IBM Verify


After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

  • 1.  After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Thu April 21, 2022 11:33 PM

    Post upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Any idea how we can resolve this issue? We have not seen this issue with ISAM 905 version; it happens after upgrading.

    A few people have reported similar problems, but that was while connecting to LDAP/AD.

    https://www.ibm.com/support/pages/after-configured-federated-directory-ad-using-ssltls-reverse-proxy-can-not-get-started-and-also-i-can-not-login-admin-cli-secmaster

    In my case the connection is between Client and WebSEAL.

    Any tips on how to debug this?

    Here is the packet capture trace.

    ISAM ReverseProxy IP : 192.168.136.5

    Client IP : 140.168.254.162

    Check packet : 121643



    #Support
    #SupportMigration
    #Verify


  • 2.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Thu April 21, 2022 11:46 PM

    Could not post the content of the pcap. I am getting errors where it's not accepting some of the contents of the pcap file. Any idea how to post this?



  • 3.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Thu April 21, 2022 11:46 PM

    Hello _security,

    There are documented Protocol TLS deprecations at several versions higher than ISAM 9.0.5.0.

    Specifically we have the following:

    https://www.ibm.com/docs/en/sva/10.0.1?topic=overview-whats-new-in-this-release

    In ISVA 10.0.1.0 TLS 1.1 was disabled by default.

    Please check the Client Hello in your conversation and confirm whether your client is using an outdated TLS protocol.

    Furthermore, specifically in ISVA 10.0.3.0 the Key Database format changed from 'KDB' to 'p12' format and the 'p12' format does not have a 'Default' certificate.

    This means that if the value specified in the entry 'webseal-cert-keyfile-label' that resides in the keystore specified by the value of entry 'webseal-cert-keyfile' is expired, the Proxy will not return a certificate.

    You must explicitly specify a valid certificate for the value of 'webseal-cert-keyfile-label' as of ISVA 10.0.3.0+ or the Reverse Proxy will terminate TLS connections because it does not have a valid certificate to present.

    Furthermore, all signer certificates must be present for the certificate specified in the entry 'webseal-cert-keyfile-label'.

    Please check your keystores and configuration.



  • 4.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Fri April 22, 2022 12:08 AM

    Thanks for the initial response.

    The 3-way handshake is successful and I see ISAM RP is responding to Client Hello.

    I also see "Application Data" being sent Client<-->RP.

    After upgrading to latest version the RP still has below config:

    disable-tls-v1 = no

    disable-tls-v11 = no

    disable-tls-v12 = no

    Handshake Protocol : Client Hello has below.

    Version: TLS 1.2 (0x0303)



    #Support
    #SupportMigration
    #Verify
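
Added example, not part of any post in this thread: a small TLS record walker in Python for the two things posts 3 and 4 look at in the capture, namely the version the Client Hello offers and whether the alert arrives before or after ChangeCipherSpec. It assumes TLS 1.2 or earlier and one direction of the TCP stream already reassembled; `walk_records`, `record` and the sample bytes are constructed for illustration.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
ALERTS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
          45: "certificate_expired", 48: "unknown_ca", 70: "protocol_version"}

def walk_records(stream: bytes) -> list:
    """Describe each TLS record sent by ONE peer (one direction of the TCP stream)."""
    out, offset, encrypted = [], 0, False
    while offset + 5 <= len(stream):
        # Record header: content type (1 byte), version (2), length (2)
        ctype, _version, length = struct.unpack_from("!BHH", stream, offset)
        body = stream[offset + 5 : offset + 5 + length]
        if len(body) < length:
            out.append("truncated record")
            break
        offset += 5 + length
        name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
        if ctype == 20:
            encrypted = True  # TLS <= 1.2: this peer's later records are encrypted
            out.append(name)
        elif ctype == 22 and not encrypted and body[:1] == b"\x01" and len(body) >= 6:
            # ClientHello: type (1), length (3), then the 2-byte client_version
            (offered,) = struct.unpack_from("!H", body, 4)
            out.append(f"ClientHello offering {VERSIONS.get(offered, hex(offered))}")
        elif ctype == 21 and not encrypted and length == 2:
            level = "fatal" if body[0] == 2 else "warning"
            out.append(f"alert {level}/{ALERTS.get(body[1], body[1])}")
        elif ctype == 21 and encrypted:
            # What Wireshark labels "Encrypted Alert": level and description are hidden
            out.append("encrypted alert (needs session keys to read)")
        else:
            out.append(f"encrypted {name}" if encrypted else name)
    return out

def record(ctype: int, body: bytes, version: int = 0x0303) -> bytes:
    return struct.pack("!BHH", ctype, version, len(body)) + body

# Constructed sample bytes (not taken from the poster's capture); payloads are zero filler.
_hello = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
CLIENT_STREAM = (record(22, b"\x01" + len(_hello).to_bytes(3, "big") + _hello, 0x0301)
                 + record(20, b"\x01") + record(22, bytes(40)) + record(23, bytes(64)))
SERVER_STREAM = (record(22, b"\x02" + bytes(40)) + record(20, b"\x01")
                 + record(22, bytes(40)) + record(23, bytes(64)) + record(21, bytes(26)))

if __name__ == "__main__":
    for label, stream in (("client", CLIENT_STREAM), ("server", SERVER_STREAM)):
        print(label, walk_records(stream))
```

Once a peer has sent ChangeCipherSpec its alerts are encrypted, so an "Encrypted Alert" can be an ordinary close_notify as well as a fatal error; telling them apart needs the session keys or the sender's own logs.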


  • 5.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Fri April 22, 2022 12:22 AM

    I have also checked below properties and they do have "correct values".

    webseal-cert-keyfile

    webseal-cert-keyfile-stash

    webseal-cert-keyfile-label


    The SSL keystore is accessible and has the required Signer certificates.



  • 6.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Fri April 22, 2022 03:09 PM

    Hello Ajay,


    Then the next thing it could be is a new setting added at ISAM 9.0.7.0:

    https://www.ibm.com/support/pages/isam-reverse-proxy-returning-rst-packets-https-persistent-connections-after-upgrade-v907x


    Please review the technical document.


    If you need further assistance you need to open a support case.



  • 7.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Mon April 25, 2022 11:51 PM

    The case was already open a week ago.


    This property has done the trick. Thanks for helping.




  • 8.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Tue April 26, 2022 12:00 AM

    Hello Ajay,


    Please update the case and indicate that the issue is resolved so we may close it out and I can put the solution in the case.



  • 9.  RE: After upgrading from ISAM 9.0.5 to 10.0.3.1, ISAM Reverse Proxy is sending "Encrypted Alert" signal to client causing abrupt termination of connection.

    Posted Tue April 26, 2022 12:07 AM

    The case is already updated. I have pasted the tech note details into it and informed the concerned L2. Below is the case ID: TS009094262



