Environment:

  1. WebSphere Platform 8.5.5.0 [BASE 8.5.5.0 gm1319.01] running with process name Node01Cell\Node01\server1 and process id 9392
  2. Host Operating System is Windows Server 2012, version 6.2
  3. Java version = 1.6.0, Java Compiler = j9jit26, Java VM name = IBM J9 VM
  4. IBM MobileFirst 6.3.0.00.20141127-1357

An HTTP adapter is used to connect to the web service, which is over HTTPS with a certificate issued by an internal CA.

In order to access the web service, the internal root CA and web service public certificates were added manually in WAS as per the steps below.

SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > Add > Entering Alias Name & File Path.

But the same failed with the below error when using Retrieve from port.

ErrorReceived fatal alert: handshake_failure

However, I have verified that the internal CA and web service endpoint certificates are available in

${CONFIG_ROOT}/cells/Node01Cell/nodes/Node01/trust.p12

Those same certificates were added to the MFP default.keystore as well, and the keystore was enabled in the worklight.properties file.

Though the above configuration seems to be fine, the error below is logged when the request from the adapter is sent to the web service.

[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, setSoTimeout(120000) called
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O 
Is initial handshake: true
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O %% No cached client session
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O *** ClientHello, TLSv1
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O RandomCookie:  GMT: 1473400159 bytes = { 246, 214, 135, 72, 132, 51, 89, 33, 32, 31, 239, 155, 210, 120, 83, 221, 214, 84, 136, 207, 132, 51, 172, 126, 33, 192, 150, 43 }
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O Session ID:  {}
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O Compression Methods:  { 0 }
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O ***
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O [write] MD5 and SHA1 hashes:  len = 81

[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, WRITE: TLSv1 Handshake, length = 81
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O [Raw write]: length = 86

[3/22/17 14:09:35:744 ] 000000ae SystemOut     O [Raw read]: length = 5
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O 0000: 15 03 01 00 02                                     .....

[3/22/17 14:09:35:744 ] 000000ae SystemOut     O [Raw read]: length = 2
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O 0000: 02 28                                              ..

[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, READ: TLSv1 Alert, length = 2
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, RECV TLSv1 ALERT:  fatal, handshake_failure
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, called closeSocket()
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, called close()
[3/22/17 14:09:35:744 ] 000000ae SystemOut     O WebContainer : 4, called closeInternal(true)
[3/22/17 14:09:35:744 ] 000000ae DataAccessSer E  logError FWLSE0099E: An error occurred while invoking procedure  [project mobile]SampleAdapter/HttpRequestFWLSE0100E:  parameters: [project mobile]
Http request failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
FWLSE0101E: Caused by:  [project mobile]javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failurejava.lang.RuntimeException: Http request failed: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at com.worklight.adapters.http.HTTPConnectionManager.execute(HTTPConnectionManager.java:236)
    at com.worklight.adapters.http.HttpClientContext.doExecute(HttpClientContext.java:185)
    at com.worklight.adapters.http.HttpClientContext.execute(HttpClientContext.java:169)
    at com.worklight.adapters.http.HTTP.execRequest(HTTP.java:145)
    at com.worklight.adapters.http.HTTP.invoke(HTTP.java:134)

The web service URL is accessible from a browser, and the SSL lock displays in green with no errors or warnings.

"handshake_failure" would seem to indicate that the client (in this case, the WebSphere Application Server) and the server (the web service you're trying to use) have no cipher suites in common. - patbarron
It seems to be lower-level than certificate validity, maybe even lower-level than cipher suites. Do you have any logging from the client side? - Andrew McGuinness
Do you have a way to check the supported cipher suites of the server where the Web Service is running? (I'm assuming it's a different server than this one where you're running the HTTP adapter.) If it's an internet-facing server, ssllabs.com/ssltest is an easy way to see that information - dbreaux
@patbarron, in order to sync the cipher suites, what is the suggested way that I can test and make the necessary changes in WAS? - jais
You can refer to (ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/…) to see what protocols and cyphers have been enabled in your application server. And you can use nmap --script ssl-enum-ciphers -p <yourServerPort> <yourbackendServerHostname> to get the list of ciphers and protocols supported by your backend server. Eg: nmap --script ssl-enum-ciphers -p 443 google.com - Amith Kashyap
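
As an added example (not code from the question, the comments or IBM), the Python below decodes the raw alert bytes shown in the trace and lists what the ClientHello offered, which is the information to compare against the protocols and ciphers the backend accepts. The function names and the weak-suite substring list are this example's own assumptions.

```python
import re

# Excerpt of the javax.net.debug trace quoted in the question (log prefix stripped).
TRACE = """\
*** ClientHello, TLSv1
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_RENEGO_PROTECTION_REQUEST]
[Raw write]: length = 86
[Raw read]: length = 5
0000: 15 03 01 00 02                                     .....
[Raw read]: length = 2
0000: 02 28                                              ..
"""

VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}
# Substrings marking suites generally treated as weak (a heuristic assumed by this example).
WEAK_TAGS = ("RC4", "3DES", "_DES_", "EXPORT", "MD5", "NULL", "anon")

def raw_read_bytes(trace):
    """Concatenate the hex-dump bytes that follow '[Raw read]' markers (writes are skipped)."""
    out, reading = bytearray(), False
    for line in trace.splitlines():
        if "[Raw " in line:
            reading = "[Raw read]" in line
        elif reading:
            m = re.search(r"\b[0-9A-Fa-f]{4}: ((?:[0-9A-Fa-f]{2} )+)", line)
            if m:
                out += bytes.fromhex(m.group(1))
    return bytes(out)

def decode_alert(data):
    """Decode a plaintext TLS alert record: type 21, version, length 2, level, description."""
    if len(data) < 7 or data[0] != 21 or data[3:5] != b"\x00\x02":
        raise ValueError("not a plaintext alert record")
    return {"version": VERSIONS.get(tuple(data[1:3]), "unknown"),
            "level": LEVELS.get(data[5], "unknown"),
            "description": ALERTS.get(data[6], "alert(%d)" % data[6])}

def client_offer(trace):
    """Return (protocol, ciphers, weak) from the ClientHello; the renegotiation signalling value is dropped."""
    proto = re.search(r"\*\*\* ClientHello, (\S+)", trace).group(1)
    names = re.search(r"Cipher Suites: \[([^\]]*)\]", trace).group(1).split(", ")
    ciphers = [n for n in names if n != "SSL_RENEGO_PROTECTION_REQUEST"]
    return proto, ciphers, [n for n in ciphers if any(t in n for t in WEAK_TAGS)]

if __name__ == "__main__":
    print(decode_alert(raw_read_bytes(TRACE)), client_offer(TRACE)[0])
```

The alert arrives as the server's first response to the ClientHello, before any certificate is exchanged, and the hello offers TLSv1 with only three suites that the heuristic does not flag as weak.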

1 Answer

Apply the latest iFix for IBM MobileFirst Platform Foundation (6.3.0.0)

This should solve the issue because it contains the APAR PI42320 fix.