After upgrading to RPE 2.1.2, SSLHandshakeException on CLM schema query
After upgrading to RPE 2.1.2, RPE cannot add a DNG data source schema to a template. My JTS 6.0.3 server, the security certificate of which is working fine elsewhere, like in Chrome, hasn't changed since before the RPE upgrade. Previous versions of RPE talked with my JTS just fine.
The text of the error is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Is anyone else running into this error? See screen capture here. (I changed the hostname in the image for privacy)
2 answers
Hi Bob,
There is a very similar problem reported recently, and it is caused by there being no shared ciphers for TLS 1.2 between IBM HTTP Server and RPE (IBMJSSE2 provider).
Ciphers in IHS: https://www.ibm.com/support/knowledgecenter/SSEQTP_8.5.5/com.ibm.websphere.ihs.doc/ihs/rihs_ciphspec.html
Ciphers in RPE: https://www.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.70.doc/security-component/jsse2Docs/ciphersuites.html
RPE does not have the ciphers 2f and 3c by default, but they can be added. Enable them and use Basic authentication, then it will work fine.
This is quite a complex problem; I would recommend contacting the IBM support team for detailed investigation.
Comments
Bob 3
commented Aug 22 '17, 2:56 a.m.
Thanks for identifying the problem, Kenji!
Is there a work instruction available on how to add 2f and 3c cipher support to RPE?
Kumaraswamy Gowda
commented Aug 22 '17, 3:23 a.m.
Thanks Kenji. Small correction...
Kumaraswamy Gowda
commented Aug 22 '17, 3:45 a.m.
Hi Bob,
Kenji Sarai
commented Aug 22 '17, 10:18 p.m.
Hi Bob, can you add the com.ibm.rational.rpe.tls12only=true parameter to the rpe-launcher.ini and rpe-studio.ini files, and give it a try? The cipher settings might be different in your environment, so it needs detailed investigation of how to set them in your IHS (httpd.conf). If the parameter above does not work, please contact the IBM support team.
Bob 3
commented Aug 22 '17, 11:06 p.m.
Kenji, thank you for this instruction. After adding the INI command, it did not change the behavior of RPE. Can you point me to any documentation on the security-related INI commands? I would like to do some troubleshooting.
Kenji Sarai
commented Aug 23 '17, 12:07 a.m.
Here is the list of all flags you can add in the ini file. However, there are not many for security.
Maybe you must add the self-signed certificate of JTS into the Java Keystore of RPE Java, in jre/lib/security/cacerts.
Comments
Bob 3
commented Sep 11 '17, 10:34 p.m.
Guido, thanks for this idea. I tried to import my self-signed certificate to the Java Keystore but apparently my certificate's password is too short! I'm not too keen on establishing a new certificate (with a longer password) and needing to roll it out to all my users. Regrettably, I won't be able to test this solution right now.
Comments
Hi Bob,
>>> After upgrading to RPE 2.1.2
What was the earlier RPE version that worked?
Thanks,
Kumar
RPE worked through version 2.1.1
How is the CLM topology? Do you use IHS and reverse proxy?
Could you try adding the -Dcom.ibm.rational.rpe.tls12only=true parameter in the rpe-launcher.ini and rpe-studio.ini files?
After adding the INI command to both INI files, it did not change the behavior of RPE. The same error was generated.
Hi Rob, we're working on it to understand what changed in RPE 2.1.2 that caused this issue. We did update JRE in RPE 2.1.2 from JRE 1.7.0.X to JRE 1.7.1.x. We're not yet able to replicate the issue.
What does JazzInstallDir\server\tomcat\conf\server.xml look like, especially the cipher content in the file?
Could you please try this?
RPE_HOME has the JRE at the path RPE_HOME\jre. Could you replace the jre contents in RPE 2.1.2 with the contents from RPE 2.1.1 and share the results with us?
Thanks,
Kumar
Kumar, here is the SSL-related excerpt from server.xml:
Hi Bob,
Did you find any workaround other than using JRE from 2.1.1?
We also published a technote http://www-01.ibm.com/support/docview.wss?uid=swg22007595 to specify the supposed cipher
Thanks,
Kumar
Kumar, my JTS' server.xml already had one of the ciphers listed in the technote (TLS_RSA_WITH_AES_128_CBC_SHA) but not the other (TLS_RSA_WITH_AES_128_CBC_SHA256). I also do not use a reverse proxy because the JTS lives on a single server. Nevertheless, RPE 2.1.2 couldn't complete the SSL handshake. The only solution that worked for me was to replace the "guts" of RPE's JVM with RPE 2.1.1's JVM.
Hi Bob,
Could you try latest milestone of RPE 6.0.5 from https://jazz.net/downloads/rational-publishing-engine? It has JRE 8 bundled within it... just wanted to check if the issue gets resolved with JRE 8.
Thanks,
Kumar
Kumar, I installed RPE 6.0.5 M4 and it encounters the same SSL handshake challenge. (Screenshot here)
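The thread traces the handshake_failure to a missing shared cipher suite between the server and RPE's bundled JRE. The following is an added diagnostic, not code from the thread or from IBM: a hypothetical class CipherCheck that reports which protocols and which of the two suites named above (2f and 3c) a given JRE enables by default. It assumes it is compiled for Java 7 and run with the java binary under RPE_HOME\jre.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Hypothetical diagnostic class (not part of RPE): reports what this JRE's
// JSSE provider can offer in a ClientHello for a given protocol.
public class CipherCheck {
    // The two suites named in the thread (IHS short names 2f and 3c).
    static final String[] WANTED = {
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA256"
    };

    // JSSE suite names may carry an SSL_ or a TLS_ prefix; compare without it.
    static Set<String> normalize(String[] suites) {
        Set<String> out = new LinkedHashSet<String>();
        for (String s : suites) {
            out.add(s.replaceFirst("^(SSL|TLS)_", ""));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Protocol to inspect; throws NoSuchAlgorithmException if unsupported.
        String protocol = args.length > 0 ? args[0] : "TLSv1.2";
        SSLContext ctx = SSLContext.getInstance(protocol);
        ctx.init(null, null, null); // provider defaults for keys, trust, RNG
        SSLParameters enabled = ctx.getDefaultSSLParameters();
        SSLParameters supported = ctx.getSupportedSSLParameters();

        System.out.println("JRE: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("Enabled protocols: "
                + Arrays.toString(enabled.getProtocols()));

        Set<String> on = normalize(enabled.getCipherSuites());
        Set<String> all = normalize(supported.getCipherSuites());
        for (String suite : normalize(WANTED)) { // printed without prefix
            String state = on.contains(suite) ? "enabled by default"
                    : all.contains(suite) ? "supported but not enabled"
                    : "not supported by this JRE";
            System.out.println(suite + ": " + state);
        }
    }
}
```

Running the same class file against the JRE from RPE 2.1.1 and the one from RPE 2.1.2 shows whether the default protocol or cipher lists differ between the two, which can then be compared with the ciphers configured in server.xml or httpd.conf.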