IBM Support

IBM InfoSphere Information Server has limited support on IBM WebSphere Application Server SP 800-131 and Suite B security mode

Troubleshooting


Problem

InfoSphere Information Server installation fails with pre-installed WebSphere Application Server with TLSV1.2 protocol, which is required by SP 800-131 and Suite B security mode.

Symptom

The InfoSphere Information Server installation fails with error message similar to "An error occurred opening the data stream from URL https://example.com:9443"

The WebSphere Application Server SystemOut.log has an SSLHandshake error which is similar to the following text:
[9/7/12 22:01:07:669 IST] 000000bb SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol SSLv3 not enabled or not supported
at com.ibm.jsse2.kb.z(kb.java:498)
at com.ibm.jsse2.SSLEngineImpl.b(SSLEngineImpl.java:459)
at com.ibm.jsse2.SSLEngineImpl.c(SSLEngineImpl.java:231)
at com.ibm.jsse2.SSLEngineImpl.wrap(SSLEngineImpl.java:359)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:6)

Cause

When WebSphere Application Server is configured with SP 800-131 and Suite B security mode, the TLSv1.2 SSL handshake protocol is required. The InfoSphere Information Server installation and patch installation don't support TLSv1.1 and TLSv1.2 SSL handshake protocol. InfoSphere Information Server supports SSL_TLSv2 protocol, which supports SSLv3, TLSv1, TLSv1.1 and TLSv1.2 protocols, with the following limitations and considerations.
- Since not all web browser are currently supporting TLSv1.1 and TLSv1.2 protocol, carefully plan ahead before switching to SP 800-131 or Suite B security mode.
- If WebSphere Application Server Web Server plug-in is used with the front-end HTTP server, the plugin doesn't connect to application server if it is configured to use TLSv1.1 or 1.2. It is addressed by WebSphere APAR PM69593.
- InfoSphere Information Server installation and patch installation currently do not support TLSv1.1 and TLSv1.2.

Resolving The Problem

Switch to FIPS140-2 mode or disable FIPS, then choose SSL_TLS, SSL or TLS protocol for an initial installation with a pre-installed WebSphere Application Server and when patches are installed. Regarding how to switch to FIPS140-2 mode or disable FIPS, please refer to WebSphere Information Center on the topic of "Manage FIPS". Regarding how to choose SSL_TLS, SSL or TLS protocol, please refer to WebSphere Application Server Information Center on the topic "Quality of protection (QoP) settings".
Apply APAR PM69593 for the WebSphere Application Server Web Server plug-in if it is used.

[{"Product":{"code":"SSZJPZ","label":"IBM InfoSphere Information Server"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.1","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21611207

Page Feedback