IBM Support

SSL exception error in WebSphere Application Server javax.net.ssl.SSLException java.lang.ArrayIndexOutOfBoundsException: Array index out of range

Troubleshooting


Problem

SSL exception error in WebSphere Application Server javax.net.ssl.SSLException java.lang.ArrayIndexOutOfBoundsException: Array index out of range

The exception stack in the logs is as follows:

[1/21/20 14:19:03:880 GST] 00000001 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext CWWIM4520E  The 'javax.naming.CommunicationException: myldap.ibm.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64]' naming exception occurred during processing.
[1/21/20 14:19:03:880 GST] 00000001 exception     E com.ibm.ws.wim.adapter.ldap.LdapConnection getDirContext
                                 com.ibm.websphere.wim.exception.WIMSystemException: CWWIM4520E  The 'javax.naming.CommunicationException: myldap.ibm.com:636 [Root exception is javax.net.ssl.SSLException: java.lang.ArrayIndexOutOfBoundsException: Array index out of range: 64]' naming exception occurred during processing.
        at com.ibm.ws.wim.adapter.ldap.LdapConnection.getDirContext(LdapConnection.java:1877)
        at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:3173)

        at com.ibm.ws.wim.adapter.ldap.LdapConnection.checkSearchCache(LdapConnection.java:3104)
        at com.ibm.ws.wim.adapter.ldap.LdapConnection.search(LdapConnection.java:3281)
        at com.ibm.ws.wim.adapter.ldap.LdapConnection.searchEntities(LdapConnection.java:3502)
        at com.ibm.ws.wim.adapter.ldap.LdapAdapter.search(LdapAdapter.java:3437)

Resolving The Problem

The problem occurs because the handshake is performed with TLSv1 while a 2048-bit DH key is used. In IBMJSSE2, a 2048-bit DH key is allowed only when the handshake is performed with TLSv1.2.
To handle 2048-bit DH public keys, the handshake must use the TLSv1.2 protocol. Switching to SSL_TLSv2 allows TLSv1.2 to be used.
The following workarounds are available:
1. Switch to TLSv1.2 with 2048 DH keys
2. Switch to 1024 DH keys with TLSv1
3. Switch to SSL_TLSv2
4. Disable cipher suites which use DH/DHE key exchange

This problem is described in APAR IV73472: LARGE PRE-MASTER SECRET GENERATED FROM 2048 BIT DH KEY NOT DIGESTED IN TLSV1 AND TLSV1.1. The problem happens when the server side uses a large DH key (e.g. 2048 bit) in TLSv1/TLSv1.1 key exchange.
The recommended solution is to upgrade WebSphere Application Server and the JDK.
Workaround: You can configure WebSphere Application Server to use TLSv1.2 or SSL_TLSv2. Please see the following steps.

1. Log on to https://washostname:9043/ibm/console as a console user.
2. Go to Security > SSL certificate and key management > Manage endpoint security configurations. Select Node01 from the Inbound folder and click SSL configurations (NodeDefaultSSLsetting and CellDefaultSSLsetting). Note: Each node has its own NodeDefaultSSLsetting.
3. Select each SSL Configuration described above, then click Quality of protection (QoP) settings under Additional Properties.
4. On the Quality of protection (QoP) settings panel, select TLSv1.2 or SSL_TLSv2 from the pull-down list in the box named Protocol.
5. Click Apply and Save.
6. Update ssl.client.props
The SSL protocol is set with the com.ibm.ssl.protocol property in the ssl.client.props file. Edit the ssl.client.props file and set the com.ibm.ssl.protocol value to TLS.
For example, set com.ibm.ssl.protocol=TLSv1.2. This must be done for each ssl.client.props file under the following directories:
For more details, see the following technote:
How can I configure the Websphere Application Server SSL protocol to use TLSv1.2 ONLY?
https://www.ibm.com/support/pages/node/1077951
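An added example (not IBM's code and not part of the original technote): a Python check for step 6 that reads the text of an ssl.client.props file and reports every active com.ibm.ssl.protocol line whose value is not TLSv1.2 or SSL_TLSv2. The sample content and the alias ExampleSecondSettings are constructed for illustration, and the script assumes that each com.ibm.ssl.alias line precedes the settings it names and that properties use the key=value form.

```python
# Added example: audit ssl.client.props text for the protocol workaround.
ACCEPTED = {"TLSv1.2", "SSL_TLSv2"}   # values the workaround steps select
PROP = "com.ibm.ssl.protocol"
ALIAS = "com.ibm.ssl.alias"

# Constructed sample content, not taken from a real installation.
SAMPLE = """\
# constructed sample
com.ibm.ssl.alias=DefaultSSLSettings
com.ibm.ssl.protocol=SSL_TLS
#com.ibm.ssl.protocol=TLSv1.2
com.ibm.ssl.alias=ExampleSecondSettings
com.ibm.ssl.protocol = TLSv1.2
"""

def audit_protocol(text):
    """Return (line_no, alias, value, ok) for every active protocol line."""
    findings, alias = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank or commented-out property
            continue
        key, sep, value = line.partition("=")
        if not sep:                       # not a key=value line
            continue
        key, value = key.strip(), value.strip()
        if key == ALIAS:                  # assumption: alias precedes its settings
            alias = value
        elif key == PROP:
            findings.append((no, alias, value, value in ACCEPTED))
    return findings

def needs_change(text):
    """True if no active protocol line exists or any value is outside ACCEPTED."""
    found = audit_protocol(text)
    return not found or any(not ok for _, _, _, ok in found)

if __name__ == "__main__":
    for no, alias, value, ok in audit_protocol(SAMPLE):
        status = "ok" if ok else "CHANGE"
        print(f"line {no}: alias={alias} {PROP}={value} -> {status}")
    print("file needs editing:", needs_change(SAMPLE))
```

A setting that exists only as a commented-out line is reported as needing a change, because it has no effect on the handshake.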
Another workaround is to disable the cipher suites which use DH/DHE key exchange.
Remove the ciphers related to DH/DHE from the SSL configuration. See:
How to change strength/customize cipher suite groups in WebSphere Application Server
https://www.youtube.com/watch?reload=9&v=dheizcFimX0

Document Location

Worldwide


Document Information

Modified date:
15 April 2020

UID

ibm11275058