APAR status
Closed as program error.
Error description
The https advisor uses java the IBM JSSE provider to establish secure connections to the servers. Starting with java 8.0.7.0, the Client Hello packets that java creates and sends to the servers are not valid and cause handshake failures.
Local fix
Problem summary
**************************************************************** * USERS AFFECTED: IBM WebSphere Load Balancer, Caching * * Proxy CBR load balancing, and Site * * Selector * **************************************************************** * PROBLEM DESCRIPTION: The HTTPS and LDAPS advisor show -1 * * for the load on all servers. The * * advisor log reports * * SSLHandshakeException. * **************************************************************** * RECOMMENDATION: * **************************************************************** 1) The https advisor or ldaps advisor report loads of -1 on all servers. 2) Advisor log reports exceptions: createSocket(): Exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: decode_error createSocket(): Error connecting 3)The server.log reports java level 8.0.7.0 or higher. For example: SRV: Java Version: 8.0.7.5 - pap6480sr7fp5-20220208_01(SR7 FP5) 4) A network trace shows Client Hello with protocol SSLv2 but internal protocol shows TLS1.3; server responds with SSL Alert; no Server Hello is observed.
Problem conclusion
Starting with java 8.0.7.0, the protocol set in the SSLContext object is propagated to the sockets opened under that context. The advisors specify TLS 1.2 in the SSLContext. The sockets opened under that context indicate support for TLS1.3, SSLv3, and SSLv2Hello in addition to the supported protocols. The advisors previously enabled all supported protocols on the socket but code was modified to only enable TLS protocols equal to or less than the protocol level set in the SSLContext. Fix levels: 8.5.5.22 9.0.5.13
Temporary fix
Comments
APAR Information
APAR number
PH46229
Reported component name
WS EDGE LB IPV4
Reported component ID
5724H8812
Reported release
900
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-05-08
Closed date
2022-05-11
Last modified date
2022-05-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WS EDGE LB IPV4
Fixed component ID
5724H8812
Applicable component levels
[{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"900"}]
Document Information
Modified date:
12 May 2022