Troubleshooting SSL Cipher issues in Netcool/ISM and ITCAM ISM

Question & Answer


Question

ITCAM ISM : HTTP Monitor SSL Cipher issues, what causes handshake failures?

Answer



The way to determine the cause of a handshake failure is to troubleshoot the problem through trial-and-error after checking available documentation, and whilst monitoring the TCP activity using snoop/tcpdump/Wireshark.

1. Confirm whether the existing cipher suite is compatible:

Set the cipher in the SSLCipherSuite property of https.props and attempt to
connect to the website. If it connects, the cipher is compatible; if handshaking
fails, an incompatible cipher is one possible reason. The HTTPS section of the
Reference Guide lists the ciphers available to the ISMs.


2. Additional information:

WGET allows you to mimic web browsers from the command line and supports SSL (see the Related Information section below).

You may also use the OpenSSL command line client tool to test the
connection (see the Related Information section below).


To list all available ciphers:

openssl ciphers

To test handshaking with the site:

openssl s_client -connect www2.btbroadbandoffice.com:443 -cipher MY_CIPHER

On success the certificate is displayed and you will be given a prompt for commands (e.g. "GET / HTTP/1.0").
On failure an error and reason will be displayed (e.g. "sslv3 alert handshake failure").


3. How to find the problem

If possible, use the standalone HTTPS monitor to test cipher support; it is
faster and easier. The ISMs use a reasonable suite by default (see the props
file) and support a large range of ciphers (see the HTTPS section of the
Reference Guide). However, not all standard OpenSSL ciphers are included in
the ISMs, because a few ciphers are patent-encumbered.

Try adding this to the https.props file:

SSLCipherSuite: "DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DES-CBC3-SHA:DES-CBC3-MD5:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:AES128-SHA:IDEA-CBC-SHA:IDEA-CBC-MD5:RC2-CBC-MD5:DHE-DSS-RC4-SHA:RC4-SHA:RC4-MD5:RC4-MD5:RC4-64-MD5:EXP1024-DHE-DSS-DES-CBC-SHA:EXP1024-DES-CBC-SHA:EXP1024-RC2-CBC-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:DES-CBC-MD5:EXP1024-DHE-DSS-RC4-SHA:EXP1024-RC4-SHA:EXP1024-RC4-MD5:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC2-CBC-MD5:EXP-RC4-MD5:EXP-RC4-MD5"

Again, if you need to verify independently whether a given cipher works, try the OpenSSL client with the -cipher option.
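The trial-and-error procedure above (one openssl s_client run per cipher in the https.props SSLCipherSuite list) can be scripted. The script below is an added example, not part of the IBM page or the ISM product: it reads the SSLCipherSuite value from an https.props file (a constructed sample is embedded; set ISM_PROPS to use a real one), de-duplicates the list, and reports OK or FAIL per cipher against the host named by the assumed ISM_TEST_HOST/ISM_TEST_PORT variables.

```shell
#!/bin/sh
# Added example, not from the IBM page: test every cipher in an ISM
# https.props SSLCipherSuite list against a host with openssl s_client.

# Print the cipher list from an https.props file. Accepts the page's
# "SSLCipherSuite :" spelling and optional double quotes around the value.
ism_cipher_list() {
    sed -n 's/^[[:space:]]*SSLCipherSuite[[:space:]]*:[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1"
}

# Split "a:b:c" into one name per line, dropping duplicates (the page's
# sample list repeats RC4-MD5 and EXP-RC4-MD5).
ism_cipher_names() {
    printf '%s\n' "$1" | tr ':' '\n' | awk 'NF && !seen[$0]++'
}

# Handshake with host:port using exactly one cipher. Success means s_client
# reports a negotiated cipher (not "Cipher is (NONE)"). The FAIL line shows
# whether the server sent an alert ("sslv3 alert handshake failure") or the
# local OpenSSL build lacks the cipher ("no cipher match").
test_cipher() {
    host=$1; port=$2; cipher=$3
    out=$(printf '' | openssl s_client -connect "$host:$port" -cipher "$cipher" 2>&1)
    if printf '%s\n' "$out" | grep -q 'Cipher is [^(]'; then
        echo "OK   $cipher"; return 0
    fi
    reason=$(printf '%s\n' "$out" | grep -i -m1 -e alert -e 'no cipher' -e error)
    echo "FAIL $cipher  ${reason:-(no reason reported)}"; return 1
}

# Constructed sample https.props; set ISM_PROPS to a real file to use it instead.
sample=${TMPDIR:-/tmp}/https.props.$$
printf 'SSLCipherSuite: "DHE-RSA-AES256-SHA:AES256-SHA:DES-CBC3-SHA:RC4-MD5:RC4-MD5"\n' > "$sample"
list=$(ism_cipher_list "${ISM_PROPS:-$sample}")
rm -f "$sample"

# Network tests run only when ISM_TEST_HOST (assumed variable) is set, e.g.
#   ISM_TEST_HOST=www.example.com ISM_TEST_PORT=443 sh ism_ciphers.sh
if [ -n "$ISM_TEST_HOST" ]; then
    ism_cipher_names "$list" | while read -r c; do
        test_cipher "$ISM_TEST_HOST" "${ISM_TEST_PORT:-443}" "$c"
    done
else
    echo "Ciphers that would be tested:"; ism_cipher_names "$list"
fi
```

Many of the export-grade, RC4 and single-DES entries in the page's list are no longer compiled into current OpenSSL builds, so they fail locally with "no cipher match" rather than a server alert; only a server alert tells you something about the site's configuration.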


4. Where is the local security certificate stored in the ISM?

Client certificates are not shipped with the monitor; you need to specify their location in https.props.
Server certificates are cached in memory only and discarded afterwards.

Related Information


Document Information

Modified date: 17 June 2018

UID: swg21292348