IBM Support

Demystifying the SSLC0008E 'plain text connection' message.

Troubleshooting


Problem

When a client attempts to communicate with a WebSphere Java virtual machine (JVM) on a port secured with Transport Layer Security (TLS), but does not encrypt the message, the following message can be observed in the SystemOut.log file:
SSLC0008E: The SSL connection cannot be initialized from the HOSTNAME_A host and X port on the remote client to the HOSTNAME_B host and Y port on the local server. Exception: javax.net.ssl.SSLException: The WebSphere server received an unencrypted inbound communication on a secure connection.  This does not indicate a problem with the WebSphere server. To resolve the issue, configure the client to use SSL or to connect to a port on the WebSphere server that does not require SSL.

Prior to WebSphere Traditional 8.5.5.23 & 9.0.5.15 and Liberty 22.0.0.12, the message contained less information, and traces must be enabled to provide the remote hostname, IP address, and port numbers associated with the connection. The older message and the trace specification are:

SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?

*=info:SSL=all:SSLChannel=all:TCPChannel=all

Symptom

It is common for this issue to have no observable functional impact, in which case it could be safely ignored. However, the connection is failing, and the client that is invoking the connection is likely not functioning properly.

Cause

The plain text connection message can be caused by several scenarios. Some scenarios are within the scope of the WebSphere product, such as:
  1. A local third-party Java agent performing health checks (such as Wily Introscope, AppDynamics, etc.). Disabling these external tools can mitigate the effects of the SSLC0008E message appearing in the log. Troubleshooting issues related to third-party components is outside the scope of WebSphere support.
  2. The node agent polling the deployment manager's XDAGENT_PORT. The XDAGENT_PORT is a REST endpoint used by IHS and DataPower to perform dynamic routing. This connection leverages XDADefaultSSLSettings, which has 'client authentication' set to REQUIRED. If the SSL handshake fails, a fallback mechanism causes a plain text connection to occur. To investigate this issue further, open a case with IBM software support with the SSL MustGather attached from both the Deployment Manager and node agent JVMs.
  3. If this message is observed within the Deployment Manager logs, verify the node synchronization status. If necessary, forcibly terminate the node agent process and manually run synchronization on the command line.
  4. If you observe this message on a connection that is intended to be unsecured (HTTP), then check the application's web.xml for the transport-guarantee setting. This setting tells WebSphere whether a specific URL pattern uses HTTP or HTTPS.

Diagnosing The Problem

Some potential root causes of this message are outside the scope of the WebSphere product. To investigate these issues, it is recommended to consult with your network administration team to review TCP/IP traffic for the hosts and ports involved with the problematic connection.

Resolving The Problem

To resolve the plaintext connection error, you must identify the client endpoint, and then correct its configuration so that it either uses a non-TLS port or encrypts the network data.
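To help identify the client endpoint, the following added example (not IBM code) tallies SSLC0008E entries per remote host and local port from SystemOut.log text, using the newer message format quoted above. The function name, hosts, ports and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Newer message format (8.5.5.23 / 9.0.5.15 / Liberty 22.0.0.12), as quoted on this page.
NEW_FMT = re.compile(
    r"SSLC0008E: The SSL connection cannot be initialized from the "
    r"(?P<rhost>\S+) host and (?P<rport>\d+) port on the remote client "
    r"to the (?P<lhost>\S+) host and (?P<lport>\d+) port on the local server"
)

def summarize_sslc0008e(lines):
    """Count SSLC0008E events per (remote host, local host, local port).

    The client's source port usually changes on every connection, so it is
    left out of the key. Older-format entries carry no endpoint data and are
    counted separately; those need the trace specification to be enabled.
    """
    by_client = Counter()
    without_endpoint = 0
    for line in lines:
        if "SSLC0008E" not in line:
            continue
        m = NEW_FMT.search(line)
        if m:
            by_client[(m["rhost"], m["lhost"], int(m["lport"]))] += 1
        else:
            without_endpoint += 1
    return by_client, without_endpoint

# Constructed sample input: log prefix, hosts and ports are made up.
_NEW = ("[1/31/24 10:15:0{n}:000 EST] 000000a1 SSLHandshakeE E   SSLC0008E: The SSL "
        "connection cannot be initialized from the {rh} host and {rp} port on the "
        "remote client to the {lh} host and {lp} port on the local server. "
        "Exception: javax.net.ssl.SSLException: (text omitted)")
SAMPLE = [
    _NEW.format(n=1, rh="monitor01.example.com", rp=51234, lh="was01.example.com", lp=9443),
    _NEW.format(n=2, rh="monitor01.example.com", rp=51240, lh="was01.example.com", lp=9443),
    _NEW.format(n=3, rh="10.0.0.7", rp=40022, lh="was01.example.com", lp=9043),
    "[1/31/24 10:15:04:000 EST] 000000a2 SSLHandshakeE E   SSLC0008E: Unable to "
    "initialize SSL connection.  Unauthorized access was denied or security settings "
    "have expired.  Exception is javax.net.ssl.SSLException: Unrecognized SSL message, "
    "plaintext connection?",
    "[1/31/24 10:15:05:000 EST] 000000a3 SystemOut     O unrelated application output",
]

if __name__ == "__main__":
    clients, old_format = summarize_sslc0008e(SAMPLE)
    for (rhost, lhost, lport), count in clients.most_common():
        print(f"{count:4d}  {rhost} -> {lhost}:{lport}")
    print(f"{old_format} entries without endpoint details (older message format)")
```

A remote host that repeatedly hits the same TLS port at a regular interval points to a monitoring agent or poller, as described in the causes above.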

Document Location

Worldwide

Document Information

Modified date:
31 January 2024

UID

ibm16497227