IBM Support

Cache Data Access Issues with NIST SP800-131 set to Strict Mode in WebSphere eXtreme Scale 8.6.1.6

Troubleshooting


Problem

Clients are experiencing difficulties inserting, updating, or accessing data in the cache. This issue arises when WebSphere eXtreme Scale 8.6.1.6 servers are configured with NIST SP800-131 in strict mode, and clients communicate with servers by using SSL, resulting in the following error log:
 
java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode

In scenarios where WebSphere eXtreme Scale (XSLD) container servers are configured with the -Dcom.ibm.jsse2.sp800-131=strict option, and restAdmin, restUI, and restData servers use SSL connections, the data cannot be accessed through REST APIs.

Symptom

Clients are unable to access data from the grid when WebSphere eXtreme Scale servers are set to -Dcom.ibm.jsse2.sp800-131=strict, and clients use SSL to connect to the server.

In an XSLD environment, accessing the grid through REST APIs results in failure. The server logs indicate the following error:
Exception = com.ibm.wsspi.channelfw.exception.ChannelException
Source = com.ibm.ws.channel.ssl.internal.SSLConnectionLink
probeid = 238
Stack Dump = com.ibm.wsspi.channelfw.exception.ChannelException: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode
at com.ibm.ws.channel.ssl.internal.SSLChannel.getSSLContextForLink(SSLChannel.java:485)
at com.ibm.ws.channel.ssl.internal.SSLChannel.getSSLContextForInboundLink(SSLChannel.java:277)
at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:313)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:169)
at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:77)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:516)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:586)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:970)
at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:1059)
at com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:247)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:825)
Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode
at com.ibm.jsse2.bf$e.(bf$e.java:12)
at java.lang.Class.forNameImpl(Native Method)
at java.lang.Class.forName(Class.java:340)
at java.security.Provider$Service.getImplClass(Provider.java:1645)
at java.security.Provider$Service.newInstance(Provider.java:1603)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:248)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:218)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:11)
at com.ibm.ws.ssl.JSSEProviderFactory$2.run(JSSEProviderFactory.java:258)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:118)
at com.ibm.ws.ssl.JSSEProviderFactory.validateProvider(JSSEProviderFactory.java:253)
at com.ibm.ws.ssl.JSSEProviderFactory.getInstance(JSSEProviderFactory.java:183)
at com.ibm.ws.ssl.JSSEProviderFactory.getInstance(JSSEProviderFactory.java:76)
at com.ibm.ws.ssl.config.SSLConfigManager.(SSLConfigManager.java:187)
at com.ibm.ws.ssl.config.SSLConfigManager.getInstance(SSLConfigManager.java:194)
at com.ibm.ws.ssl.config.FIPSUtils$1.run(FIPSUtils.java:44)
at com.ibm.ws.security.util.AccessController.doPrivileged(AccessController.java:63)
at com.ibm.ws.ssl.config.FIPSUtils.checkFipsEnabled(FIPSUtils.java:39)
at com.ibm.ws.ssl.config.FIPSManager.readWASPropertiesForFips(FIPSManager.java:138)
at com.ibm.ws.ssl.config.FIPSManager.initializeFIPS(FIPSManager.java:85)
at com.ibm.ws.xs.ssl.channel.impl.SSLChannelFactory.(SSLChannelFactory.java:51)
at java.lang.J9VMInternals.newInstanceImpl(Native Method)
at java.lang.Class.newInstance(Class.java:2108)

Resolving The Problem

This issue is resolved. Configuring the WebSphere eXtreme Scale (XSLD) container servers with the -Dcom.ibm.jsse2.sp800-131=strict option was known to cause issues. Apply the iFix PH61457 on WebSphere eXtreme Scale 8.6.1.6 to address this problem.

Alternatively, for WebSphere eXtreme Scale stand-alone and WebSphere Application Server environments:
  • In the jvm.options file of every WebSphere eXtreme Scale container server, set -Dcom.ibm.jsse2.sp800-131=transition.

For XSLD (eXtreme Scale Liberty Deployment):
  • Modify the jvm.options file for all container servers, and ensure that the restAdmin, restData, and restUI servers are configured with -Dcom.ibm.jsse2.sp800-131=transition instead of strict mode.
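
To confirm which mode each server will start in after jvm.options is edited, the following script (an added example, not IBM's code) reports the effective -Dcom.ibm.jsse2.sp800-131 value for every server directory under a root. The directory layout, the container1 name and the last-occurrence-wins rule are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: report the SP800-131 mode each server's jvm.options selects.

# Print the value of -Dcom.ibm.jsse2.sp800-131 in one jvm.options file, or
# "unset". Commented-out lines never match; if the option is repeated, the
# last occurrence is reported (assumption: the JVM honours the last one).
sp800_mode() {
    [ -f "$1" ] || { echo unset; return 0; }
    mode=$(tr -d '\r' < "$1" |
        sed -n 's/^[[:space:]]*-Dcom\.ibm\.jsse2\.sp800-131=\([^[:space:]]*\).*$/\1/p' |
        tail -n 1)
    echo "${mode:-unset}"
}

# Print "<mode> <server dir>" for each directory under $1; return 1 if any
# server still selects strict mode.
audit_sp800() {
    rc=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        m=$(sp800_mode "${dir}jvm.options")
        echo "$m ${dir%/}"
        if [ "$m" = strict ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample tree; directory layout and container1 are hypothetical.
make_sample() {
    root=$(mktemp -d)
    mkdir "$root/container1" "$root/restAdmin" "$root/restData" "$root/restUI"
    printf '%s\n' '-Xmx1g' '-Dcom.ibm.jsse2.sp800-131=strict' \
        > "$root/container1/jvm.options"
    printf '%s\n' '# -Dcom.ibm.jsse2.sp800-131=strict' \
        '-Dcom.ibm.jsse2.sp800-131=transition' > "$root/restAdmin/jvm.options"
    printf '%s\n' '-Dcom.ibm.jsse2.sp800-131=strict' \
        '-Dcom.ibm.jsse2.sp800-131=transition' > "$root/restData/jvm.options"
    echo "$root"   # restUI has no jvm.options at all
}

SAMPLE=$(make_sample)
audit_sp800 "$SAMPLE" || echo "strict mode is still set on at least one server"
```

The same report can be rerun once iFix PH61457 is applied to list the servers that were left in transition mode by the workaround.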

Document Location

Worldwide


Document Information

Modified date:
09 July 2024

UID

ibm17030472