based on. This version of Eclipse can only execute (Apple) Java 1.6, which does not provide TLSv1.2 support. I can confirm that it refuses to honor the "-vm" parameter in either the eclipse.ini or the Info.plist file.
https://bugs.eclipse.org/bugs/show_bug.cgi?id=339788

It is easy to see this by adding or modifying the below line in the eclipse.ini file.

-Dosgi.requiredJavaVersion=1.7

You will then get the below error message when launching RTC. Note that 1.6.0_65 is the Apple Java version, and all other installed JVMs (OpenJDK and Oracle Java) are ignored.
Version 1.6.0_65 of the JVM is not suitable for this product.

So, if you can use RTC 6.0.3 Client for Eclipse 4.2.x IDE, use it. Otherwise, use an Eclipse 4.2 base and install RTC on top of it - verify that the Eclipse base can be launched with Java 7 or 8 first.

Kevin Ramer selected this answer as the correct answer

Comments
Kevin Ramer commented Apr 13 '17, 8:22 a.m.

Thank you, Donald.   I presumed that the version of Java in use had more to do with making a TLS v1.2 connection than the RTC client features.   I passed this info along to a  MacOS user, but with the suggestion to maybe try Eclipse Luna + RTC 6.0.2 P2 ( I use that combination daily on my RHEL 6.8 platform ).   We're on 6.0.2 so even though 6.0.3 would do the TLS....


Donald Nong commented Apr 13 '17, 9:34 p.m.

That's right. If you look at the stack trace in the other answer that I posted, you will see that the "TLSv1.2 SSLContext not available" error is thrown by Java itself. That actually prompted me to do further research and find out the information that I posted in this answer.

One other answer



permanent link
Donald Nong (14.3k213) | answered Apr 13 '17, 1:17 a.m.

You should raise an enhancement request to the RTC development, I believe. If I enable debugging, here is what I see in the .log file.

!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.206
!MESSAGE SSL Algorithm Priority: [TLSv1.2]

!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.206
!MESSAGE Creating TLSv1.2 context

!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE TLSv1.2 SSLContext not available
!STACK 0
java.security.NoSuchAlgorithmException: TLSv1.2 SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:207)
    at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:168)
    at com.ibm.team.repository.transport.client.SSLUtils.createSSLContext(SSLUtils.java:135)
    at com.ibm.team.repository.client.util.FormBasedAuth.setupSSLSupport(FormBasedAuth.java:331)
    at com.ibm.team.repository.client.util.RepositoryUtil.getRepositoryId2(RepositoryUtil.java:109)
    at com.ibm.team.repository.client.internal.TeamRepositoryService.connectToAndUpdateTeamRepository(TeamRepositoryService.java:401)
    at com.ibm.team.repository.client.internal.TeamRepositoryService.getTeamRepositoryWithOverride(TeamRepositoryService.java:180)
    at com.ibm.team.process.rcp.ui.RepositoryCreationPage.createNewRepository(RepositoryCreationPage.java:235)
    at com.ibm.team.process.rcp.ui.RepositoryCreationPage.create(RepositoryCreationPage.java:201)
    at com.ibm.team.process.rcp.ui.RepositoryCreationPage$1.run(RepositoryCreationPage.java:130)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE Failed to create TLSv1.2 context

!ENTRY com.ibm.team.repository.transport.client.SSLUtils 0 500 2017-04-13 15:02:01.207
!MESSAGE No acceptable encryption algorithm found

!ENTRY com.ibm.team.repository.client 1 800 2017-04-13 15:02:01.208
!MESSAGE CRJAZ0053I The identifier for the repository identified by "https://clm603.example.com:9443/ccm" could not be contacted: No acceptable encryption algorithm found

(The last message is what I see on the RTC UI).

While not the exact source code, you can see the logic of the code here.
https://github.com/jenkinsci/teamconcert-plugin/blob/master/com.ibm.team.build.hjplugin/src/main/java/com/ibm/team/build/internal/hjplugin/util/SSLContextUtil.java

So the error is thrown well before an SSL handshake is made. I can confirm that there is no TCP/IP traffic happening before the error occurs.

Your answer


Register or to post your answer.