Topic
  • 8 replies
  • Latest Post - 2013-11-22T17:16:04Z by LHuston
LHuston
5 Posts

Pinned topic Liberty and SP800-131 setup is failing

2013-11-20T21:10:06Z

I am attempting to set up Liberty with SP800-131 enabled. I've been following the documentation:

http://pic.dhe.ibm.com/infocenter/radhelp/v9/index.jsp?topic=%2Fcom.ibm.websphere.wlp.nd.multiplatform.doc%2Fae%2Ftwlp_sec_nist.html

I believe I have done all the steps appropriately, but as soon as I add -Dcom.ibm.jsse2.sp800-131=transition to the jvm.options file, I get a "program cannot display webpage" type error. It seems to be indicating that the application is not up and running, even though the logs tell a different story:

********************************************************************************
product = WebSphere Application Server 8.5.5.0 (wlp-1.0.3.20130510-0831)
wlp.install.dir = C:/wlp/
java.home = C:\Program Files\IBM\Java70\jre
java.version = 1.7.0
java.runtime = Java(TM) SE Runtime Environment (pwa6470sr6-20131015_01 (SR6))
os = Windows 7 (6.1; amd64) (en_US)
********************************************************************************
[11/20/13 9:58:03:364 CST] 00000001 com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=info.
[11/20/13 9:58:03:438 CST] 00000001 com.ibm.ws.kernel.launch.internal.FrameworkManager           A CWWKE0001I: The server FBFWCAServer has been launched.
[11/20/13 9:58:04:160 CST] 0000001b com.ibm.ws.config.internal.xml.XMLConfigParser               A CWWKG0028A: Processing included configuration resource: C:\wlp\usr\servers\FBFWCAServer\NISTSecurity.xml
[11/20/13 9:58:04:198 CST] 0000001c com.ibm.ws.logging.internal.TraceSpecification               I TRAS0018I: The trace state has been changed. The new trace state is *=audit:RRA=all:WAS.j2c=all.
[11/20/13 9:58:04:899 CST] 0000001b com.ibm.ws.security.internal.SecurityReadyServiceImpl        I CWWKS0007I: The security service is starting...
[11/20/13 9:58:05:024 CST] 00000026 com.ibm.ws.tcpchannel.internal.TCPChannel                    I CWWKO0219I: TCP Channel defaultHttpEndpoint has been started and is now listening for requests on host 127.0.0.1  (IPv4: 127.0.0.1) port 9081.
[11/20/13 9:58:05:508 CST] 0000001b com.ibm.ws.app.manager.internal.monitor.DropinMonitor        A CWWKZ0058I: Monitoring dropins for applications.
[11/20/13 9:58:05:720 CST] 00000026 com.ibm.ws.tcpchannel.internal.TCPChannel                    I CWWKO0219I: TCP Channel defaultHttpEndpoint-ssl has been started and is now listening for requests on host 127.0.0.1  (IPv4: 127.0.0.1) port 9448.
[11/20/13 9:58:05:882 CST] 0000002a com.ibm.ws.security.internal.SecurityReadyServiceImpl        I CWWKS0008I: The security service is ready.
[11/20/13 9:58:05:883 CST] 0000002a com.ibm.ws.security.token.ltpa.internal.LTPAKeyCreator       I CWWKS4105I: LTPA configuration is ready after 0.583 seconds.
[11/20/13 9:58:12:068 CST] 0000001e com.ibm.ws.http.internal.VirtualHostImpl                     A CWWKT0016I: Web application available (default_host): http://localhost:9081/FBFWCentralAdmin/
**********************************************************************************

I am using the IBM 7 SR 6 JDK:

C:\Users\IBM_ADMIN>java -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwa6470sr6-20131015_01(SR6))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows 7 amd64-64 Compressed References 20131013_170512 (JIT enabled, AOT enabled)
J9VM - R26_Java726_SR6_20131013_1510_B170512
JIT  - r11.b05_20131003_47443
GC   - R26_Java726_SR6_20131013_1510_B170512_CMPRSS
J9CL - 20131013_170512)
JCL - 20131011_01 based on Oracle 7u45-b18

I created a certificate that appears to have all the correct criteria. I used keytool to do so.

SSL certificate details:
Version V3
Signature algorithm: sha512RSA
Signature hash algorithm: sha512
Public Key RSA (2048Bits)
Thumbprint algorithm: sha1

I configured the server.xml to use TLSv1.2:

<featureManager>
    <feature>appSecurity-2.0</feature>
    <feature>ssl-1.0</feature>
</featureManager>

<keyStore id="defaultKeyStore"
          location="key.jks"
          type="JKS" password="{xor}xyz" />

<ssl id="FBFWCASSLConfig"
     keyStoreRef="defaultKeyStore"
     serverKeyAlias="selfsigned"
     clientAuthentication="true"
     sslProtocol="TLSv1.2" />

With all of the above I can access my application via SSL until I add the line to jvm.options to turn on SP800-131.

