Troubleshooting
Problem
A DataStage job that uses the Hierarchical stage fails at the REST API step. The URL is reachable from a browser and from a RESTClient debugger, and both return results without error.
Symptom
The DataStage job log shows:
errorMessage:CDIER0961E: The REST step is unable to invoke the RESTservice, cause=javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
Cause
There is no common version of the SSL/TLS protocol supported by both DataStage and the REST API server.
When starting the SSL handshake, the TLS client sends a ClientHello message specifying the highest SSL/TLS protocol version it supports. The TLS server selects the highest protocol version that both it and the client support, and replies with a ServerHello message that includes the selected version. If there is no common usable version, the server sends a "protocol_version" alert message and closes the connection.
DataStage 11.5 supports SSL 3.0 and TLS 1.0 by default, so it sends "TLSv1" in the ClientHello, declaring that it supports TLS v1.0 and SSL v3.0. If the TLS server does not support one of them, the handshake fails with the above error.
Diagnosing The Problem
On the initial stage page of the Hierarchical stage, add the argument -Djavax.net.debug=SSL to the Optional Arguments field. Rerun the job and examine the log; you will see output similar to this:
*** ClientHello, TLSv1
RandomCookie: GMT: 1489131973 bytes = { 10, 255, 155, 72, 2, 174, 216, 54, 115, 67, 120, 100, 93, 114, 217, 152, 230, 247, 39, 249, 79, 84, 97, 241, 13, 173, 204, 181 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA,
SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA,
SSL_ECDHE_ECDSA_WITH_RC4_128_SHA, SSL_ECDHE_RSA_WITH_RC4_128_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_ECDH_ECDSA_WITH_RC4_128_SHA,
SSL_ECDH_RSA_WITH_RC4_128_SHA, SSL_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
SSL_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp192r1, secp224r1, secp384r1, secp521r1, secp160k1, secp160r1, secp160r2, secp192k1, secp224k1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [host_name:crowsnest.noddycat.com] ***
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 159
pool-1-thread-2, received EOFException: error
pool-1-thread-2, handling exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
pool-1-thread-2, SEND TLSv1 ALERT: fatal, description = handshake_failure
pool-1-thread-2, WRITE: TLSv1 Alert, length = 2
pool-1-thread-2, called closeSocket()
pool-1-thread-2, IOException in getSession():javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
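The trace above can be read mechanically: a ClientHello offering an old protocol version, no ServerHello, then a handshake exception. The following Python sketch is an added example, not part of the original technote; the function name analyze_trace is hypothetical, the sample input is an abridged copy of the trace above, and it assumes a ServerHello line has the same "*** ServerHello, <version>" shape as the ClientHello line.

```python
import re

# Abridged copy of the javax.net.debug trace shown above (sample input).
SAMPLE_TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5]
Compression Methods: { 0 }
pool-1-thread-2, WRITE: TLSv1 Handshake, length = 159
pool-1-thread-2, received EOFException: error
pool-1-thread-2, handling exception:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
"""

HELLO = re.compile(r"^\*\*\* (ClientHello|ServerHello), (\S+)", re.M)
SUITES = re.compile(r"Cipher Suites: \[(.*?)\]", re.S)
FAILURE = re.compile(r"javax\.net\.ssl\.(SSL\w*Exception): (.+)")
OLD_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}


def analyze_trace(trace):
    """Summarize one handshake from -Djavax.net.debug=SSL output."""
    hellos = dict(HELLO.findall(trace))  # message type -> protocol version
    m = SUITES.search(trace)
    suites = [s.strip() for s in m.group(1).split(",")] if m else []
    fail = FAILURE.search(trace)
    offered = hellos.get("ClientHello")
    result = {
        "offered": offered,
        "selected": hellos.get("ServerHello"),
        "suite_count": len(suites),
        # RC4, 3DES and MD5 suites, which hardened servers commonly disable.
        "weak_suites": [s for s in suites if re.search(r"RC4|3DES|MD5", s)],
        "failure": fail.group(2).strip() if fail else None,
    }
    # ClientHello sent, no ServerHello, then a handshake exception: the server
    # refused the offer. If the offer was an old version, suspect the
    # protocol-version mismatch described under Cause.
    result["likely_version_mismatch"] = (
        offered in OLD_VERSIONS
        and result["selected"] is None
        and fail is not None
    )
    return result


if __name__ == "__main__":
    for key, value in analyze_trace(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

After the fix described below, the same check on a new trace should report TLSv1.2 as the offered version and a ServerHello with a selected version.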
Resolving The Problem
Upgrade the DataStage JDK to the latest supported version, which will support TLS 1.2. As of the publication of this document (September 2017), the latest available is from
http://www-01.ibm.com/support/docview.wss?uid=swg22004602
and add the following to the Optional Arguments property on the stage page
-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12
These options could also be added to the IBM_JAVA_OPTIONS or CC_JVM_OPTIONS environment variables to affect all jobs. Another way to make the change is with the Connector Migration Tool, using a StageUpgrades.xml file such as
<?xml version='1.0' encoding='UTF-8'?>
<StageUpgrades>
<StageType name="XMLStagePX XMLStage">
<Set path="/Usage/Java/OtherOptions" contexts="all" when="always">-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12 </Set>
</StageType>
</StageUpgrades>
and the command line
CCMigration.exe -u isadmin -p password -h <host>:<port> -P <project> -L +c:\temp\su.log -U -M -Q
See the link below for a description of the Connector Migration Tool for updating connector properties.
Related Information
Document Information
Modified date: 16 June 2018
UID: swg22008850