Troubleshooting
Problem
Attempts to run custom code in Sterling agent/application server fails to invoke https URLs which supports TLS 1.2.
Symptom
SSLHandShake failure in agent/appserver logs.
Cause
- Usage of unsupported JDK version.
- Appropriate JVM arguments not passed.
- Third-party libraries used in custom code changing the default TLS protocol.
Diagnosing The Problem
Collect SSL debug logs by giving "-Djavax.net.debug=ssl:handshake:verbose" and check if the logs are having SSL protocol failure.
Following are the actors in this issue
1a) JDK used by the agent/appserver
1b) Sterling agent framework/appserver
1c) custom code which calls remote https server
1d) remote https server
2) Sterling does not set any https protocols by default. This means that the protocol used by the client JVM for sending the clientHello in the handshake to the remote https server will be, either the default JDK protocol or the protocol which is being overridden in custom code which calls remote server. Here the client JVM refers to the agent or appserver JVM which is used to call the remote server.
3) Default https protocol varies with JDK versions. For JDK 7 is TLSv1. However this can be overrriden by setting the system property "-Dhttps.protocols=TLSv1.2" in the client JVM which makes call to the remote https server. However, this will work only for calls being made to the remote server using java's HttpsURLConnection library. Verify that you are using HttpsURLConnection or not. If not then the TLS protocol needs to set programmatically by the custom code using
https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLSocket.html#…-
4) it is also possible that due to older version of JDK, there may be some issues in picking the value of system properties "https.protocols" and "jdk.tls.client.protocols". Check the Java vendor documentation and confirm the JDK used supports the required protocol
5a) You can write a simple java program using the exact same JDK version which is used by the agent/appserver, and then in the java program try connecting to the https remote server. This will make it easier to diagnose the issue.
5b) If custom code is using HttpsURLConnection and they are not overriding the default protocol in custom code, then contact the JDK team as to why even after setting https.protocol system property, the clientHello is not picking the new protocol? It is expected that after setting the https.protocol, it should use the protocol in this property for communication with the server.
5c) If custom code is not using HttpsURLConnection and if i uses third-party libaaries , confirm the third-party libraries are not overriding the tls protocol. We have seen multiple occurrences in the past where third party libraries overriding the default protocol and client had to set the default protocol in custom code to overcome the issue.
Resolving The Problem
1. Use the right JDK version which supports the required TLS protocol
2. Try giving "-Dhttps.protocols=TLSv1.2" in JVM arguments
3. Debug the custom code and confirm that third party libraries used are not overriding the default protocol to an unsupported version
4. If third-party libraries are changing the default protocol, override the protocol in client code to force the required protocol
Product Synonym
Sterling OMS
Was this topic helpful?
Document Information
Modified date:
11 July 2018
UID
ibm10716385