IBM Support

PH46229: HTTPS ADVISOR FAILS TO OPEN SECURE CONNECTION WITH JAVA 8.0.7.0 AND HIGHER


APAR status

  • Closed as program error.

Error description

  • The HTTPS advisor uses the Java IBM JSSE provider to establish
    secure connections to the servers. Starting with Java 8.0.7.0,
    the Client Hello packets that Java creates and sends to the
    servers are not valid and cause handshake failures.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Load Balancer, Caching        *
    *                  Proxy CBR load balancing, and Site          *
    *                  Selector                                    *
    ****************************************************************
    * PROBLEM DESCRIPTION: The HTTPS and LDAPS advisors show -1    *
    *                      for the load on all servers. The        *
    *                      advisor log reports                     *
    *                      SSLHandshakeException.                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    
    1) The https advisor or ldaps advisor report loads of -1 on
    all servers.
    2) Advisor log reports exceptions:
    createSocket(): Exception:
    javax.net.ssl.SSLHandshakeException: Received fatal alert:
    decode_error
    createSocket(): Error connecting
    3) The server.log reports java level 8.0.7.0 or higher. For
    example: SRV: Java Version: 8.0.7.5 -
    pap6480sr7fp5-20220208_01(SR7 FP5)
    4) A network trace shows Client Hello with protocol SSLv2 but
    internal protocol shows TLS1.3; server responds with SSL
    Alert; no Server Hello is observed.
    

Problem conclusion

  • Starting with java 8.0.7.0, the protocol set in the SSLContext
    object is propagated to the sockets opened under that context.
    The advisors specify TLS 1.2 in the SSLContext. The sockets
    opened under that context indicate support for TLS1.3, SSLv3,
    and SSLv2Hello in addition to the supported protocols.
    
    The advisors previously enabled all supported protocols on the
    socket; the code was modified to enable only TLS protocols
    equal to or less than the protocol level set in the SSLContext.
    
    Fix levels:
    8.5.5.22
    9.0.5.13
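
The protocol restriction described in this conclusion, sketched as an added example (this is not IBM's advisor code): the class and method names are hypothetical and the advertised protocol list is a constructed sample. Only standard JSSE calls are used.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

public class AdvisorProtocolFilter {
    // TLS versions in ascending order; SSLv3 and SSLv2Hello are deliberately absent,
    // so they can never pass the filter.
    private static final List<String> TLS_ORDER =
            Arrays.asList("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3");

    /** Keep only TLS protocols at or below the level named by the SSLContext. */
    static String[] tlsAtOrBelow(String[] candidates, String contextProtocol) {
        int ceiling = TLS_ORDER.indexOf(contextProtocol);
        if (ceiling < 0) {
            // A generic name such as "TLS" gives no ceiling to filter against.
            throw new IllegalArgumentException("Not a specific TLS version: " + contextProtocol);
        }
        List<String> keep = new ArrayList<>();
        for (String p : candidates) {
            int rank = TLS_ORDER.indexOf(p);
            if (rank >= 0 && rank <= ceiling) {
                keep.add(p);
            }
        }
        if (keep.isEmpty()) {
            throw new IllegalStateException("No TLS protocol at or below " + contextProtocol);
        }
        return keep.toArray(new String[0]);
    }

    /** Apply the filter to a socket before the handshake starts. */
    static void restrict(SSLSocket socket, SSLContext context) {
        socket.setEnabledProtocols(
                tlsAtOrBelow(socket.getSupportedProtocols(), context.getProtocol()));
    }

    public static void main(String[] args) {
        // Constructed sample: protocol names a socket might advertise, including
        // the three the APAR names (TLSv1.3, SSLv3, SSLv2Hello).
        String[] advertised = {"TLSv1.3", "TLSv1.2", "TLSv1.1", "TLSv1", "SSLv3", "SSLv2Hello"};
        System.out.println(Arrays.toString(tlsAtOrBelow(advertised, "TLSv1.2")));
    }
}
```

Calling `restrict` on each socket before `startHandshake()` keeps the Client Hello from offering SSLv2Hello framing or a version above the one set in the context.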
    

Temporary fix

Comments

APAR Information

  • APAR number

    PH46229

  • Reported component name

    WS EDGE LB IPV4

  • Reported component ID

    5724H8812

  • Reported release

    900

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2022-05-08

  • Closed date

    2022-05-11

  • Last modified date

    2022-05-11

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WS EDGE LB IPV4

  • Fixed component ID

    5724H8812

Applicable component levels


Document Information

Modified date:
12 May 2022