IBM Support

DataStage : REST API Error with Hierarchical Stage, needs support for TLS 1.2

Troubleshooting


Problem

In a DataStage job that uses the Hierarchical stage, the REST API step fails. The URL is reachable from a browser and from a REST client debugger, and both return results without error.

Symptom

The following appears in the DataStage job log:


errorMessage:CDIER0961E: The REST step is unable to invoke the RESTservice, cause=javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated

Cause

There is no common version of the SSL/TLS protocol supported by both DataStage and the REST API server.


When starting the SSL handshake, the TLS client sends a ClientHello message specifying the highest SSL/TLS protocol version it supports. The TLS server selects the highest protocol version that it and the client both support, and replies with a ServerHello message that includes the selected version. If there is no usable common version, the server sends a "protocol_version" alert message and closes the connection.

DataStage 11.5 supports SSL 3.0 and TLS 1.0 by default, so it sends "TLSv1" in the ClientHello, declaring that it supports TLS v1.0 and SSL v3.0. If the TLS server does not support either of them, the handshake fails with the error above.

Diagnosing The Problem

In the Hierarchical Stage, on the initial stage page, add the argument -Djavax.net.debug=SSL in the Optional Arguments field. Re-run the job and examine the log; you will see output similar to this:

*** ClientHello, TLSv1
RandomCookie: GMT: 1489131973 bytes = { 10, 255, 155, 72, 2, 174, 216, 54, 115, 67, 120, 100, 93, 114, 217, 152, 230, 247, 39, 249, 79, 84, 97, 241, 13, 173, 204, 181 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name:crowsnest.noddycat.com] ***
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 159
pool-1-thread-2, received EOFException: error
pool-1-thread-2, handling exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = handshake_failure
pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
pool-1-thread-2, called closeSocket()
pool-1-thread-2, IOException in getSession():javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
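
As an added example that is not part of this IBM technote, the following Python script parses a -Djavax.net.debug=SSL excerpt like the one above and reports whether it matches the no-common-protocol-version pattern described under Cause. The sample log is a shortened, constructed copy of the output shown above; the function and field names are my own.

```python
import re

# Constructed, shortened excerpt of the -Djavax.net.debug=SSL output shown in this technote
SAMPLE_LOG = """\
*** ClientHello, TLSv1
RandomCookie: GMT: 1489131973 bytes = { 10, 255, 155, 72 }
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA]
Extension server_name, server_name: [host_name:crowsnest.noddycat.com] ***
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 159
pool-1-thread-2, received EOFException: error
pool-1-thread-2, handling exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = handshake_failure
"""

# Versions a REST endpoint hardened to TLS 1.2 will refuse; a ClientHello at one of these
# offers only that version and older (a TLSv1 hello offers TLS 1.0 and SSL 3.0)
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}

def parse_ssl_debug(log: str) -> dict:
    """Pull out the fields needed to spot a protocol-version mismatch."""
    info = {"client_hello_version": None, "server_name": None,
            "cipher_suites": [], "remote_closed": False, "alert": None}
    m = re.search(r"\*\*\* ClientHello, (\S+)", log)
    if m:
        info["client_hello_version"] = m.group(1)
    m = re.search(r"server_name: \[host_name:([^\]]+)\]", log)
    if m:
        info["server_name"] = m.group(1)
    # The suite list wraps across lines; take everything between the brackets
    m = re.search(r"Cipher Suites: \[(.*?)\]", log, re.S)
    if m:
        info["cipher_suites"] = [s.strip() for s in m.group(1).split(",") if s.strip()]
    info["remote_closed"] = "Remote host closed connection during handshake" in log
    m = re.search(r"ALERT: fatal, description = (\w+)", log)
    if m:
        info["alert"] = m.group(1)
    return info

def diagnose(info: dict) -> str:
    """A legacy-only ClientHello that the server drops is the pattern the technote ties to no
    common protocol version; a dropped handshake can have other causes, so confirm against the
    server's TLS configuration before changing JVM options."""
    v = info["client_hello_version"]
    if v in LEGACY_VERSIONS and info["remote_closed"]:
        return f"version-mismatch: client offered at most {v}; server closed the handshake"
    if v and not info["remote_closed"]:
        return f"handshake-proceeded: client offered {v}"
    return "inconclusive"
```

After the JDK upgrade and the overrideDefaultProtocol setting below, the same parser should report a ClientHello of TLSv1.2 and no closed handshake.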

Resolving The Problem

Upgrade the DataStage JDK to the latest supported version, which supports TLS 1.2. As of the publication of this document (September 2017), the latest available is from

http://www-01.ibm.com/support/docview.wss?uid=swg22004602

and add the following to the Optional Arguments property on the stage page:

-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12

These could also be added to the IBM_JAVA_OPTIONS or CC_JVM_OPTIONS environment variables to affect all jobs. Another way to make the change is via the Connector Migration Tool with a StageUpgrades.xml file such as:

<?xml version='1.0' encoding='UTF-8'?>
<StageUpgrades>
  <StageType name="XMLStagePX XMLStage">
    <Set path="/Usage/Java/OtherOptions" contexts="all" when="always">-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12</Set>
  </StageType>
</StageUpgrades>

and the command line:

CCMigration.exe -u isadmin -p password -h <host>:<port> -P <project> -L +c:\temp\su.log -U -M -Q

See the link below for a description of the Connector Migration Tool for updating connector properties.


Document Information

Modified date: 16 June 2018

UID: swg22008850