
RTC Migration 5.0.1 to 6.0.4 with tomcat -> ssl_error_no_cypher_overlap


Thomas Vogel (111) | asked Jan 15 '18, 4:16 a.m.

Hello,
after the migration of RTC 5.0.1 to 6.0.4,
the following error occurs in the browser (Chrome, Firefox, IE):

ssl_error_no_cypher_overlap

The error was described at the end of the Migration Guide, but I don't know what I have to do.

Here is the part of the Guide:
"Regenerate your self-signed keystore: Your previous version self-signed certificate might not work after you upgrade because of the potential cypher changes in the new version. If you are not able to login to the server after the upgrade with the following error: ssl_error_no_cypher_overlap, you might just need to regenerate your self-signed keystore by using the newer JDK that is bundled with the product. "

Thanks for your help

2 answers



Ralph Schoon (63.3k33646) | answered Jan 15 '18, 8:14 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

This refers to the security certificate for the application server. You either have to get a valid signed one and install it

https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/c_server_certificates.html

or create a self-signed certificate, as described here: https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/t_install_server_certificates.html

You have to basically do one of these because of all the changes to SSL due to the security issues with SSL in the last.


Donald Nong (14.5k614) | answered Jan 16 '18, 1:03 a.m.

It's the first time I saw this instruction and it makes little sense to me.

If the error "ssl_error_no_cypher_overlap" is to be trusted, I believe it means that you have chosen a weaker cipher suite than required, which is blocked by modern browsers. Do you have this problem with the original Tomcat server?

You can try to change the cipher suite to be the same as the default Liberty setting in CLM 6.0.4, assuming you are using the bundled JRE.

In your Tomcat server.xml, you should see

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

and change it to

ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"

Then restart your Tomcat server.
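
A way to check a Tomcat `server.xml` for the deprecated suites discussed in the answer above, as an added example that is not part of the original posts. The function name `audit_connectors`, the XML skeleton and the port value are constructed for illustration; only the two cipher lists are taken from the answer.

```python
import xml.etree.ElementTree as ET

# Substrings that mark deprecated algorithms in JSSE-style cipher suite names.
WEAK_MARKERS = {
    "_RC4_": "RC4 (prohibited in TLS by RFC 7465)",
    "_3DES_": "3DES (64-bit block cipher)",
    "_MD5": "MD5-based MAC",
}

def audit_connectors(server_xml):
    """Return one report per <Connector> that carries a ciphers attribute."""
    reports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("ciphers")
        if raw is None:
            continue  # no explicit cipher list on this connector
        suites = [s.strip() for s in raw.split(",") if s.strip()]
        weak = {}
        for suite in suites:
            reasons = [why for marker, why in WEAK_MARKERS.items() if marker in suite]
            if reasons:
                weak[suite] = reasons
        ephemeral = [s for s in suites if "_DHE_" in s or "_ECDHE_" in s]
        reports.append({"port": conn.get("port"), "suites": suites,
                        "weak": weak, "ephemeral": ephemeral})
    return reports

# Constructed sample: a minimal server.xml skeleton (assumed layout and port);
# only the cipher lists come from the answer above.
TEMPLATE = ('<Server><Service name="Catalina">'
            '<Connector port="9443" SSLEnabled="true" ciphers="{}"/>'
            '</Service></Server>')
OLD_LIST = ("SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, "
            "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
            "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA")
NEW_LIST = ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, "
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "
            "TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, "
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256")

if __name__ == "__main__":
    for label, ciphers in (("old", OLD_LIST), ("new", NEW_LIST)):
        for r in audit_connectors(TEMPLATE.format(ciphers)):
            print(f"{label}: port {r['port']}, {len(r['suites'])} suites, "
                  f"{len(r['weak'])} weak, {len(r['ephemeral'])} with (EC)DHE")
            for suite, reasons in r["weak"].items():
                print(f"  WEAK {suite}: {'; '.join(reasons)}")
```

The check only inspects suite names in the configuration; whether the JRE running Tomcat actually supports each listed suite has to be verified on the server itself.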


