ITCAM for Transactions - SSL Handshake Failed in ISM HTTPS monitoring
IBM Tivoli Composite Application Manager for Transactions
~ How to do stuff ~
By Kevin Baldwin
How to.....
Avoid SSL Handshake issues in ISM HTTPS monitoring
"SSL handshake failed" is reported when the ISM HTTPS monitor establishes a connection to the server but then fails to initialize SSL connectivity over it.
To resolve it, you may need to configure the monitor to enable or disable TLS and SSL protocols.
Here are some technotes and other links that contain useful information to help determine why you have SSL handshake issues and how to fix them:
- By default, the latest versions of ISM enable TLS and disable SSL protocols.
Properties are available in https.props to change this behaviour for legacy purposes.
IBM Knowledge Center > ITCAMfT 7.4.0.1 > Administrator's Guide > Appendixes > SSL settings in Internet Service Monitoring describes these options and provides advice relating to security considerations and supported ciphers.
- The following technotes also contain information to help troubleshoot SSL, TLS and Cipher related issues:
Troubleshooting SSL Cipher issues in Netcool/ISM and ITCAM ISM
ITCAM4Tx : ISM https monitor reports "SSL handshake failed" message
Disable SSLv2 and SSLv3, and enable TLS1.1 and TLS1.2
The TLS options described in the above technotes were introduced to address this APAR:
IV56117 ISM MONITORS NEED TO BE ABLE TO DISABLE TLS 1.2 AND TLS 1.1 FOR COMPATIBILITY WITH OLDER CRYPTOGRAPHY IMPLEMENTATIONS
The APAR fix was originally shipped in:
ITCAMfT 7.4.0.0-TIV-CAMIS-IF0011
If you're not already using ITCAMfT 7.4.0.0-TIV-CAMIS-IF0011 or higher, you'll need to upgrade the ISM agent to take advantage of these options.
Use the information in Table 1 of ITCAM for Transactions 7.4 - Interim Fixes and Fixpacks to identify the latest available version.
- Point 9 in the blog ITCAM4Transactions - ISM - Best practices and pitfalls (PART 1) refers to SSL handshake issues in response to the question:
Does ISM https monitoring support SNI (Server Name Indication)?
Answer: Yes, ISM HTTPS monitor does support SNI, but only since ISM agent 7.4.0.2 IF0003 [7.4.0.2-TIV-CAMIS-IF0003]
If you are using ISM https with an older ISM agent version to monitor a server which is configured with SNI, monitoring will fail and https.log will show error messages like this:
Information: [monitored server]: Initiating SSL handshake ...
Error: [monitored server] : SSL handshake failed status:0 sslerr: 1 error_code: 0
Error : [monitored server] : SSL handshake sslerr reason:tlsv1 alert internal error - 336151608
Error: SSL connection to [monitored server]:443 failed
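The following triage script is an added example, not part of the original post or of ISM. It scans https.log text for the "sslerr reason" line shown above and decodes the trailing number, assuming it is an OpenSSL 1.0.x packed error code (the sample value 336151608 is consistent with that packing). The host names and the sample log are constructed.

```python
import re

# Constructed sample modelled on the https.log excerpt above; host names are placeholders.
SAMPLE_LOG = """\
Information: [app.example.test]: Initiating SSL handshake ...
Error: [app.example.test] : SSL handshake failed status:0 sslerr: 1 error_code: 0
Error : [app.example.test] : SSL handshake sslerr reason:tlsv1 alert internal error - 336151608
Error: SSL connection to [app.example.test]:443 failed
Information: [ok.example.test]: Initiating SSL handshake ...
"""

# Tolerates the inconsistent spacing around ':' seen in the excerpt.
REASON_RE = re.compile(
    r"^Error\s*:\s*\[(?P<host>[^\]]+)\]\s*:\s*SSL handshake sslerr reason:"
    r"(?P<text>.+?)\s*-\s*(?P<code>\d+)\s*$"
)

# TLS alert numbers (RFC 5246 / RFC 6066) most relevant to handshake triage.
TLS_ALERTS = {
    40: "handshake_failure", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

def decode_openssl_error(code):
    """Split an OpenSSL 1.0.x packed error code into (lib, func, reason).
    Assumption: the number ISM logs uses this packing."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def triage(log_text):
    """Return one finding per 'sslerr reason' line in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = REASON_RE.match(line.strip())
        if not m:
            continue
        lib, _func, reason = decode_openssl_error(int(m.group("code")))
        # In OpenSSL's SSL library (lib 20), reason 1000+N means the peer sent TLS alert N.
        alert = reason - 1000 if lib == 20 and reason > 1000 else None
        findings.append({
            "host": m.group("host"),
            "reason_text": m.group("text"),
            "alert": alert,
            "alert_name": TLS_ALERTS.get(alert, "unknown"),
            "sent_by_server": alert is not None,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with sent_by_server set means the handshake reached the server and was rejected there, which points at protocol, cipher or SNI settings on the agent rather than at network reachability.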
Visit the ITCAM for Transactions ~ How to do stuff ~ Homepage for more articles in this series