APAR status
Closed as program error.
Error description
[1/15/24 12:03:38:817 PST] 00000001 JSSEHelper < The following exception occurred in getSSLContext(). Exit
java.lang.IllegalArgumentException: Only TLS1.0/TLS1.1/TLS1.2 protocol can be enabled when SP800_131 transition mode or IBMJSSE2 enabled to run in FIPS mode
    at com.ibm.jsse2.bf$l.<clinit>(bf$l.java:7)
    at java.lang.Class.forNameImpl(Native Method)
    at java.lang.Class.forName(Class.java:340)
    at java.security.Provider$Service.getImplClass(Provider.java:1645)
    at java.security.Provider$Service.newInstance(Provider.java:1603)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:248)
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:176)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:13)
    at com.ibm.ws.ssl.config.SSLConfigManager.addTLS13(SSLConfigManager.java:3742)
    at com.ibm.ws.ssl.config.SSLConfigManager.checkSSLProtocolInList(SSLConfigManager.java:3767)
    at com.ibm.ws.ssl.config.SSLConfigManager.parseSecureSocketLayer1(SSLConfigManager.java:1470)
    at com.ibm.ws.ssl.config.SSLConfigManager.parseSSLConfig(SSLConfigManager.java:743)
    at com.ibm.ws.ssl.config.SSLConfigManager.initializeServerSSL(SSLConfigManager.java:287)
Local fix
Changing the SSL protocol to TLSv1.2 only, between Node creation and startup, works around the problem.
Problem summary
USERS AFFECTED: All users of IBM WebSphere Application Server
PROBLEM DESCRIPTION: IllegalArgumentException and node agent startup failure when enabling SP800-131/FIPS140-2 with TLSv1.3.
RECOMMENDATION:
An IllegalArgumentException was encountered when enabling SP800-131 (both strict and transition modes) or FIPS 140-2 with the TLSv1.3 protocol. This happened after a JDK8 upgrade to SR8FP5 (and later), and it also resulted in node agent startup failure.
Problem conclusion
To prevent the IllegalArgumentException and the node agent startup failure caused by using the TLSv1.3 protocol with SP800-131 and FIPS 140-2, the code was fixed to use only TLSv1.2 if SP800-131 or FIPS 140-2 is enabled.
The fix for this APAR is targeted for inclusion in fix packs 9.0.5.20 and 8.5.5.26.
For more information, see 'Recommended Updates for WebSphere Application Server': https://www.ibm.com/support/pages/node/715553
Temporary fix
Comments
APAR Information
APAR number
PH59304
Reported component name
WEBS APP SERV N
Reported component ID
5724H8800
Reported release
850
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-01-19
Closed date
2024-03-19
Last modified date
2024-03-20
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS APP SERV N
Fixed component ID
5724H8800
Applicable component levels
Document Information
Modified date:
20 March 2024