It's all about the answers!

Ask a question

Looking for technical support for RTC Jazz Build Engines


Randall Beck (2228) | asked May 20, 11:49 a.m.

 Recently, our RTC Admin enabled TLS1.2 enforcement on our RTC Source Code servers. We have been using the instructions at this URL to reconfigure our RTC Jazz Build Engines to accept the TLS1.2 protocol.


This article helped with many of our JBEs, but a few are still unable to communicate with the RTC source code servers. Consequently, we require assistance on how to remediate the remaining JBEs.

The specific error we are not able to resolve are:
"Error logging in to repository ... Remote host closed connection during handshake."

We can provide more details as needed.

Thanks.


3 answers



permanent link
Davyd Norris (6666) | answered May 20, 10:17 p.m.
Hi Randall,

The error sounds like the changes haven't been implemented correctly for those engines, especially since you've managed to get all but a few to work.

Are the ones that aren't working exactly the same as the others? If they are then I would look for small differences in the jbe.ini file, in the command line used to start them, or in the paths

permanent link
Randall Beck (2228) | answered May 21, 10:15 a.m.

  Hi Davyd,


Thank you for your response. Still not working, but I have made some forward progress in the past 24 hours. Here's what I have learned:
  1. When I added the TLS directive -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 to buildsystem/buildengine/eclipse/jbe.ini I still see the handshake failure, and the JBE fails to start.
  2. If I remove that entry from jbe.ini, and add it to buildsystem/buildengine/eclipse/jbe.sh, the JBE starts up successfully, but when it picks up a job, it fails with the message: Remote host closed connection during handshake.
  3. If the Build Definition is of type "Ant - Jazz Build Engine", I can add the string -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 to the "Java VM arguments" field on the "Ant" tab. This works, and picks up a build request successfully.
  4. Encouraged by my luck with an Ant Build Def, I was hoping there was a way to pass the TLS directive to  Build Definitions of type "Command Line", but I see no way to do that in either the "Jazz Source Control" or "Command Line" table.
In summary, here are the questions that linger:
  • Is there a way to send -Dcom.ibm.team.repository.transport.client.protocol=TLSv1.2 for a "Command Line" build definition?
  • What is different about the communication between the RTC Server and the JBE that allows the JBE to start successfully, but fails the build request? 
Thanks again.

--Randy


Comments
Davyd Norris commented May 21, 9:51 p.m.
So a couple of things:
 - from the above it appears you're using the Build System on Linux machines. Are all the engines on Linux, or are they on different OS? Are the ones that are working on the same or different?
 - did you have to do both 2 and 3 above to get the engine to work? I would have thought both were required because you need to be able to connect first and then service the jobs
 - every connection you make back to the ELM server is going to have to use TLS 1.2, so that would mean if your command line was pushing a build progress update or something, it'll need it too. Maybe that's where the job fails?
 - do you have build engine logs at all?


permanent link
Randall Beck (2228) | answered May 22, 1:06 p.m.
edited May 22, 1:26 p.m.

 Hi Davyd,

To answer your questions:

> Are all the engines on Linux, or are they on different OS?

> Are the ones that are working on the same or different?

They are all 100% Linux systems, RHEL 7.8 to be precise. What's unique about the ones that are not working is that their Build   Definition is of type "Command Line".  The RTC Build Definitions that are working are all of type "Ant - Jazz Build Engine".  This means that the same JBE will work for any build def of type Ant, and will fail for any build def of type "Command Line".

 > did you have to do both 2 and 3 above to get the engine to work?

 > I would have thought both were required because you need to be

 > able to connect first and then service the jobs

Correct. Adding the TLS1.2 string to jbe.sh is necessary and sufficient for a successful build only if the build def is of type Ant.

 > every connection you make back to the ELM server is going to have to

 > use TLS 1.2, so that would mean if your command line was pushing a

 > build progress update or something, it'll need it too. Maybe that's where

 > the job fails?

Yes, that is precisely the problem. I have not found a way to pass the TLS1.2 string using any of the tabs on the Build Definition of type "Command Line". The build def of type "Ant" allows me to pass the TLS1.2 string on the Ant tab using the "Java VM arguments" field.

In summary, I need to tell Java from a "Command Line" build def that I want to use the TLS1.2 string. I have tried setting JAVA_OPTS, but that did not work

-Randy 


Comments
Davyd Norris commented May 22, 9:28 p.m.
Do you have a command line you can share with us? The line itself and any script you're using? Obfuscate or sanitise if you have to.

What I want to see is where you're potentially communicating back to the ELM server from either the command line or the script.

The other thing to try is add the -verbose option to jbe.sh to get detailed logging

Randall Beck commented May 26, 5:48 p.m.

Hi Davyd,


Getting closer, but one question remains: 

How can I pass the Java TLS1.2 argument using a Command Line build definition?

These are the available fields:
  1. Command
  2. Arguments
  3. Working Directory
  4. Properties
  5. Environment variables
Thanks again for sticking with me.

--Randy
 


Davyd Norris commented May 26, 9:06 p.m.
This is something you will likely have to bake into your actual commands in the command line itself.

I also think there's a way to add the TLS info into the JBE running the Ant builds without having to add it into the vm arguments, but you've got that working now so we can leave it be for now.

If you can show us what is actually being executed in the command line then we may be able to spot the problem.

Another thing to try out is create a super simple command line that just returns a success or fail code and try running that. If that works then it's definitely the command line script that's being run.

Also turn on verbose reporting for the engine, and have a look at where it fails - you may find it's actually running the script but returning that error inside it somewhere

Randall Beck commented May 27, 9:57 a.m.

G'Day Davyd,


It's working now, and I cannot thank you enough for your guidance.  The solution was staring me in the face, but it took your most recent note to jar my mind.

The script that is called by the Command Line build definition is named "build.sh". The first thing this script does is checkout the source code from the SCM library.   What was missing from this script was the TLS1.2 directive, informing the extract process to use the TLS1.2 protocol. This explained why the JBE was able to start, but failed during the extract.

All needed to do was to modify "build.sh" by adding the TLS1.2 parameter. Once I did that, the build extracted the source code without issue.

Again, thanks so much for you help!

--Randy


Davyd Norris commented May 27, 8:45 p.m.

YAY!!! Awesome news mate. So glad you got it running

Your answer


Register or to post your answer.