Question & Answer
Question
Caused by: java.lang.IllegalArgumentException: Only TLS1.2 protocol can be enabled in SP800_131 strict mode.
Cause
When SP800-131 strict mode is enabled for DOORS Web Access, only the TLSv1.2 protocol can be used.
The error stack shows that the Tomcat code tries to create an SSLContext with a protocol alias that is not "TLSv1.2":
...
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:29)
at org.apache.tomcat.util.compat.TLS.<clinit>(TLS.java:35)
at org.apache.tomcat.util.net.jsse.JSSEUtil.isTls13Available(JSSEUtil.java:175)
...
The problematic call is made only to detect whether TLSv1.3 is available:
The call to org.apache.tomcat.util.compat.TLS.isTls13Available() was removed in April 2019:
Don't warn that SSLv2Hello is unavailable unless explicitly configured
The org.apache.tomcat.util.compat.TLS class was removed completely in January 2020:
Delete some deprecated code planned for removal in Tomcat 10
The version of Tomcat that is shipped with DWA 9.7.2.x is not compatible with IBM Java's SP800_131 strict mode because Tomcat explicitly tries to enable TLSv1.3, albeit only as a detection mechanism.
Answer
1. Go to the Rational DOORS Web Access installation directory.
   For example, C:\Program Files\IBM\Rational\DOORS Web Access\9.version
2. Rename the server directory to server.orig.
3. Extract the downloaded Apache Tomcat core compressed file to ./server in the Rational DOORS Web Access installation directory.
4. Delete the contents of the ./server/webapps folder.
5. Copy the following files from your ./server.orig/lib directory to ./server/lib:
   commons-logging-1.1.x.jar
   dwa-catalina.jar
   log4j-1.2.x.jar
   log4j-2.xml
6. Remove the following jar files from the ./server/lib directory:
   tomcat-websocket.jar
   websocket-api.jar
7. Copy the contents of the ./server.orig/festival directory to ./server/festival.
8. Copy the ./server.orig/conf/server.xml file to ./server/conf/server.xml.
9. Copy ./server.orig/localhost.keystore to ./server.
10. Modify the ./server/conf/context.xml file: add the <CookieProcessor sameSiteCookies="none" /> element inside the <Context> tag, and save the file.
Add the following attributes to the AJP connector in the ./server/conf/server.xml file:
address="0.0.0.0" requiredSecret="servicecatalog"
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="0.0.0.0" requiredSecret="servicecatalog" />
Note: Make sure the new folders and files have the same permissions as the originals they were copied from or created alongside.
Also copy the keystore, the truststore and any custom files to the appropriate locations.
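A post-rebuild check for steps 2 to 10, added here as an example and not taken from the IBM page: it walks the installation directory and reports which steps were not followed, so a rebuilt ./server can be verified before DWA is restarted. The directory layout, file names and connector attributes come from the steps above; the sample tree built inside demo() is constructed from placeholder files rather than real jars, and the assumptions that ./server/webapps stays empty after step 4 and that the AJP connector is the only AJP/1.3 Connector in server.xml are mine.

```python
import re
import tempfile
from pathlib import Path

# Names from steps 5 and 6; the two versioned jars are matched by pattern, the rest literally.
REQUIRED = ("dwa-catalina.jar", "log4j-2.xml", r"commons-logging-1\.1\.\d+\.jar", r"log4j-1\.2\.\d+\.jar")
REMOVED = ("tomcat-websocket.jar", "websocket-api.jar")
AJP = re.compile(r'<Connector\b[^>]*protocol="AJP/1\.3"[^>]*>')

def check_server_layout(install_dir):
    """Return deviations from the rebuild steps; an empty list means ./server matches them."""
    root, found = Path(install_dir), []
    server = root / "server"
    lib = {p.name for p in (server / "lib").iterdir()} if (server / "lib").is_dir() else set()
    if not (root / "server.orig").is_dir():
        found.append("step 2: server.orig is missing")
    if (server / "webapps").is_dir() and any((server / "webapps").iterdir()):
        found.append("step 4: server/webapps is not empty")  # assumption: it stays empty after step 4
    found += [f"step 5: no lib file matching {p}" for p in REQUIRED if not any(re.fullmatch(p, n) for n in lib)]
    found += [f"step 6: lib/{n} is still present" for n in REMOVED if n in lib]
    for step, rel in ((7, "festival"), (8, "conf/server.xml"), (9, "localhost.keystore")):
        if not (server / rel).exists():
            found.append(f"step {step}: server/{rel} is missing")
    context = server / "conf" / "context.xml"
    if not context.is_file() or 'sameSiteCookies="none"' not in context.read_text():
        found.append('step 10: CookieProcessor sameSiteCookies="none" not in conf/context.xml')
    server_xml = server / "conf" / "server.xml"
    match = AJP.search(server_xml.read_text()) if server_xml.is_file() else None
    lacking = [a for a in ("address=", "requiredSecret=") if match is None or a not in match.group(0)]
    if lacking:
        found.append(f"server.xml: AJP connector lacks {', '.join(lacking)}")
    return found

def demo():
    """Build a constructed sample tree (placeholder files, not real jars), check it, then re-add a step-6 jar."""
    empty = ("server.orig/lib/dwa-catalina.jar", "server/lib/commons-logging-1.1.3.jar",
             "server/lib/dwa-catalina.jar", "server/lib/log4j-1.2.17.jar", "server/lib/log4j-2.xml",
             "server/festival/index.html", "server/localhost.keystore")
    conf = {"server/conf/context.xml": '<Context>\n  <CookieProcessor sameSiteCookies="none" />\n</Context>\n',
            "server/conf/server.xml": '<Server><Service><Connector port="8009" protocol="AJP/1.3" '
            'redirectPort="8443" address="0.0.0.0" requiredSecret="servicecatalog" /></Service></Server>\n'}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in {**dict.fromkeys(empty, ""), **conf}.items():
            (Path(tmp) / rel).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / rel).write_text(text)
        (Path(tmp) / "server" / "webapps").mkdir()
        clean = check_server_layout(tmp)
        (Path(tmp) / "server" / "lib" / "websocket-api.jar").write_text("")  # undo step 6
        return clean, check_server_layout(tmp)
```

Run check_server_layout() against the real installation directory; demo() only exercises it on the constructed tree and returns the clean result followed by the one with the stray jar.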
Document Information
Modified date: 15 October 2023
UID: ibm17052671