IBM webMethods Hybrid Integration

IBM webMethods Hybrid Integration

Join this online group to communicate across IBM product users and experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  webMethods 9.10 TLS 1.2 configuration problem

    Posted Mon May 01, 2017 11:31 PM

    We tested version 9.10 ,JDK 1.8, send message by TN use TLS 1.2 protocol, send failure, according to Alert Fatal: handshake failure;
    When using TLS 1.0 protocol, can correct to send and receive messages. Who know where is wrong?

    Extended Setting:

    watt.config.systemProperties=javax.net.debug=ssl
    watt.net.jsse.client.enabledCipherSuiteList=default
    watt.net.jsse.client.enabledProtocols=TLSv1.2
    watt.net.jsse.server.enabledCipherSuiteList=default
    watt.net.jsse.server.enabledProtocols=TLSv1.2
    watt.net.ssl.client.cipherSuiteList=default
    watt.net.ssl.client.strongcipheronly=false
    watt.net.ssl.server.cipherSuiteList=default
    watt.net.ssl.server.strongcipheronly=false
    watt.net.ssl.client.handshake.minVersion=tls
    watt.ssl.iaik.debug=true
    watt.net.ssl.client.useJSSE=true

    Debug logs:

    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Starting handshake (iSaSiLk 3.03)…
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Remote client:10.147.139.137:443, Timestamp:Tue Apr 18 14:30:39 CST 2017
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Sending secure renegotiation cipher suite
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Sending v3 client_hello message, requesting version 3.1…
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Received alert message: Alert Fatal: handshake failure
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): SSLException while handshaking: Peer sent alert: Alert Fatal: handshake failure
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Shutting down SSL layer…
    INFO | jvm 1 | 2017/04/18 14:30:39 | ssl_debug(1): Closing transport…

    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, received EOFException: error
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, WRITE: TLSv1.2 Alert, length = 2
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called closeSocket()
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called close()
    INFO | jvm 1 | 2017/04/18 15:47:17 | http-bio-8074-exec-2, called closeInternal(true)


    #Integration-Server-and-ESB
    #webMethods


  • 2.  RE: webMethods 9.10 TLS 1.2 configuration problem

    Posted Tue May 02, 2017 08:23 AM

    Sounds like certificate issue to me. Make sure if required keys (public key) added to keystores/truststores


    #webMethods
    #Integration-Server-and-ESB


  • 3.  RE: webMethods 9.10 TLS 1.2 configuration problem

    Posted Tue May 02, 2017 08:35 AM

    Hello Sherry,

    From the error message it looks like your target system is not accepting TLS1.2

    Can you please check once?

    Thanks,
    Yogesh


    #webMethods
    #Integration-Server-and-ESB


  • 4.  RE: webMethods 9.10 TLS 1.2 configuration problem

    Posted Tue May 02, 2017 10:23 AM

    Hi,

    please note that TLS v1.1 and TLS v1.2 are only available when using JSSE for inbound or outbound connections.

    When JSSE is not used only TLS v1.0 will be available.

    This is due to the fact that the properties watt.net.ssl.client.handshake.minVersion=tls and watt.net.ssl.client.handshake.maxVersion=tls will both using TLS v1.0. The underlying Entrust library is not yet aware of the newer TLS v1.1.and TLS v1.2 protocol version.

    Addnedum please check for the following wiki ariticle:
    https://techcommunity.softwareag.com/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server

    This explains how to debug and which versions are supported by each library (Entrust IAIK or JSSE):
    https://techcommunity.softwareag.com/pwiki/-/wiki/Main/Debugging+TLS+SSL+connections+in+Integration+Server

    Regards,
    Holger


    #Integration-Server-and-ESB
    #webMethods


  • 5.  RE: webMethods 9.10 TLS 1.2 configuration problem

    Posted Wed May 03, 2017 07:26 AM

    Keystores/truststores configuration is correct. Because TLS1.0 can send success.


    #webMethods
    #Integration-Server-and-ESB


  • 6.  RE: webMethods 9.10 TLS 1.2 configuration problem

    Posted Wed May 03, 2017 07:47 AM

    Delete all settings similar to iaik, or reported the following error. Why to enable iaik?

    Delivery service for 5972sa00bf6ora5m0000000q failed with a status of fail and status message of ERROR iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

    SSL logs:

    INFO | jvm 5 | 2017/05/03 17:09:22 | Allow unsafe renegotiation: false
    INFO | jvm 5 | 2017/05/03 17:09:22 | Allow legacy hello messages: true
    INFO | jvm 5 | 2017/05/03 17:09:22 | Is initial handshake: true
    INFO | jvm 5 | 2017/05/03 17:09:22 | Is secure renegotiation: false
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-Acceptor-0, setSoTimeout(60000) called
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, received EOFException: error
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, SEND TLSv1.2 ALERT: fatal, description = handshake_failure
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, WRITE: TLSv1.2 Alert, length = 2
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called closeSocket()
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called close()
    INFO | jvm 5 | 2017/05/03 17:09:22 | http-bio-8074-exec-23, called closeInternal(true)

    Extended Settings:

    watt.config.systemProperties=javax.net.debug=ssl
    watt.net.jsse.client.enabledCipherSuiteList=default
    watt.net.jsse.client.enabledProtocols=TLSv1.2
    watt.net.jsse.server.enabledCipherSuiteList=default
    watt.net.jsse.server.enabledProtocols=TLSv1.2
    watt.net.ssl.client.useJSSE=true


    #webMethods
    #Integration-Server-and-ESB


Related Content