Unable to connect Jenkins server from RTC with TLS 1.2 enabled


Michael Angelastro (55617) | asked Mar 16 '17, 4:23 p.m.

Our networking team has configured our F5 load balancer to use TLS 1.2 in our test environments. Since doing this, our connection between RTC and Jenkins is broken. We've enabled TLS 1.2 in our WAS 8.5.5 profile but still couldn't connect to the Jenkins server. I'm guessing there's additional configuration needed.

We’ve tried adding,

-Dcom.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2

To the Jazz properties in WAS with no luck. 

We’ve also added the JVM arguments,

-Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

and got some different results but still couldn’t hit the Jenkins server,

Connection test requested.
    Connecting to: https://jenkins.testqa.zionsbank.com
    Exception: java.lang.IllegalArgumentException: Cannot support TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA with currently installed providers
    Test connection FAILED!

Before this change we were getting,

Connection test requested.
    Connecting to:
    Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    Test connection FAILED!

We've also changed TLSv1.2 to SSL_TLSv2 in the Quality of Protection settings.


We also downloaded JCE updates for Java 6, but it totally broke connectivity to the RTC application. Any help would be appreciated.

One answer



Donald Nong (14.5k614) | answered Mar 16 '17, 9:26 p.m.

Based on the error message alone, you can follow the technote below to enable strong encryption, and hopefully resolve the issue.
http://www-01.ibm.com/support/docview.wss?uid=swg21245273


Comments
Michael Angelastro commented Mar 21 '17, 10:15 a.m.

Thanks Donald, we followed those instructions but are still having trouble connecting to Jenkins.

Connection test requested.
    Connecting to: https://jenkins.testqa.zionsbank.com
    Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    Test connection FAILED!

The WAS logs are showing:

 WAS received the failure from the remote endpoint(Jenkins).
[3/17/17 14:37:51:295 MDT] 000000cb SystemOut     O   WebContainer : 5 @@ 14:37 z070187 <Jakarta Commons-HttpClient/3.1@172.20.155.85> /ccm/service/com.ibm.rational.connector.hudson.internal.common.IHudsonService, RECV TLSv1 ALERT:  fatal, handshake_failur


Donald Nong commented Mar 21 '17, 9:29 p.m.

It seems that we're moving backwards, as the error indicates that TLSv1, not TLSv2, was used during the handshake. :-(

I just noticed that you said "we've also changed TLSv1.2 to SSL_TLSv2 in the Quality of Protection settings" at the beginning. Why so? Shouldn't we force all connections to use TLSv1.2? Change it back and see what happens.

If you need to further debug it, you can capture and analyze the traffic using Wireshark, or turn on SSL debugging in WAS. You may need someone with more experience in this to help you out if you still get stuck.


Donald Nong commented Mar 21 '17, 9:57 p.m.

Just remembered something: the method in the above comment will not solve your issue, as the QoP setting deals with incoming connections (WAS as a server), not outgoing connections (WAS as a client).

Try to follow the document below, in particular steps 9-12.
https://www.ibm.com/support/knowledgecenter/en//SSYMRC_6.0.3/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_was.html

As mentioned earlier, what you want to do is tighten up the security settings to align with the F5. In other words, force everything SSL in TLSv1.2.
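
An added example, not part of the original thread or of IBM's documentation: a small Java class to run with the same JVM that WAS uses, checking offline whether that JVM has the unrestricted JCE policy in place, offers TLSv1.2 at all, and supports the cipher suite named in the error above. The class name and the SSL_/TLS_ prefix fallback are assumptions made for illustration.

```java
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

/** Added diagnostic (class name is hypothetical); uses Java 6 compatible syntax. */
public class TlsClientCheck {

    /** True if the suite is offered under either the TLS_ or the SSL_ spelling. */
    static boolean supportsSuite(List<String> supported, String suite) {
        // Assumption: some JSSE providers list suites as SSL_* rather than TLS_*.
        String alt = suite.startsWith("TLS_") ? "SSL_" + suite.substring(4) : suite;
        return supported.contains(suite) || supported.contains(alt);
    }

    public static void main(String[] args) throws Exception {
        String protocol = "TLSv1.2";
        String suite = "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"; // suite from the thread

        // 128 means the restricted JCE policy files are active: no 256-bit AES keys.
        int maxAes = Cipher.getMaxAllowedKeyLength("AES");
        System.out.println("Max AES key length: " + maxAes
                + (maxAes < 256 ? " (restricted policy)" : " (unrestricted policy)"));

        SSLContext ctx;
        try {
            ctx = SSLContext.getInstance(protocol);
        } catch (NoSuchAlgorithmException e) {
            System.out.println(protocol + " is not available in this JVM: " + e.getMessage());
            return;
        }
        ctx.init(null, null, null); // default key/trust managers; no network access

        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        List<String> suites = Arrays.asList(supported.getCipherSuites());

        // "Supported" is what the provider can do; "enabled by default" is what an
        // outgoing client connection offers unless configuration overrides it.
        System.out.println("Provider:            " + ctx.getProvider().getName());
        System.out.println("Supported protocols: " + Arrays.toString(supported.getProtocols()));
        System.out.println("Enabled by default:  " + Arrays.toString(defaults.getProtocols()));
        System.out.println(suite + " supported: " + supportsSuite(suites, suite));
    }
}
```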
