Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

RTC Migration 5.0.1 to 6.0.4 with Tomcat -> ssl_error_no_cypher_overlap

Hello,
after the migration of RTC 5.0.1 to 6.0.4, the following error occurs in the browser (Chrome, Firefox, IE):

ssl_error_no_cypher_overlap

The error was described at the end of the Migration Guide, but I don't know what I have to do.

Here is the part of the guide:
"Regenerate your self-signed keystore: Your previous version self-signed certificate might not work after you upgrade because of the potential cypher changes in the new version. If you are not able to login to the server after the upgrade with the following error: ssl_error_no_cypher_overlap, you might just need to regenerate your self-signed keystore by using the newer JDK that is bundled with the product. "

Thanks for your help.

0 votes



2 answers


This refers to the security certificate for the application server. You either have to get a valid signed one and install it

https://www.ibm.com/support/knowledgecenter/SSYMRC_6.0.4/com.ibm.jazz.install.doc/topics/c_server_certificates.html

or create a self-signed certificate, as described here: https://jazz.net/help-dev/clm/topic/com.ibm.jazz.install.doc/topics/t_install_server_certificates.html

You have to basically do one of these because of all the changes to SSL due to the security issues with SSL in the last.

0 votes



It's the first time I saw this instruction and it makes little sense to me.

If the error "ssl_error_no_cypher_overlap" is to be trusted, I believe it means that you have chosen a weaker cipher suite than required, which is blocked by modern browsers. Do you have this problem with the original Tomcat server?

You can try to change the cipher suite to be the same as the default Liberty setting in CLM 6.0.4, assuming you are using the bundled JRE.

In your Tomcat server.xml, you should see

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

and change it to
ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256"

Then restart your Tomcat server.



0 votes
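Added example (not part of the original thread or of IBM's documentation): a Python check that reads the `ciphers` attribute from a Tomcat `server.xml` and sorts each suite into weak, unusable with the keystore's key type, or usable, which ties the keystore advice in the guide to the cipher list change in the answer above. The sample connector, its port, the weak-primitive markers and all function names are constructed for illustration; the two cipher lists are the ones quoted in the answer, and the key type is supplied by the caller.

```python
import xml.etree.ElementTree as ET

# Constructed sample connector; the ciphers value is the old list quoted in the answer.
OLD_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
 ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
</Service></Server>"""

# The replacement list quoted in the same answer.
NEW_CIPHERS = ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "
               "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
               "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256")

# Assumption for this example: suites built on these primitives are flagged for removal.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_")

def split_suites(raw):
    """Turn a comma-separated ciphers= value into a clean list of suite names."""
    return [s.strip() for s in raw.split(",") if s.strip()]

def is_weak(suite):
    return any(m in suite for m in WEAK_MARKERS) or suite.endswith("_MD5")

def suite_auth(suite):
    """Key type the server certificate must have for this suite: EC, DSA, RSA or None."""
    key_exchange = suite.split("_WITH_")[0]
    for suffix, key_type in (("ECDSA", "EC"), ("DSS", "DSA"), ("RSA", "RSA")):
        if key_exchange.endswith(suffix):
            return key_type
    return None  # anonymous or unrecognised suite

def classify(suites, key_alg):
    """Sort suites into weak, key_mismatch (wrong key type) and usable."""
    out = {"weak": [], "key_mismatch": [], "usable": []}
    for s in suites:
        if is_weak(s):
            out["weak"].append(s)
        elif suite_auth(s) != key_alg:
            out["key_mismatch"].append(s)
        else:
            out["usable"].append(s)
    return out

def audit_server_xml(server_xml, key_alg):
    """Classify the ciphers of every Connector in server.xml that sets ciphers=."""
    root = ET.fromstring(server_xml)  # local, admin-owned config file
    return {c.get("port"): classify(split_suites(c.get("ciphers")), key_alg)
            for c in root.iter("Connector") if c.get("ciphers")}

if __name__ == "__main__":
    print(audit_server_xml(OLD_SERVER_XML, "RSA"))
    print(classify(split_suites(NEW_CIPHERS), "DSA"))
```

An empty `usable` list means the connector has nothing left to negotiate with that key type, which is the condition a browser reports as a missing cipher overlap.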

Question asked: Jan 15 '18, 4:16 a.m.

Question was seen: 2,553 times

Last updated: Jan 16 '18, 1:03 a.m.
