Troubleshooting
Problem
Customers might face problems after creating a certificate signing request (sudo cert-req) and importing the signed certificate (sudo cert-import) whereby the UI of IBM Resilient does not work. This can occur after accurately following the instructions in the IBM Knowledge Center.
Symptom
After importing the SSL certificate signed by a certificate authority by running sudo cert-import and running sudo systemctl restart resilient-messaging an error similar to the following is seen in /usr/share/co3/logs/client.log and the UI will not load.
Caused by: javax.jms.JMSException: Could not connect to broker URL: ssl://127.0.0.1:65000?socket.verifyHostName=false&socket.enabledProtocols=TLSv1.2&socket.enabledCipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384%2CSSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384%2CSSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA%2CSSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256%2CSSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256%2CSSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA%2CSSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384%2CSSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384%2CSSL_ECDHE_RSA_WITH_AES_256_CBC_SHA%2CSSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256%2CSSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256%2CSSL_ECDHE_RSA_WITH_AES_128_CBC_SHA%2CTLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256%2CTLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256%2CTLS_ECDH_RSA_WITH_AES_128_CBC_SHA256%2CTLS_ECDH_RSA_WITH_AES_128_GCM_SHA256%2CTLS_RSA_WITH_AES_128_CBC_SHA%2CTLS_RSA_WITH_AES_128_CBC_SHA256%2CTLS_RSA_WITH_AES_256_CBC_SHA%2CTLS_RSA_WITH_AES_256_CBC_SHA256%2CTLS_RSA_WITH_AES_128_GCM_SHA256. Reason: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:36)
at org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:374)
at org.apache.activemq.ActiveMQConnectionFactory.createActiveMQConnection(ActiveMQConnectionFactory.java:304)
at org.apache.activemq.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:244)
at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:180)
at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:474)
... 49 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Cause
The problem is caused by the signature algorithm used by the certificate authority to sign the certificate signing request. In some cases, the signature algorithm might be old and deprecated or it might be new and not yet supported.
Diagnosing The Problem
Once sudo cert-import is run the contents of the keystore can be queried.
sudo keytool -list -v -keystore /crypt/certs/keystore -storepass "$(sudo resutil keyvaultget -name "keystore")"
Looking at the output, specifically the "signature algorithm name," shows an unsupported algorithm.
Alias name: co3
Creation date: Nov 30, 2020
Entry type: keyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=resilient.domain.com, OU=Security, O=IT, C=US
Issuer: CN=IssuingCA, DC=ad, DC=domain, DC=com
Serial number: 3a000003a30ba61bh113859cab000999900003a3
Valid from: 11/30/20 11:29 AM until: 11/30/22 11:29 AM
Certificate fingerprints:
MD5: 02:AC:29:94:53:42:24:9C:2F:B5:FE:87:26:1E:02:D9
SHA1: 91:59:5E:7V:55:C8:47:51:66:16:DF:5T:88:68:35:5B:1A:CB:04:78
SHA256: G6:1C:7A:4F:05:E0:42:3D:V3:73:E1:8B:F2:48:E3:70:69:A3:61:D4:02:E8:3A:67:59:60:C3:20:32:AA:BV:77
Signature algorithm name: RSAPSS
Version: 3
RSAPSS is not yet supported by the Java Runtime Environment used by IBM Resilient v39.
In another instance, looking at the chain of certificates identified an intermediate SSL certificate signed by using an old algorithm md5WithRSAEncryption.
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 0 (0x0)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=US, O=IT, OU=Security, CN=Intermediate-signer
Validity
Not Before: Jan 14 17:41:51 2005 GMT
Not After : Jan 9 17:41:51 2025 GMT
Subject: C=US, O=IT, OU=Security, CN=Root-signer
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
The file /usr/lib/jvm/ibm-jdk-8/jre/lib/security/java.security defines the disabled algorithms. The md5WithRSAEncryption algorithm used by the intermediate certificate is a disabled algorithm.
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
The fact that neither of the algorithms are supported means the imported certificates could not load and thus the IBM Resilient service could not connect to the IBM Resilient Messaging service causing the reported problems.
Related Information
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"ARM Category":[{"code":"a8m0z000000cvqUAAQ","label":"Security SSL"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"}]
Was this topic helpful?
Document Information
Modified date:
19 April 2021
UID
ibm16373646