Wednesday, 30 March 2016

Oops, my WAS upgrade broke my TLS

I saw this earlier today: -

[30/03/16 11:35:53:371 BST] 00000001 ORBRas        E com.ibm.ws.orbimpl.transport.WSTransport createServerSocket P=152627:O=0:CT ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, Exception=java.lang.IllegalArgumentException: Cannot support SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with currently installed providers vmcid: 0x49421000  minor code: 77  completed: No - received while attempting to open server socket on port 9403 ].

[30/03/16 11:35:53:397 BST] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/ODMCell1Dmgr01/logs/ffdc/dmgr_498f4d6b_16.03.30_11.35.53.3748582431257869454898.txt com.ibm.ws.orbimpl.transport.WSTransport.startListening 805

[30/03/16 11:35:53:419 BST] 00000001 FfdcProvider  W com.ibm.ws.ffdc.impl.FfdcProvider logIncident FFDC1003I: FFDC Incident emitted on /opt/ibm/WebSphereProfiles/ODMCell1Dmgr01/logs/ffdc/dmgr_498f4d6b_16.03.30_11.35.53.3975558083781694628181.txt com.ibm.ws.orbimpl.transport.WSTransport.createListener 724

[30/03/16 11:35:53:420 BST] 00000001 WsServerImpl  E   WSVR0009E: Error occurred during startup com.ibm.ws.exception.RuntimeError: org.omg.CORBA.INTERNAL: CREATE_LISTENER_FAILED_4  vmcid: 0x49421000  minor code: 56  completed: No

whilst starting a WAS ND Deployment Manager.

Coincidentally (!) this happened RIGHT after I'd upgraded from WAS 8.5.5.4 to 8.5.5.8.

A quick Google search led me here: -


which said, in part: -

The problem can be related to unrestricted policy file due to SDK upgrade. Please download/install unrestricted policy files, the steps can be found at: http://www14.software.ibm.com/webapp/wsbroker/redirect?version=phil&product=was-nd-dist&topic=tsecegs (Under "Complete the following steps to download and install the new policy files:").

at which point I metaphorically slapped my forehead and said "Doh!".

I fired up my trusty CipherTest Java class: -

java -cp /mnt/Utilities/ CipherTest

which reported: -

FAILED: Max AES key length too small! (128).

I ran my script to update the Java policies to use the unrestricted world-wide ciphers: -

#!/bin/bash
cd /opt/ibm/WebSphere/AppServer/java/jre/lib/security
mv local_policy.jar local_policy.raj
mv US_export_policy.jar US_export_policy.raj
/opt/ibm/WebSphere/AppServer/java/bin/jar xvf /mnt/Java/unrestrictedpolicyfiles.zip
chmod a+rwx *.jar

and re-ran the CipherTest: -

java -cp /mnt/Utilities/ CipherTest

PASSED: Max AES key length OK! - >= 256 (2147483647).

Sorted :-) And "Doh!" And "SLAP!"

No comments: