
How to make CLM application connect to DB on TCPS port


vivek vijayan (1516) | asked Mar 15 '18, 4:42 a.m.
edited Mar 16 '18, 3:26 a.m. by Fariz Saracevic (919613)

We are using CLM 6.0.3 with Liberty profile and Oracle DB 12c for our applications.

Java.runtime= Java™ SE Runtime Environment (pxa6470_27sr3fp40-201604220_01 (SR3 FP40))
our IBM clm applications are hosted on Websphere Liberty Server 8.5.5.9 (wlp-1.0.12.cl50920160227-1523)

java version - 1.7.0_75
ojdbc driver-ojdbc7.jar

Implementation setup




We want to enable mutual ssl authentication with DB server to application.

Steps followed.

We are using the default keystore of the Liberty profile, where we imported the DB certificate, and we also extracted the application certificate and imported the same into the Oracle DB wallet.

We are using the default server.xml file, startup file and java.security files. To make this tcps communication work, where exactly do we need to make changes?






Issue details




We are able to connect to the DB through the tcp string, but not able to connect with the tcps string.

           tcp string – thin:jts-user/{password}@//192.168.100.216:1521/vmtestdb
           tcps String - thin:jts_user/{password}@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=192.168.100.216)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=vmtestdb)))

           
           
Error Code:-




Caused by: oracle.net.ns.NetException: The Network Adapter could not establish the connection
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:445)
    at oracle.net.resolver.AddrResolution.resolveAndExecute(AddrResolution.java:464)
    at oracle.net.ns.NSProtocol.establishConnection(NSProtocol.java:594)
    at oracle.net.ns.NSProtocol.connect(NSProtocol.java:229)
    at oracle.jdbc.driver.T4CConnection.connect(T4CConnection.java:1360)
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:486)
    ... 80 more
Caused by: oracle.net.ns.NetException: The ssl protocol specified is not supported.
    at oracle.net.nt.TcpsConfigure.configureVersion(TcpsConfigure.java:179)
    at oracle.net.nt.TcpsNTAdapter.setSSLSocketOptions(TcpsNTAdapter.java:253)
    at oracle.net.nt.TcpsNTAdapter.connect(TcpsNTAdapter.java:172)
    at oracle.net.nt.ConnOption.connect(ConnOption.java:133)
    at oracle.net.nt.ConnStrategy.execute(ConnStrategy.java:411)
    ... 85 more
Caused by: java.lang.IllegalArgumentException: SSLv2Hello is not a recognized protocol.
    at com.ibm.jsse2.pb.a(pb.java:105)
    at com.ibm.jsse2.pb.b(pb.java:96)
    at com.ibm.jsse2.pb.<init>(pb.java:115)
    at com.ibm.jsse2.qc.setEnabledProtocols(qc.java:805)
    at oracle.net.nt.TcpsConfigure.configureVersion(TcpsConfigure.java:175)           
                      
           
For reproducing the issue, we will get the same error when we put tcps string to connect the db.
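
A small JSSE probe for the failure in the trace above, added here as an example (it is not part of the original post and is not IBM or Oracle code). Run with the same JRE that Liberty uses, it lists the protocol names the JSSE provider supports and repeats the `setEnabledProtocols` call for each name; the class name `JsseProtocolProbe` and the candidate list are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

public class JsseProtocolProbe {
    // Names to check (assumed list); SSLv2Hello is the one rejected in the trace.
    static final String[] CANDIDATES =
            {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine engine = ctx.createSSLEngine();
        List<String> supported = Arrays.asList(engine.getSupportedProtocols());

        // Identify the runtime and JSSE provider actually in use.
        System.out.println("java.vendor     = " + System.getProperty("java.vendor"));
        System.out.println("java.version    = " + System.getProperty("java.version"));
        System.out.println("JSSE provider   = " + ctx.getProvider());
        System.out.println("supported       = " + supported);
        System.out.println("enabled default = "
                + Arrays.toString(engine.getEnabledProtocols()));
        // May print null on runtimes that do not define this security property.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));

        for (String name : CANDIDATES) {
            boolean listed = supported.contains(name);
            try {
                // Same API call that throws in the trace (setEnabledProtocols).
                ctx.createSSLEngine().setEnabledProtocols(new String[] {name});
                System.out.printf("%-10s listed=%-5b accepted%n", name, listed);
            } catch (IllegalArgumentException e) {
                // Some providers also refuse SSLv2Hello when it is the only
                // protocol enabled; the message tells the two cases apart.
                System.out.printf("%-10s listed=%-5b rejected: %s%n",
                        name, listed, e.getMessage());
            }
        }
    }
}
```

A name reported as `listed=false` and rejected with "is not a recognized protocol" is one this JSSE provider does not know at all, which matches the innermost `IllegalArgumentException` in the trace.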


3 answers



Ralph Schoon (63.5k33646) | answered Mar 15 '18, 4:53 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Caused by: oracle.net.ns.NetException: The ssl protocol specified is not supported.

I would suggest to talk to Oracle support.


Comments
vivek vijayan commented Mar 15 '18, 5:49 a.m.

Hi Ralph,

So is it because of the DB server listening to the sslv2 hello port, and there is nothing to do from the application side?

We suspected that we would need to make some changes in the server.xml or server.startup file of java security.xml so as not to listen to sslv2.

Also, could you please clarify whether we need to add the oracle wallet configurations to server.xml file or server.startup file.




Ralph Schoon commented Mar 15 '18, 5:59 a.m. | edited Mar 15 '18, 6:00 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Here is what I can share:

  1. This is an open forum where users try to help other users with questions, in case they can
  2. This is not IBM Support
  3. Issues with infrastructure from other vendors should sometimes be discussed with said vendor

I cannot clarify anything, as I am not an expert in this infrastructure.

I have however seen like 5 threads around this very specific question. I am not sure if that is all from the same source. If so, I would consider this abuse of this forum.

I have not seen any resolution and repeating to ask the same question does not seem to be productive.

So please get in contact with IBM or Oracle support.


If you have an answer, I think every forum user would be happy if you share that.


vivek vijayan (1516) | answered Mar 15 '18, 6:22 a.m.

Hi Ralph,

Thanks for your advice.

We have already reached Oracle support and they confirmed that we have to disable the sslv2 listening on the application side. But we couldn't find any proper link on the net with the solution.

I believe that the Liberty profile is based on the server.xml file configuration, where we have "ssl enabled protocol = ssl",
and in server.startup file, we tried to add some additional parameters as below

JAVACMD="$JAVACMD -Ddeployment.security.SSLv2Hello=false -Ddeployment.security.SSLv3=false -Ddeployment.security.TLSv1=false -Ddeployment.security.TLSv1.1=true -Ddeployment.security.TLSv1.2=true"


but still no luck.

We hope this is something related to a JDK version and Oracle JDBC version compatibility issue.

But here we are not aware of how to make the application not listen to sslv2, which is disabled by default in JDK 1.7, or where this call is still coming from.




Comments
Ralph Schoon commented Mar 15 '18, 6:43 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Then get in contact with IBM support and file a PMR. They can escalate to development if needed.


vowner owner (25834) | answered Mar 16 '18, 8:41 a.m.

Hi Ralph,

Currently we are setting up the test environment prior to PROD and hence we don't have a license or customer ID to submit the PMR. Once the test activity is done with the configuration, we will go for the licensed version. But here we are helpless to raise a PMR.


Comments
Ralph Schoon commented Mar 16 '18, 9:38 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Get in contact with your/an IBM sales team and get in contact with support. The question has been asked so often without a definitive answer that the forum members seem not to have an answer.
