Troubleshooting
Problem
When a client attempts to communicate with a WebSphere Java virtual machine (JVM) on a port secured with Transport Layer Security (TLS), but does not encrypt the message, the following message can be observed in the SystemOut.log file:
Prior to WebSphere Traditional 8.5.5.23 and 9.0.5.15 and Liberty 22.0.0.12, the message contained less information. On those versions, the following trace specification must be enabled to provide the remote hostname, IP address, and port numbers associated with the connection:
*=info:SSL=all:SSLChannel=all:TCPChannel=all
Symptom
This issue commonly has no observable functional impact and can be safely ignored. However, the connection is failing, and the client that initiates the connection is likely not functioning properly.
Cause
The plain text connection message can be caused by several scenarios. Some scenarios are within the scope of the WebSphere product, such as:
- A local 3rd party Java agent performing health checks (such as Wily Introscope, AppDynamics, etc.). Disabling these external tools can mitigate the effects of the SSLC0008E message appearing in the log. Troubleshooting issues related to 3rd party components is outside the scope of WebSphere support.
- The node agent polling the deployment manager's XDAGENT_PORT. The XDAGENT_PORT is a REST endpoint used by IHS and DataPower to perform dynamic routing. This connection uses XDADefaultSSLSettings, which has 'client authentication' set to REQUIRED. If the SSL handshake fails, a fallback mechanism causes a plain text connection to occur. To investigate this issue further, open a case with IBM software support with the SSL MustGather attached from both the Deployment Manager and node agent JVMs.
- If this message is observed within the Deployment Manager logs, verify the node synchronization status. If necessary, forcibly terminate the node agent process and manually run synchronization from the command line.
- If you observe this message on a connection that is intended to be unsecured (HTTP), check the application's web.xml for the transport-guarantee setting. This setting tells WebSphere whether a specific URL pattern uses HTTP or HTTPS.
Diagnosing The Problem
Some potential root causes of this message are outside the scope of the WebSphere product. To investigate these issues, it is recommended to consult with your network administration team to review TCP/IP traffic for the hosts and ports involved with the problematic connection.
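When reviewing captured traffic for the affected port, the first bytes a client sends show whether it opened with a TLS handshake or with plaintext. The following Python is an added example, not IBM or WebSphere code; the function names, addresses, and payloads are constructed for illustration, and it assumes the first client payload of each connection has already been extracted from the capture.

```python
import struct

HTTP_METHODS = (b"GET", b"HEAD", b"POST", b"PUT", b"DELETE",
                b"OPTIONS", b"PATCH", b"TRACE", b"CONNECT")

def classify_first_payload(payload: bytes) -> dict:
    """Classify the first bytes a client sent to a TLS-secured port."""
    if len(payload) >= 6:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        # TLS record header: type 0x16 (handshake), version 3.x, length <= 2^14.
        # The first handshake message from a client is ClientHello (type 1).
        if ctype == 0x16 and major == 3 and minor <= 4 and 0 < length <= 2**14:
            return {"kind": "tls", "client_hello": payload[5] == 1}
    first_line, _, rest = payload.partition(b"\r\n")
    if first_line.split(b" ", 1)[0] in HTTP_METHODS:
        headers = {}
        for raw in rest.split(b"\r\n"):
            if not raw:
                break  # a blank line ends the header block
            name, sep, value = raw.partition(b":")
            if sep:
                key = name.strip().lower().decode("latin-1")
                headers[key] = value.strip().decode("latin-1")
        return {"kind": "plaintext-http",
                "request_line": first_line.decode("latin-1"),
                "user_agent": headers.get("user-agent")}
    return {"kind": "unknown", "prefix_hex": payload[:8].hex()}

def plaintext_clients(flows):
    """Return (source, classification) for flows that did not open with TLS."""
    results = ((src, classify_first_payload(data)) for src, data in flows)
    return [(src, res) for src, res in results if res["kind"] != "tls"]

# Constructed sample flows: (client address, first payload bytes from the client).
SAMPLE_FLOWS = [
    ("192.0.2.10:51544", bytes.fromhex("160301002f0100002b0303")),  # truncated ClientHello
    ("198.51.100.7:40112", b"GET /health HTTP/1.1\r\nHost: app.example.test\r\n"
                           b"User-Agent: health-probe/1.0\r\n\r\n"),
    ("198.51.100.9:40200", b"\x00\x01\x02\x03"),  # neither TLS nor HTTP
]

if __name__ == "__main__":
    for src, result in plaintext_clients(SAMPLE_FLOWS):
        print(src, result)
```

The source address and any User-Agent value point to the client whose configuration needs correcting.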
Resolving The Problem
To resolve the plaintext connection error, you must identify the client endpoint, and then correct its configuration so that it either uses a non-TLS port or encrypts the network data.
Document Location
Worldwide
Document Information
Modified date:
31 January 2024
UID
ibm16497227