Unable to connect to Jenkins server from RTC with TLS 1.2 enabled
Our networking team has configured our F5 load balancer to use TLS 1.2 in our test environments. Since doing this, our connection between RTC and Jenkins is broken. We've enabled TLS 1.2 in our WAS 8.5.5 profile but still couldn't connect to the Jenkins server. I'm guessing there's additional configuration needed.
We've tried adding
-Dcom.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2
to the Jazz properties in WAS with no luck.
We've also added the JVM arguments
-Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
and got some different results, but still couldn't hit the Jenkins server:
Connection test requested.
Connecting to: https://jenkins.testqa.zionsbank.com
Exception: java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
Test connection FAILED!
Before this change, we were getting:
Connection test requested.
Connecting to:
Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Test connection FAILED!
We've also changed TLSv1.2 to SSL_TLSv2 in the Quality of Protection settings.
We also downloaded the JCE updates for Java 6, but that totally broke connectivity to the RTC application. Any help would be appreciated.
One answer
Based on the error message alone, you can follow the technote below to enable strong encryption, and hopefully resolve the issue.
http://www-01.ibm.com/support/docview.wss?uid=swg21245273
Comments
Thanks Donald, we followed those instructions but are still having trouble connecting to Jenkins.
Connection test requested.
Connecting to: https://jenkins.testqa.zionsbank.com
Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Test connection FAILED!
The WAS logs are showing:
WAS received the failure from the remote endpoint(Jenkins).
[3/17/17 14:37:51:295 MDT] 000000cb SystemOut O WebContainer : 5 @@ 14:37 z070187 <Jakarta Commons-HttpClient/3.1@172.20.155.85> /ccm/service/com.ibm.rational.connector.hudson.internal.common.IHudsonService, RECV TLSv1 ALERT: fatal, handshake_failur
It seems that we're moving backwards, as the error indicates that TLSv1, not TLSv2, was used during the handshake. :-(
I just noticed that you said "we've also changed TLSv1.2 to SSL_TLSv2 in the Quality of Protection settings" at the beginning. Why so? Shouldn't we force all connections to use TLSv1.2? Change it back and see what happens.
If you need to debug it further, you can capture and analyze the traffic using Wireshark, or turn on SSL debugging in WAS. You may need someone with more experience in this to help you out if you still get stuck.
Just remember something: the method in the above comment will not solve your issue, as the QoP setting deals with incoming connections (WAS as a server), not outgoing connections (WAS as a client).
Try to follow the document below, in particular steps 9-12.
https://www.ibm.com/support/knowledgecenter/en//SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html
As mentioned earlier, what you want to do is tighten up the security settings to align with the F5. In other words, force everything SSL to TLSv1.2.
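The last comment suggests Wireshark or WAS SSL debugging to see what is actually negotiated. A quicker first check, added here as an example and not part of the thread above, is to ask the F5 directly which protocol versions and cipher suites it will accept, using openssl s_client instead of a packet capture. The script below probes one host with TLS 1.0, 1.1 and 1.2 in turn, then retries TLS 1.2 with ECDHE-RSA-AES256-SHA (OpenSSL's name for the JSSE suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA that the question pinned with -Dhttps.cipherSuites). Run it from the WAS host so the network path is the one the RTC/Jenkins connector uses. The host and port are command-line arguments, and the two sample outputs embedded in the script are constructed excerpts, not captures from the asker's environment.

```shell
#!/bin/sh
# Added example, not from the original thread: probe which TLS versions and
# cipher suites a TLS endpoint (the F5 in front of Jenkins) accepts, using
# openssl s_client. Run from the WAS host. Usage: probe_tls.sh HOST [PORT]

# Reduce openssl s_client output (stdin) to one line:
#   "OK <protocol> <cipher>"  when a session was negotiated
#   "FAIL handshake_failure"  when the server sent a handshake_failure alert
#   "FAIL no-cipher"          when no session was established for another reason
parse_handshake() {
  awk '
    /handshake failure/   { fail = "handshake_failure" }
    /^ *Protocol *:/      { proto = $3 }
    /^ *Cipher *:/        { cipher = $3 }
    END {
      if (fail != "")                       { print "FAIL " fail;      exit }
      if (cipher == "" || cipher == "0000") { print "FAIL no-cipher";  exit }
      print "OK " proto " " cipher
    }'
}

# probe HOST PORT VERSIONFLAG [CIPHER]
# VERSIONFLAG is one of -tls1, -tls1_1, -tls1_2. CIPHER is an OpenSSL cipher
# name, e.g. ECDHE-RSA-AES256-SHA (= JSSE TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA).
probe() {
  host=$1; port=$2; flag=$3; cipher=${4:-}
  # `printf ''` closes stdin so s_client exits right after the handshake;
  # `|| true` keeps a failed handshake from aborting the script under set -e.
  if [ -n "$cipher" ]; then
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            "$flag" -cipher "$cipher" 2>&1 || true)
  else
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
            "$flag" 2>&1 || true)
  fi
  printf '%s\n' "$out" | parse_handshake
}

# Constructed excerpts of s_client output (not captured from the asker's F5),
# so parse_handshake can be exercised offline.
sample_tls12_output() {
  cat <<'EOF'
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA
EOF
}

sample_failure_output() {
  cat <<'EOF'
CONNECTED(00000003)
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
EOF
}

main() {
  host=$1; port=${2:-443}
  for flag in -tls1 -tls1_1 -tls1_2; do
    printf '%-8s %s\n' "$flag" "$(probe "$host" "$port" "$flag")"
  done
  # Repeat with the exact suite the JVM was pinned to in the question.
  printf '%-8s %s\n' "-tls1_2" "$(probe "$host" "$port" -tls1_2 ECDHE-RSA-AES256-SHA)"
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

If the F5 is configured as intended, the -tls1 and -tls1_1 lines should report FAIL handshake_failure and the -tls1_2 line OK TLSv1.2 with a cipher. If -tls1_2 also fails, or the pinned suite fails while -tls1_2 without -cipher succeeds, the problem is the F5's cipher list rather than the WAS client, which narrows the search considerably. The version flags need OpenSSL 1.0.1 or later; on a build that lacks a flag, openssl prints an unknown-option error and the script reports FAIL no-cipher for that line.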