Jazz Forum

After upgrading to RPE 2.1.2, SSLHandshakeException on CLM schema query

After upgrading to RPE 2.1.2, RPE cannot add a DNG data source schema to a template. My JTS 6.0.3 server, the security certificate of which is working fine elsewhere, like in Chrome, hasn't changed since before the RPE upgrade. Previous versions of RPE talked with my JTS just fine. 


The text of the error is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Is anyone else running into this error? See screen capture here. (I changed the hostname in the image for privacy)

0 votes

Comments

Hi Bob,

>>> After upgrading to RPE 2.1.2
What was the earlier RPE version that worked?

Thanks,
Kumar

RPE worked through version 2.1.1

How is the CLM topology? Do you use IHS and reverse proxy?

Could you try adding the -Dcom.ibm.rational.rpe.tls12only=true parameter in the rpe-launcher.ini and rpe-studio.ini files?

After adding the INI command to both INI files, it did not change the behavior of RPE. The same error was generated.

The CLM topology is very simple: CLM 6.0.3, Tomcat, Derby. No reverse proxy. It uses a self-signed certificate. 
RPE 2.1.1 has no problem interacting with the same server at the same time.

Hi Rob, we're working on it to understand what changed in RPE 2.1.2 that caused this issue. We did update the JRE in RPE 2.1.2 from JRE 1.7.0.X to JRE 1.7.1.x. We're not yet able to replicate the issue.
What does JazzInstallDir\server\tomcat\conf\server.xml look like, especially the cipher content in the file?

Could you please try this?
RPE_HOME has the JRE at RPE_HOME\jre. Could you replace the jre contents in RPE 2.1.2 with the contents from RPE 2.1.1 and share the results with us?

Thanks,
Kumar

Kumar, here is the SSL-related excerpt from server.xml:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" algorithm="${jazz.connector.algorithm}" ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" clientAuth="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="ibm-team-ssl.keystore" keystorePass="ibm-team" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" port="9443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="${jazz.connector.sslEnabledProtocols}"/>

I swapped out RPE 2.1.2's JRE folder for 2.1.1's JRE folder. After doing so, RPE 2.1.2 connects properly to my JTS without throwing any SSL errors!

Hi Bob,
Did you find any workaround other than using JRE from 2.1.1?
We also published a technote http://www-01.ibm.com/support/docview.wss?uid=swg22007595 to specify the supposed cipher

Thanks,
Kumar

Kumar, my JTS' server.xml already had one of the ciphers listed in the technote (TLS_RSA_WITH_AES_128_CBC_SHA) but not the other (TLS_RSA_WITH_AES_128_CBC_SHA256). I also do not use a reverse proxy because the JTS lives on a single server. Nevertheless, RPE 2.1.2 couldn't complete the SSL handshake. The only solution that worked for me was to replace the "guts" of RPE's JVM with RPE 2.1.1's JVM. 

Hi Bob,

Could you try latest milestone of RPE 6.0.5 from https://jazz.net/downloads/rational-publishing-engine? It has JRE 8 bundled within it... just wanted to check if the issue gets resolved with JRE 8.

Thanks,
Kumar

Kumar, I installed RPE 6.0.5 M4 and it encounters the same SSL handshake challenge. (Screenshot here)



2 answers


Hi Bob,

There is a very similar problem reported recently, and it is caused by there being no shared ciphers for TLS 1.2 between IBM HTTP Server and RPE (IBMJSSE2 provider).

ciphers in IHS: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html

ciphers in RPE: https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/ciphersuites.html

RPE does not have the ciphers 2f and 3c by default, but they can be added. Enable them and use Basic authentication, then it will be working fine.

This is quite a complex problem; I would recommend contacting the IBM support team for a detailed investigation.

1 vote

Comments

Thanks for identifying the problem, Kenji!

Is there a work instruction available on how to add 2f and 3c cipher support to RPE?

Thanks Kenji. Small correction...

>>> Enable them and use Basic authentication, then it will be working fine.
For DNG, use the same authentication method (e.g. OAuth) if it was used earlier.
It's Basic for the connection to JRS as a data source.

Hi Bob,

Can you add the com.ibm.rational.rpe.tls12only=true parameter to the rpe-launcher.ini and rpe-studio.ini files, and give it a try?

The cipher settings might be different in your environment, so it needs detailed investigation of how to set them in your IHS (httpd.conf). If the parameter above does not work, please contact the IBM support team.

Kenji, thank you for this instruction. After adding the INI command, it did not change the behavior of RPE. Can you point me to any documentation on the security-related INI commands? I would like to do some troubleshooting.

Here is the list of all flags you can add in the ini file. However, there are not many for security.

https://www.ibm.com/support/knowledgecenter/SS6RHZ_2.1.2/com.ibm.rational.pe.reference.doc/topics/c_flags.html
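The answer above attributes the handshake_failure to the server and the RPE client having no cipher suite in common, and Kumar's earlier comment asks what the ciphers attribute in server.xml looks like. The following script is an added example, not code from the thread or from IBM, that makes that check concrete offline: it parses the ciphers attribute of the Tomcat Connector posted in this thread, normalises the IBM JSSE2 "SSL_" and "TLS_" spellings of the same suite, maps names to their IANA identifiers (so that Kenji's "2f" and "3c" read as TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA256), and reports whether a client offering a given list of suites at a given TLS version can reach agreement. The two client lists are constructed for illustration; they are not the real default suite list of any RPE or JRE build.

```python
import re
from typing import Dict, List, Optional

# IANA cipher-suite identifiers for the suites mentioned in this thread.
# IBM JSSE2 also accepts the legacy "SSL_" spelling for the pre-TLS suites,
# which is why the server.xml in the thread mixes both prefixes.
SUITE_IDS: Dict[str, int] = {
    "TLS_RSA_WITH_RC4_128_MD5": 0x0004,
    "TLS_RSA_WITH_RC4_128_SHA": 0x0005,
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": 0x000A,
    "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA": 0x0013,
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": 0x0016,
    "TLS_RSA_WITH_AES_128_CBC_SHA": 0x002F,        # Kenji's "2f"
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA": 0x0032,
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA": 0x0033,
    "TLS_RSA_WITH_AES_128_CBC_SHA256": 0x003C,     # Kenji's "3c"
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256": 0x0067,
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": 0xC027,
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 0xC02F,
}

# The Connector excerpt Bob posted in this thread, used here as sample input.
SERVER_XML = (
    '<Connector SSLEnabled="true" ciphers="SSL_RSA_WITH_RC4_128_MD5, '
    'SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, '
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, '
    'SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, '
    'SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA" port="9443" scheme="https" secure="true"/>'
)

# Constructed client offers (hypothetical, not a real RPE/JRE default list):
# a TLS 1.2-only client that carries only SHA-256 and GCM suites ...
CLIENT_WITHOUT_2F_3C: List[str] = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
]
# ... and the same client after 0x3C and 0x2F have been enabled.
CLIENT_WITH_2F_3C: List[str] = CLIENT_WITHOUT_2F_3C + [
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def normalize(name: str) -> str:
    """Canonicalise a suite name: trim whitespace, spell the prefix as TLS_."""
    name = name.strip()
    return "TLS_" + name[4:] if name.startswith("SSL_") else name


def parse_connector_ciphers(server_xml: str) -> List[str]:
    """Return the suites listed in the Connector's ciphers attribute, in order."""
    match = re.search(r'ciphers="([^"]*)"', server_xml)
    if not match:
        return []
    return [normalize(n) for n in match.group(1).split(",") if n.strip()]


def suite_id(name: str) -> Optional[int]:
    """IANA identifier for a suite name, or None if it is not in the table."""
    return SUITE_IDS.get(normalize(name))


def min_tls_version(name: str) -> tuple:
    """SHA-256/SHA-384 MAC and AEAD suites only exist from TLS 1.2 onwards."""
    if name.endswith(("_SHA256", "_SHA384")) or "_GCM_" in name:
        return (1, 2)
    return (1, 0)


def shared_suites(server: List[str], client: List[str], tls_version: str = "1.2") -> List[str]:
    """Suites both sides offer that are valid at the negotiated TLS version,
    in the server's preference order."""
    version = tuple(int(x) for x in tls_version.split("."))
    client_set = {normalize(c) for c in client}
    return [s for s in server if s in client_set and min_tls_version(s) <= version]


def diagnose(server_xml: str, client: List[str], tls_version: str = "1.2") -> Dict[str, object]:
    """Summarise whether a handshake can succeed; an empty intersection is
    exactly the condition that produces 'Received fatal alert: handshake_failure'."""
    server = parse_connector_ciphers(server_xml)
    shared = shared_suites(server, client, tls_version)
    return {
        "server_suites": server,
        "shared": shared,
        "shared_ids": [f"0x{SUITE_IDS[s]:04x}" for s in shared if s in SUITE_IDS],
        "handshake_possible": bool(shared),
    }


if __name__ == "__main__":
    for label, client in (("without 2f/3c", CLIENT_WITHOUT_2F_3C), ("with 2f/3c", CLIENT_WITH_2F_3C)):
        result = diagnose(SERVER_XML, client)
        print(f"{label}: handshake_possible={result['handshake_possible']} shared={result['shared_ids']}")
```

Because the posted server.xml already contains 0x2F, the script shows that a client which merely adds that suite would agree with this server; Bob's later report that the failure persisted means the client's real ClientHello must be inspected rather than assumed. On the Java side, running RPE with -Djavax.net.debug=ssl:handshake prints the suites actually offered, and those names can be fed to diagnose() in place of the constructed lists.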



Maybe you must add the self-signed certificate of JTS into the Java keystore of RPE's Java, in jre/lib/security/cacerts.

regards
Guido

0 votes

Comments

Guido, thanks for this idea. I tried to import my self-signed certificate to the Java Keystore but apparently my certificate's password is too short! I'm not too keen on establishing a new certificate (with a longer password) and needing to roll it out to all my users. Regrettably, I won't be able to test this solution right now. 


Question asked: Aug 22 '17, 12:20 a.m.

Question was seen: 3,954 times

Last updated: Sep 15 '17, 3:26 a.m.
