Comments on "A Portal to a Portal: Java to DB2 via TLS 1.2 - A new one on me"
Blog author: Dave Hay
Comment feed last updated: 2024-03-28T09:19:27.711+00:00
Ten comments, newest first.

----------------------------------------------------------------------
Dave Hay, 2017-08-25T14:00:19.611+01:00

Hi Prashant

Glad you've made progress.

The most recent exception implies that something is attempting to make a client connection INTO WAS from an external source, using an unsupported protocol (TLS v1.0), whereas you've probably got WAS locked down to only support TLS v1.2.

You can enable SSL tracing in WAS (check the Must Gather) to get further intel.

In addition, remember that any client tooling such as the WSAdmin client (which uses SOAP) will also need to be configured to use TLS 1.2, which requires soap.client.props and ssl.client.props to be updated.

Final consideration: remember that you may have clients making connections using browsers that don't support TLS v1.2, e.g. older versions of Internet Explorer etc.

Cheers, Dave

----------------------------------------------------------------------
Prashant More, 2017-08-24T12:31:30.586+01:00

Hi Dave,

If you know anything about the following error, your comments will be helpful to me.

Currently I have strictly enabled TLS 1.2 on WAS and DB2, and this error repeats continuously in the server startup logs.

I am getting the following error:

[8/24/17 16:27:18:209 IST] 00000048 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
    at com.ibm.jsse2.ab.B(ab.java:421)
    at com.ibm.jsse2.nc.b(nc.java:423)
    at com.ibm.jsse2.nc.c(nc.java:42)
    at com.ibm.jsse2.nc.wrap(nc.java:457)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:39)
    at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:747)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:566)
    at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:295)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
    at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
    at com.ibm.jsse2.j.a(j.java:9)
    at com.ibm.jsse2.nc.a(nc.java:556)
    at com.ibm.jsse2.ab.a(ab.java:133)
    at com.ibm.jsse2.ab.a(ab.java:304)
    at com.ibm.jsse2.cb.a(cb.java:611)
    at com.ibm.jsse2.cb.a(cb.java:244)
    at com.ibm.jsse2.ab.t(ab.java:74)
    at com.ibm.jsse2.ab$1.a(ab$1.java:2)
    at com.ibm.jsse2.ab$1.run(ab$1.java:3)
    at java.security.AccessController.doPrivileged(AccessController.java:456)
    at com.ibm.jsse2.ab$c_.run(ab$c_.java:4)
    at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:834)

Prashant More

----------------------------------------------------------------------
Prashant More, 2017-08-24T12:29:07.640+01:00

Hi Dave,

Thanks for your valuable time for all those comments.

I was able to resolve the TLS 1.2 handshake issue in the following way.

Basically, on the local environment I had earlier created a self-signed certificate using the following DB2 bin command:

gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "passw0rd" -label "dbmyselfsigned" -dn "CN=db.test.lfin.internal,O=test,OU=test,L=test,ST=test,C=US"

After further reading and reiterating, I found out that the above certificate is generated with the default KeySize=1024 and with the SHA1 signature algorithm, which is supposedly vulnerable, and I read that you should use the SHA 256, 384 or 512 algorithms.

So I created another certificate using the following command:

gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "passw0rd" -label "dbmyselfsigned" -dn "CN=db.test.lfin.internal,O=test,OU=test,L=test,ST=test,C=US" -size 2048 -sigalg SHA256withRSA

and extracted the certificate using the following command (usual step):

gsk8capicmd -cert -extract -db "mydbserver.kdb" -pw "passw0rd" -label "dbmyselfsigned" -target "mydbserver.arm" -format ascii -fips

and created a keystore from the .arm file using the keytool command:

keytool -import -file mydbserver.arm -keystore keystore

and provided this keystore and password before the SSL connection, and it worked, with proper server hello and key exchange steps in the debug logs.

Best Regards,
Prashant

----------------------------------------------------------------------
Dave Hay, 2017-08-21T13:13:45.726+01:00

Hi Prashant

Yeah, there are a few mentioned here - https://wiki.openssl.org/index.php/Binaries

Good luck :-)

----------------------------------------------------------------------
Prashant More, 2017-08-21T13:09:56.605+01:00

Hi Dave,

On Windows, is there any tool like OpenSSL to check whether we have configured TLS 1.2 correctly on DB2?

----------------------------------------------------------------------
Dave Hay, 2017-08-21T13:05:12.252+01:00

Hi Prashant

Sure, here you go: -

http://www-01.ibm.com/support/docview.wss?uid=swg21593214

Note that you'll need to log in with an IBM ID that's associated with the organisation that has purchased the WAS and/or DB2 licenses, typically via IBM Passport Advantage.

If you're an IBM Business Partner or Independent Software Vendor, then there will be someone in your organisation who has a similar level of access.

Cheers, Dave

----------------------------------------------------------------------
Prashant More, 2017-08-21T13:02:13.970+01:00

Hi Dave,

Appreciated your quick reply.

For our local system we create a WAS profile and configure the datasource. In Eclipse we add our project to the WAS server and start the server, which will normally start on the configured ports.

My local environment is as follows:
Windows 7, WAS 8.5.5.8 (IBM java_1.7_64), DB2 10.5.7.

Surprisingly, the following code, run directly as a Java application in Eclipse, works normally with a proper server hello message and key exchange:

    package com.ibm.ejs.container;

    import java.security.Security;
    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.ResultSet;
    import java.sql.Statement;
    import java.util.Properties;

    import javax.net.ssl.SSLContext;

    public class TestTLSDB2Connection {
        static String isSSLEnabled = "true";
        static String driver = "com.ibm.db2.jcc.DB2Driver";
        static String url = "jdbc:db2://localhost:60006/DBOQ26";
        static String user = "devuser";
        static String password = "Password1";

        public static void main(String sa[]) {
            Connection conn = null;
            try {
                Class.forName(driver);

                // JVM-wide trust store settings, left disabled: the per-connection
                // sslTrustStore* driver properties below are used instead.
                // Security.setProperty("ssl.SocketFactory.provider", "com.ibm.jsse2.SSLSocketFactoryImpl");
                // Security.setProperty("ssl.ServerSocketFactory.provider", "com.ibm.jsse2.SSLServerSocketFactoryImpl");
                // System.setProperty("javax.net.ssl.trustStoreType", "JKS");
                // System.setProperty("javax.net.ssl.trustStore", "C:/db2SSL/keystore");
                // System.setProperty("javax.net.ssl.trustStorePassword", "passw0rd");

                Properties props = new Properties();
                props.setProperty("user", user);
                props.setProperty("password", password);

                System.err.println("security.realm.ConnectionFactory.newInstance.........");

                if ((isSSLEnabled != null) && ("true".equalsIgnoreCase(isSSLEnabled))) {
                    // DB2 JCC driver properties: request TLS and point at the JKS
                    // trust store that holds the DB2 server's signer certificate.
                    props.setProperty("sslConnection", "true");
                    props.setProperty("sslTrustStoreLocation", "C:/db2SSL/keystore");
                    props.setProperty("sslTrustStorePassword", "passw0rd");

                    // Alternative, left disabled: force a TLSv1.2 default SSLContext.
                    // SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
                    // sslContext.init(null, null, null);
                    // SSLContext.setDefault(sslContext);

                    System.err.println("security.realm.ConnectionFactory.........SSL ON");
                } else {
                    System.err.println("security.realm.ConnectionFactory.........SSL OFF:" + isSSLEnabled);
                }

                conn = DriverManager.getConnection(url, props);
                System.err.println("Connection :" + conn);

                String query = "select * from TESTTABLE";

                Statement statement = conn.createStatement();
                ResultSet rs = statement.executeQuery(query);
                System.err.println(">>>Data");
                while (rs.next())
                    System.err.println(rs.getString(1) + " " + rs.getString(2));

                rs.close();
                statement.close();
            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                // Release the connection even if the handshake or query failed.
                if (conn != null) {
                    try { conn.close(); } catch (Exception ignore) { }
                }
            }
        }
    }

I have never raised a PMR request; can you please give me the URL where I can log this issue?

Prashant More

----------------------------------------------------------------------
Dave Hay, 2017-08-21T12:47:48.505+01:00

Hi Prashant

Thanks for the feedback.

With specific regard to the openssl command, that MAY only indicate that the OS from where you're running the command doesn't support TLS 1.2. I see that problem with macOS, as per this post - https://portal2portal.blogspot.co.uk/2016/12/openssl-tripped-and-fell-on-macos.html - whereas Red Hat Enterprise Linux 6 and 7 both include a later level of the openssl client code.

The symptoms that you're reporting are a 100% mirror of what I saw on Friday, which led me to update the JDBC drivers.

You could experiment by switching to a different, weaker cipher, in order to see whether that is blocking the handshake.

From where are you running your Java code? I was running it on RHEL using IBM Java 7. What JRE are you using?

Finally, have you yet raised a PMR with IBM Support? If not, I'd definitely recommend that approach.

Cheers, Dave

----------------------------------------------------------------------
Prashant More, 2017-08-21T12:14:23.057+01:00

Hi Dave,

I have DB2 v10.5.700.375 and have also changed the db2 jars in LIB to the proper version (4.19.49) mentioned in your blog link.
But I am still facing the same issue. I even tried using the latest db2 driver jar, version 4.23.42, but no luck on that front either.

I have followed http://www-01.ibm.com/support/docview.wss?uid=swg21993801 to configure DB2 for TLS 1.2:

SSL_SVR_KEYDB=C:\db2SSL\mydbserver.kdb
SSL_SVR_STASH=C:\db2SSL\mydbserver.sth
SSL_SVR_LABEL=dbmyselfsigned
SSL_SVCENAME=db2c_DB2_ssl
SSL_CIPHERSPECS= TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
SSL_VERSIONS=TLSV12

At the WAS profile configuration level I used this link for the TLS 1.2 config:
https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.jazz.install.doc%2Ftopics%2Ft_enable_tls1.2_was.html

I referred to the following link for the signer certificates retrieved from the port, and under the datasource I added the custom property sslConnection=true:
http://www-01.ibm.com/support/docview.wss?uid=swg21667093

>>> When I try to use openssl to see the cipher specs, the following error came, not the output mentioned for your command:

\openssl-0.9.8h-1-bin\bin>openssl s_client -showcerts -connect localhost:60006
Loading 'screen' into random state - done
CONNECTED(000001A0)
13356:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:./ssl/s23_clnt.c:585:

and in db2diag -f I got the following message:

2017-08-21-16.09.40.708000+330 I15963551F486 LEVEL: Error
PID : 12960 TID : 9436 PROC : db2syscs.exe
INSTANCE: DB2 NODE : 000
APPHDL : 0-150
HOSTNAME: DL-4RX3LC2
EDUID : 9436 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
          return code "402" in "sqlccSSLSocketSetup".

If you provide your mail I can send detailed logs.

Prashant More

----------------------------------------------------------------------
Prashant More, 2017-08-18T21:56:51.751+01:00

Hi Dave,

Thanks for your efforts; I'll check with the updated db jars and keep you updated accordingly.

It's the weekend now, so expect some delay in response. Have a good day.

Prashant More
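Two of the questions in this thread, whether a tool other than an old openssl build can confirm that the DB2 SSL port really negotiates TLS 1.2, and what the "Client requested protocol TLSv1 not enabled or not supported" message on the WAS side means, can be answered with a small client-side check. The following is an added example written for this page; it is not code from the blog post, from IBM, or from either commenter. It uses only the Python standard library, so it runs the same on Windows, and it assumes a host, port and optional trust-store file are supplied on the command line. The hint texts in HINTS are this example's own reading of common OpenSSL error strings, not vendor documentation.

```python
"""Check that a server port negotiates TLS 1.2 and explain common handshake failures.
Added example for this comment thread, not the blog post's or IBM's code."""
import socket
import ssl


def tls12_only_context(cafile=None):
    """Client context that offers only TLS 1.2, so a server limited to TLS 1.0/1.1
    (or a port that is not speaking TLS at all) fails fast with a clear error."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cafile is None:
        # Lab use against a self-signed server certificate that has not yet been
        # extracted and imported: skip chain validation but still report the
        # negotiated protocol and cipher. Supply cafile for a real check.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, cafile=None, timeout=5.0):
    """Return the negotiated protocol and cipher, or an explanation of why the
    handshake failed. Handshake problems are reported, not raised."""
    ctx = tls12_only_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(),
                        "cipher": tls.cipher()[0],
                        "cert_der": tls.getpeercert(binary_form=True)}
    except ssl.SSLError as exc:          # must precede OSError (SSLError is a subclass)
        return {"ok": False, "reason": explain(str(exc))}
    except OSError as exc:
        return {"ok": False, "reason": "tcp connect failed: %s" % exc}


# (substring of the OpenSSL/JSSE error text, configuration check to make); checked in order
HINTS = (
    ("unknown protocol", "server answered with something that is not TLS, or the client "
     "is too old to parse the reply (OpenSSL 0.9.8 predates TLS 1.2; use a 1.0.1+ build)"),
    ("wrong version number", "client and server disagree on the TLS version; confirm this "
     "is the SSL service port and check SSL_VERSIONS on the server"),
    ("unsupported protocol", "client offered only TLS 1.2 and the server does not enable "
     "it; check the server's SSL_VERSIONS / enabled protocol list"),
    ("protocol version", "peer rejected the offered version with an alert; one side is "
     "limited to TLS 1.0/1.1"),
    ("certificate verify failed", "the server's signer certificate is not in the trust "
     "store passed as cafile; extract it from the key database and import it"),
)


def explain(message):
    """Map an ssl/openssl error string to the configuration check to make."""
    lower = message.lower()
    for needle, hint in HINTS:
        if needle in lower:
            return hint
    return "unclassified TLS error: " + message


def classify_server_log(line):
    """Server-side counterpart for a WAS SSLC0008E line: the protocol named after
    'Client requested protocol' is what the *inbound client* offered, so that
    client (browser, wsadmin, another JVM) is the thing to reconfigure."""
    marker = "Client requested protocol"
    if marker in line and "not enabled or not supported" in line:
        proto = line.split(marker, 1)[1].split()[0]
        return ("inbound client still speaks %s; update that client's TLS settings "
                "(for wsadmin: ssl.client.props and soap.client.props)" % proto)
    return None


if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe(host, port, cafile))          # e.g. probe("localhost", 60006, "db2.pem")
```

Pointing it at the DB2 SSL port with the extracted signer certificate (converted to PEM) as the third argument gives a pass/fail answer that does not depend on the openssl build installed on the client machine; without the third argument it still reports the negotiated version and cipher but does not validate the certificate, which is only acceptable in a lab.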