After upgrading to RPE 2.1.2, SSLHandshakeException on CLM schema query


Bob 3 (1481564) | asked Aug 22 '17, 12:20 a.m.

After upgrading to RPE 2.1.2, RPE cannot add a DNG data source schema to a template. My JTS 6.0.3 server, the security certificate of which is working fine elsewhere, like in Chrome, hasn't changed since before the RPE upgrade. Previous versions of RPE talked with my JTS just fine. 


The text of the error is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Is anyone else running into this error? See screen capture here. (I changed the hostname in the image for privacy)


Comments
Kumaraswamy Gowda commented Aug 22 '17, 3:46 a.m.

Hi Bob,

>>> After upgrading to RPE 2.1.2
What was the earlier RPE version that worked?

Thanks,
Kumar


Bob 3 commented Aug 22 '17, 11:10 a.m.

RPE worked through version 2.1.1


Kumaraswamy Gowda commented Aug 23 '17, 1:47 a.m.

How is the CLM topology? Do you use IHS and reverse proxy?

Could you try adding the -Dcom.ibm.rational.rpe.tls12only=true parameter in the rpe-launcher.ini and rpe-studio.ini files?


Bob 3 commented Aug 23 '17, 4:13 a.m.

After adding the INI command to both INI files, it did not change the behavior of RPE. The same error was generated.

The CLM topology is very simple: CLM 6.0.3, Tomcat, Derby. No reverse proxy. It uses a self-signed certificate. 
RPE 2.1.1 has no problem interacting with the same server at the same time.


Kumaraswamy Gowda commented Aug 28 '17, 4:40 a.m.

Hi Rob, we're working on it to understand what changed in RPE 2.1.2 that caused this issue. We did update JRE in RPE 2.1.2 from JRE 1.7.0.X to JRE 1.7.1.x. We're not yet able to replicate the issue.
What does JazzInstallDir\server\tomcat\conf\server.xml look like, especially the cipher content in the file?

Could you please try this?
RPE_HOME has the JRE at the path RPE_HOME\jre. Could you replace the jre contents in RPE 2.1.2 with the contents from RPE 2.1.1 and share the results with us?

Thanks,
Kumar


Bob 3 commented Aug 28 '17, 4:45 p.m.

Kumar, here is the SSL-related excerpt from server.xml:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" algorithm="${jazz.connector.algorithm}" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="ibm-team-ssl.keystore" keystorePass="ibm-team" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="${jazz.connector.sslEnabledProtocols}"/>

I swapped out RPE 2.1.2's JRE folder for 2.1.1's JRE folder. After doing so, RPE 2.1.2 connects properly to my JTS without throwing any SSL errors!


Kumaraswamy Gowda commented Sep 11 '17, 12:38 p.m.

Hi Bob,
Did you find any workaround other than using JRE from 2.1.1?
We also published a technote http://www-01.ibm.com/support/docview.wss?uid=swg22007595 to specify the supposed cipher

Thanks,
Kumar


Bob 3 commented Sep 11 '17, 10:33 p.m.

Kumar, my JTS' server.xml already had one of the ciphers listed in the technote (TLS_RSA_WITH_AES_128_CBC_SHA) but not the other (TLS_RSA_WITH_AES_128_CBC_SHA256). I also do not use a reverse proxy because the JTS lives on a single server. Nevertheless, RPE 2.1.2 couldn't complete the SSL handshake. The only solution that worked for me was to replace the "guts" of RPE's JVM with RPE 2.1.1's JVM. 


Kumaraswamy Gowda commented Sep 15 '17, 12:52 a.m.

Hi Bob,

Could you try latest milestone of RPE 6.0.5 from https://jazz.net/downloads/rational-publishing-engine? It has JRE 8 bundled within it... just wanted to check if the issue gets resolved with JRE 8.

Thanks,
Kumar


Bob 3 commented Sep 15 '17, 3:26 a.m.

Kumar, I installed RPE 6.0.5 M4 and it encounters the same SSL handshake challenge. (Screenshot here)


2 answers

Kenji Sarai (96029) | answered Aug 22 '17, 1:16 a.m.

Hi Bob,

There is a very similar problem reported recently, and it is caused by there being no shared ciphers for TLS 1.2 between IBM Http Server and RPE (IBMJSSE2 provider).

ciphers in IHS: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html

ciphers in RPE: https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/ciphersuites.html

RPE does not have the ciphers 2f and 3c by default, but they can be added. Enable them and use Basic authentication, then it will be working fine.

This is a quite complex problem; I would recommend contacting the IBM support team for a detailed investigation.
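The diagnosis above (no cipher suite shared by the server and the client's JSSE provider) can be checked directly against the server.xml excerpt Bob posted in the comments. The script below is an added example, not code from the page or from IBM: it parses the ciphers attribute of the SSL-enabled Connector, normalizes the SSL_/TLS_ prefixes that IBM JSSE2 uses interchangeably, intersects the list with a client's suite list, and reports the hex code points (2f and 3c are 0x002F and 0x003C in the IANA registry) so they can be matched against the IBM cipher tables linked above. The two client lists are constructed for illustration and are assumptions, not RPE's actual defaults; the local_openssl_suites helper shows how to obtain a real client list instead.

```python
"""Added example: does a Jazz/Tomcat HTTPS connector share any cipher suite with a client?

An empty intersection is exactly what the server reports back as
SSLHandshakeException: Received fatal alert: handshake_failure.
"""
import ssl
import xml.etree.ElementTree as ET

# IANA code points for the suites that appear on this page. 0x002F and 0x003C are
# the "2f" and "3c" of the answer; the rest come from the posted server.xml.
IANA_CODES = {
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": 0x0013,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,
}

# The two suites the IBM technote asks for on the server side.
RECOMMENDED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256"]

# Constructed sample: a minimal server.xml wrapping the Connector from the question.
SERVER_XML = """<Server><Service name="Catalina">
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100"
 algorithm="${jazz.connector.algorithm}"
 ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
 SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
 clientAuth="false" keystoreFile="ibm-team-ssl.keystore" port="9443" protocol="HTTP/1.1"
 scheme="https" secure="true" sslEnabledProtocols="${jazz.connector.sslEnabledProtocols}"/>
</Service></Server>"""

# Constructed client lists (assumptions, not RPE's real defaults): a client that no longer
# offers RC4, 3DES or DHE-CBC suites and has neither 2f nor 3c enabled, and the same client
# after the two suites are enabled.
CLIENT_WITHOUT_2F_3C = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
]
CLIENT_WITH_2F_3C = CLIENT_WITHOUT_2F_3C + RECOMMENDED


def normalize(name):
    """IBM JSSE2 names some suites SSL_* and others TLS_*; treat both prefixes as the same suite."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name


def server_ciphers(server_xml):
    """Cipher suites offered by every SSL-enabled Connector in server.xml, in listed order."""
    suites = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        suites.extend(normalize(c) for c in conn.get("ciphers", "").split(",") if c.strip())
    return suites


def code_of(name):
    """Hex code point as printed in the IBM cipher tables, e.g. '2f'."""
    return format(IANA_CODES[name], "02x")


def diagnose(server_xml, client_suites):
    """Intersect the server's and the client's suite lists and flag missing technote suites."""
    offered = server_ciphers(server_xml)
    client = {normalize(c) for c in client_suites}
    shared = [s for s in offered if s in client]
    return {
        "offered": offered,
        "shared": shared,
        "shared_codes": [code_of(s) for s in shared if s in IANA_CODES],
        "handshake_possible": bool(shared),
        "missing_recommended": [s for s in RECOMMENDED if s not in offered],
    }


def local_openssl_suites():
    """IANA code points the local OpenSSL-backed Python client would offer (low 16 bits of the id)."""
    return {c["id"] & 0xFFFF for c in ssl.create_default_context().get_ciphers()}


if __name__ == "__main__":
    for label, client in (("before enabling 2f/3c", CLIENT_WITHOUT_2F_3C),
                          ("after enabling 2f/3c", CLIENT_WITH_2F_3C)):
        result = diagnose(SERVER_XML, client)
        verdict = "handshake possible" if result["handshake_possible"] else "handshake_failure"
        print(f"{label}: {verdict}, shared code points {result['shared_codes']}")
        if result["missing_recommended"]:
            print("  server.xml still lacks:", ", ".join(result["missing_recommended"]))
```

Run against Bob's excerpt, the script shows that the posted server.xml offers 2f but not 3c, which matches his later comment: enabling 2f on the client would give one shared suite, while 3c would also have to be added to the Connector's ciphers attribute before it could help.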


Comments
Bob 3 commented Aug 22 '17, 2:56 a.m.

Thanks for identifying the problem, Kenji!

Is there a work instruction available on how to add 2f and 3c cipher support to RPE?


Kumaraswamy Gowda commented Aug 22 '17, 3:23 a.m.

Thanks Kenji. Small correction...

>>> Enable them and use Basic authentication, then it will be working fine.
For DNG, use the same authentication method like OAuth if it was used earlier.
It's Basic for connection to JRS as a data source.


Kumaraswamy Gowda commented Aug 22 '17, 3:45 a.m.

Hi Bob,

>>> After upgrading to RPE 2.1.2
What was the earlier RPE version that worked?

Thanks,
Kumar


Kenji Sarai commented Aug 22 '17, 10:18 p.m.

Hi Bob,

Can you add the com.ibm.rational.rpe.tls12only=true parameter to rpe-launcher.ini and rpe-studio.ini files, and give it a try?

The cipher settings might be different in your environment, so a detailed investigation is needed into how to set them in your IHS (httpd.conf). If the parameter above does not work, please contact the IBM support team.


Bob 3 commented Aug 22 '17, 11:06 p.m.

Kenji, thank you for this instruction. After adding the INI command, it did not change the behavior of RPE. Can you point me to any documentation on the security-related INI commands? I would like to do some troubleshooting.


Kenji Sarai commented Aug 23 '17, 12:07 a.m.

Here is the list of all flags you can add in the ini file. However, there are not many for security.

https://www.ibm.com/support/knowledgecenter/SS6RHZ_2.1.2/com.ibm.rational.pe.reference.doc/topics/c_flags.html

Guido Schneider (3.4k1486115) | answered Sep 11 '17, 4:41 p.m.

Maybe you must add the self-signed certificate of the JTS into the Java keystore of RPE's Java, in jre/lib/security/cacerts.

regards
Guido


Comments
Bob 3 commented Sep 11 '17, 10:34 p.m.

Guido, thanks for this idea. I tried to import my self-signed certificate to the Java Keystore but apparently my certificate's password is too short! I'm not too keen on establishing a new certificate (with a longer password) and needing to roll it out to all my users. Regrettably, I won't be able to test this solution right now. 
