It's all about the answers!

Ask a question

Unable to connect to RTC 6.0.4 after enabling TLS 1.2 for NIST SP 800-131 changes


Gurinder Brar (112) | asked Dec 05 '17, 5:35 a.m.
retagged Jan 04 '18, 11:37 a.m. by Ken Tessier (84117)

Hi Team,
After upgrading from RTC 5.0.2 to RTC 6.0.4, my instance is working fine.However when I apply the TLSv1.2 changes to the server as well as the client i am not able to connect.
Changes in server done as per this post https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/t_enable_tls1.2_liberty.html
Added this line to RTC client : -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2
The server log shows below errors:

[12/5/17 14:36:00:842 IST] 000001de com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker     E CWWKO0801E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        at com.ibm.jsse2.ab.B(ab.java:526)
        at com.ibm.jsse2.nc.b(nc.java:294)
        at com.ibm.jsse2.nc.c(nc.java:458)
        at com.ibm.jsse2.nc.wrap(nc.java:106)
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:39)
        at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:716)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.readyInbound(SSLConnectionLink.java:552)
        at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:325)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
        at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:504)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:574)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:929)
        at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1018)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1157)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:627)
        at java.lang.Thread.run(Thread.java:809)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
        at com.ibm.jsse2.j.a(j.java:16)
        at com.ibm.jsse2.nc.a(nc.java:497)
        at com.ibm.jsse2.ab.a(ab.java:185)
        at com.ibm.jsse2.ab.a(ab.java:536)
        at com.ibm.jsse2.cb.a(cb.java:727)
        at com.ibm.jsse2.cb.a(cb.java:355)
        at com.ibm.jsse2.ab.t(ab.java:383)
        at com.ibm.jsse2.ab$1.a(ab$1.java:4)
        at com.ibm.jsse2.ab$1.run(ab$1.java:3)
        at java.security.AccessController.doPrivileged(AccessController.java:488)
        at com.ibm.jsse2.ab$c_.run(ab$c_.java:3)
        at com.ibm.ws.channel.ssl.internal.SSLUtils.handleHandshake(SSLUtils.java:774)
        ... 11 more



Comments
Daniel Barbour commented Dec 06 '17, 11:57 a.m. | edited Jan 04 '18, 9:02 p.m.

Interesting - This is not an 'answer' but I will supplement the original question with the following observation from my system :

I made the changes noted by the referenced link and the server startup did not finish on my installation (it is 6.0.4 iFix004a with an All-In-One topology containing: JTS, RM, CCM, QM, LDX, GC, LQE, RS, and DCC and using Microsoft SQL Server as the DBMS, the OS is Windows Server 2012 R2).  While I was still able to log in to the Jazz Team Server after making the noted changes to server.startup.bat and to the server.xml files, I was not able to access any applications or their projects.

The console log reported the following problem which appears to indicate that CLM is still trying to use the SSL protocol - in the face of the other changes (which require TLS1.2 to be used) an error is correctly raised.  The question remains - what are the missing instructions that will ensure the CLM applications actually USE TLS1.2?

From console.log:
[ERROR   ] SRVE0283E: Exception caught while initializing context: java.lang.RuntimeException: CRLQE0436E Link Index Provider context initialization failed. Application will be unavailable
    at com.ibm.team.jis.lqe.LQServletContextListener.contextInitialized(LQServletContextListener.java:172)
    at com.ibm.ws.webcontainer.webapp.WebApp.notifyServletContextCreated(WebApp.java:2420)
    at [internal classes]
Caused by: java.io.IOException: CRLQE0424E An error occured instantiating database, Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Only TLS1.2 protocol can be enabled in SP800_131 strict mode". ClientConnectionId:406e2fed-2ec3-486b-8b54-a6ad5311ac96).
    at com.ibm.team.integration.lqe.lib.jdbc.JDBCUtilities.createDataSourceFromProperties(JDBCUtilities.java:584)
    at com.ibm.team.integration.lqe.lib.jdbc.JDBCUtilities.lookupDataSource(JDBCUtilities.java:345)
    at com.ibm.team.jis.lqe.AppInitializer.initialize(AppInitializer.java:286)
    at com.ibm.team.jis.lqe.LQServletContextListener.contextInitialized(LQServletContextListener.java:152)
    ... 2 more
Caused by: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Only TLS1.2 protocol can be enabled in SP800_131 strict mode". ClientConnectionId:406e2fed-2ec3-486b-8b54-a6ad5311ac96)
    at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549)
    at org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388)
    at org.apache.commons.dbcp.BasicDataSource.getLogWriter(BasicDataSource.java:1098)
    at org.apache.commons.dbcp.BasicDataSourceFactory.createDataSource(BasicDataSourceFactory.java:350)
    at com.ibm.team.integration.lqe.lib.jdbc.JDBCUtilities.createDataSourceFromProperties(JDBCUtilities.java:508)
    ... 5 more
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Only TLS1.2 protocol can be enabled in SP800_131 strict mode". ClientConnectionId:406e2fed-2ec3-486b-8b54-a6ad5311ac96
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:1669)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1668)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:1325)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:993)
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:829)
    at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:1012)
    at org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:38)
    at org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)
    at org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:1556)
    at org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1545)
    ... 9 more
Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode
    at com.ibm.jsse2.pb.a(pb.java:6)
    at com.ibm.jsse2.pb.b(pb.java:29)
    at com.ibm.jsse2.pb.<init>(pb.java:77)
    at com.ibm.jsse2.qc.a(qc.java:68)
    at com.ibm.jsse2.qc.<init>(qc.java:194)
    at com.ibm.jsse2.SSLSocketFactoryImpl.createSocket(SSLSocketFactoryImpl.java:1)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1606)
    ... 17 more

One answer



permanent link
Donald Nong (14.3k213) | answered Jan 04 '18, 10:08 p.m.

I have followed the instructions in the document and had no problems with running the CLM server in TLSv1.2 protocol.

There seems to be confusion and I will try to clear things up.
1. In Gurinder's case, if the RTC Eclipse client cannot connect to a TLSv1.2 enabled server, you should check the eclipse.ini file for proper configuration, and the .log file in the current workspace for any errors reported on the SSL connection.
2. The stack trace does not appear to be related to the issue in hand. If it does, you need to find out why TLSv1 (instead of TLSv1.2) is picked - JVM does not randomly choose an SSL protocol. If the stack trace is related to any threads initiated by Liberty itself (connecting back to itself), you may need to add a server.env file as described in the below document.
https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.wlp.nd.doc/ae/twlp_sec_nist.html
3. Daniel's case is quite different as the error is reported by MS SQL Server JDBC driver - that is, the SSL connection is from the CLM Server, to the SQL Server. This is an outbound issue, and CLM Server (Liberty) is acting as a client in this case. I have no experience of setting up TLSv1.2 on SQL Server so I cannot offer any suggestions here, rather than double check the SQL Server's configuration. Probably it needs to be set to SP800_131 strict mode as well?

Your answer


Register or to post your answer.