IBM Support

IV63290: SITUATION UPDATE FORWARDER CANNOT CONNECT VIA HTTPS WHEN TLS_RSA_WITH_AES_256_CBC_SHA CIPHER IS USED.


APAR status

  • Closed as program error.

Error description

  • Starting with 6.23 FP5, the Situation Update Forwarder (SUF)
    cannot connect via HTTPS to a management server when the
    management server is using the TLS_RSA_WITH_AES_256_CBC_SHA
    cipher.  Once the HTTPS connection fails, the code will try to
    connect with HTTP which will also fail.
    
    Approver:         MK
    
    Related Files and Output:   No error is logged; however, with
    tracing enabled, the log file /tmp/itmsync/logs/synch_trace.log
    will show a call using https followed by a call using http.
    If the https connection fails, the code will try using http.
    This failed https connection attempt can occur for other reasons
    besides this APAR.
    
    2014.08.06 15:50:38.237-04:00
    com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli
    Monitoring  Tivoli Event Synchronization system1.xxx.com IP SOAP
    URL is: https://system2.com:3661///cms/soap/kshhsoap.htm
    
    This is the second call, using http.
    
    2014.08.06 15:50:39.144-04:00
    com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli
    Monitoring  Tivoli Event Synchronization system1.xxx.com IP SOAP
    URL is: http://system2.com:3661///cms/soap/kshhsoap.htm
    
    After the above call fails, it will try again using http:
    2014.08.06 15:50:39.154-04:00
    com.tivoli.candlenet.SituationUpdateForwarder testConnection IBM
    Tivoli Monitoring  Tivoli Event Synchronization
    system1.tivlab.raleigh.ibm.com IP java.net.SocketException:
    Connection reset
      at java.net.SocketInputStream.read(SocketInputStream.java:168)
      at java.io.BufferedInputStream.fill(BufferedInputStream.java:218)
      at java.io.BufferedInputStream.read1(BufferedInputStream.java:258)
      at java.io.BufferedInputStream.read(BufferedInputStream.java:317)
      at sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:699)
      at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:642)
      at sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:664)
      at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1218)
      at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:379)
      at com.tivoli.candlenet.SOAPConnection.getResponseCode(Unknown Source)
      at com.tivoli.candlenet.SOAPConnection.getResponse(Unknown Source)
      at com.tivoli.candlenet.SituationUpdateForwarder.testConnection(Unknown Source)
      at com.tivoli.candlenet.SituationUpdateForwarder.main(Unknown Source)
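
    Because the fallback to http is not logged as an error, the trace has to be searched for the https-then-http pattern described above. The following Python check is an added example, not part of the APAR or of IBM's code; the sample entries and host names are constructed, and the function names and the 5-second pairing window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample in the layout of the trace excerpt above (not real log data).
SAMPLE_TRACE = """\
2014.08.06 15:50:38.237-04:00
com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli
Monitoring  Tivoli Event Synchronization host-a.example IP SOAP
URL is: https://tems.example:3661///cms/soap/kshhsoap.htm
2014.08.06 15:50:39.144-04:00
com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli
Monitoring  Tivoli Event Synchronization host-a.example IP SOAP
URL is: http://tems.example:3661///cms/soap/kshhsoap.htm
2014.08.06 16:10:02.010-04:00
com.tivoli.candlenet.SOAPConnection sendRequest IBM Tivoli
Monitoring  Tivoli Event Synchronization host-a.example IP SOAP
URL is: https://tems2.example:3661///cms/soap/kshhsoap.htm
"""

TS_RE = re.compile(r"^\s*(\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{2}:\d{2})")
URL_RE = re.compile(r"URL is:\s*(https?://\S+)")

def soap_calls(text):
    """Yield (timestamp, url) per SOAP URL line; works for wrapped or one-line entries."""
    ts = None
    for line in text.splitlines():
        m = TS_RE.match(line)
        if m:  # remember the most recent entry timestamp
            ts = datetime.strptime(m.group(1), "%Y.%m.%d %H:%M:%S.%f%z")
        m = URL_RE.search(line)
        if m and ts is not None:
            yield ts, urlsplit(m.group(1))

def find_fallbacks(text, window=timedelta(seconds=5)):
    """Return (https_time, http_time, host:port) where an https call was retried as http."""
    hits, prev = [], None
    for ts, url in soap_calls(text):
        if (prev and prev[1].scheme == "https" and url.scheme == "http"
                and prev[1].netloc == url.netloc and prev[1].path == url.path
                and ts - prev[0] <= window):
            hits.append((prev[0], ts, url.netloc))
        prev = (ts, url)
    return hits

if __name__ == "__main__":
    for t_https, t_http, target in find_fallbacks(SAMPLE_TRACE):
        print(f"{t_http.isoformat()} cleartext retry to {target} after https at {t_https.isoformat()}")
```

    As the APAR notes, a failed https attempt can have other causes, so a hit identifies a cleartext retry, not this specific cipher problem.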
    

Local fix

  • None.
    

Problem summary

  • Situation Update Forwarder cannot connect via HTTPS when
    TLS_RSA_WITH_AES_256_CBC_SHA CIPHER is used.
    
    
    Starting with 6.23 FP5 and 6.30 FP3 the Situation Update
    Forwarder (SUF) cannot connect to a monitoring server on z/OS
    when TLS_RSA_WITH_AES_256_CBC_SHA cipher is used.   The JRE
    shipped as part of SUF was updated to 1.6 SR13 FP2.
    
    In addition to a code change, updated JCE Policy Files are
    needed for some Cipher Suites.  See Install Actions section of
    the Conclusion of this APAR for more information.
    

Problem conclusion

  • The code was changed to include context TLS.   In addition to
    the code change, some cipher suites require an updated policy
    file.  See the Install Actions below for more details.
    
    Install Actions:
    
    In accordance with the United States of America export
    restrictions, Java(TM) that is bundled with the server has
    limited encryption key sizes that can be used in the server
    operation.  Some cipher suites, including
    TLS_RSA_WITH_AES_256_CBC_SHA, require the installation of the
    JCE Unlimited Strength Jurisdiction Policy Files.  The following
    link lists which cipher suites require the updated policy files.
    
    http://www.ibm.com/support/knowledgecenter/SSYKE2_6.0.0/com.ibm.java.security.component.60.doc/security-component/jsse2Docs/ciphersuites.html
    
    The following steps can be used to install the JCE Unlimited
    Strength Jurisdiction Policy files:
    
    Go to the following website:
    http://www.ibm.com/developerworks/java/jdk/security/index.html.
    - Click "Java SE 6".
    - Click "IBM SDK Policy files" under section "IBM SDK Policy
      files".
    - Click "ibm.com" website.  The Unrestricted JCE Policy files
      website is displayed.
    - Provide your IBM ID and password and click Sign in.  You
      might need to register with IBM to download the files.
    - Select "Files for Java 5.0 SR16, Java 6 SR13, Java 6 SR5 (J9
      VM2.6), Java 7 SR4, and all later releases" and click
      Continue.
    - View the license agreement and then select "I Agree".
    - Click I confirm and then Download now to save the file on the
      hard disk of your computer.
    
    - Install the files:
    -- Stop the SUF server.
    -- Extract the file: unrestricted.zip into a directory of your
       choice.
    -- Back up the existing files <SUF
       Install>/jre/lib/security/local_policy.jar and
       US_export_policy.jar.
    -- Copy the .jar files from the extraction directory to the
       following directory on the SUF server:
    ----  <SUF Install>/jre/lib/security
    -- Restart the SUF server.
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
      | fix pack | 6.3.0-TIV-ITM-FP0004
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV63290

  • Reported component name

    TEMS

  • Reported component ID

    5724C04MS

  • Reported release

    623

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-08-07

  • Closed date

    2014-09-09

  • Last modified date

    2014-12-20

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEMS

  • Fixed component ID

    5724C04MS

Applicable component levels

  • R630 PSY

       UP

Document Information

Modified date:
20 December 2014