I added the following line to jvm.options:

-Dcom.ibm.jsse2.sp800-131=transition

At this point, the web application is no longer accessible from the browser. I have tried IE 9 with SSL 3.0 ON and TLS 1.2 ON, and the browser within RAD (not sure if TLS v1.2 is enabled or not).

I am at a loss as to what else needs to be enabled or changed for Liberty to work under SP800-131. Any assistance would be appreciated.

 

  • Alaine
    5 Posts
    ACCEPTED ANSWER

    Re: Liberty and SP800-131 setup is failing

    2013-11-22T15:38:10Z
    • LHuston
    • 2013-11-22T14:23:14Z

    Yes, I changed the password and left off a quote mark.

    I turned on the tracing. I think changing the certificate to a 256 did make a difference from the error two days ago. It seems to have a new error about not liking the certificate chain.

    The behavior is that when I turn on the server it asks for a security exception, which is reasonable since I have a self-created certificate, and then I get the "connection was interrupted" page.

    I am attaching the message and trace files from a single call to the server from the web page.

    The exception seems to be:
    O Default Executor-thread-3, fatal error: 40: null cert chain
    javax.net.ssl.SSLHandshakeException: null cert chain
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O %% Invalidated:  [Session-4, SSL_DHE_RSA_WITH_AES_128_CBC_SHA]
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O Default Executor-thread-3
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O , SEND TLSv1.2 ALERT: 
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O fatal,
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O description = handshake_failure
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O Default Executor-thread-3, WRITE: TLSv1.2 Alert, length = 2
    [11/22/13 8:15:43:707 CST] 00000026 SystemOut                                                    O Default Executor-thread-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
     

    You have client authentication enabled on the Liberty server. That error suggests your browser does not have a key. You need to import a personal certificate into your browser and make sure the Liberty server has the signer in its truststore. Or you can turn off clientAuthentication.

  • Alaine
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    2013-11-21T18:58:47Z

    Hi,

    Can you try using a certificate that is not sha512? Browsers don't seem to handle the sha512 signature algorithm. I never found an official statement, just something we concluded when we tried using a sha512 cert and looking at the jsse trace. We were able to access the server using a java program, just not from the browser. Please try a certificate that uses sha2 or sha3.

  • LHuston
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    2013-11-21T21:31:45Z
    • Alaine
    • 2013-11-21T18:58:47Z

    Hi,

    Can you try using a certificate that is not sha512? Browsers don't seem to handle the sha512 signature algorithm. I never found an official statement, just something we concluded when we tried using a sha512 cert and looking at the jsse trace. We were able to access the server using a java program, just not from the browser. Please try a certificate that uses sha2 or sha3.

    Hello!

    I tried creating a new certificate in a new jks. Again, if I change the jvm.options to:

    -Dcom.ibm.jsse2.sp800-131=off

    everything works in SSL. If I go back to:

    -Dcom.ibm.jsse2.sp800-131=transition

    I am not able to get a connection.

    I created the certificate with this command:
    C:\wlp\usr\servers\FBFWCAServer\resources\security>keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias 256selfsigned -keystore mykey.jks -storepass xyz -validity 36000 -keysize 2048

    I can see the certificate is being successfully used if I turn the sp800 off.

    Version V3
    Signature algorithm sha256RSA
    Signature hash algorithm sha256
    Public key RSA (2048 Bits)
    Thumbprint algorithm sha1

    I went into about:config in Firefox to ensure that TLS 1.2 was being used. It looked from some logs like it was falling back to TLSv1.1.

    I turned on Fiddler and checked what was going on (I've tried it outside Fiddler too, just in case).
    The output in Fiddler from a failed connection is:

    CONNECT ibm-8heamst5mh6:9448 HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Connection: keep-alive
    Connection: keep-alive
    Host: ibm-8heamst5mh6:9448

    A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

    Version: 3.3 (TLS/1.2)
    Random: 52 8E 75 40 BC 24 68 46 21 A9 6D F0 25 74 8D 53 7E 62 58 AB AA 13 74 00 F9 A1 91 E0 87 6F B0 1D
    SessionID: empty

    Extensions:
    server_name ibm-8heamst5mh6
    renegotiation_info 00
    elliptic_curves 00 06 00 17 00 18 00 19
    ec_point_formats 01 00
    SessionTicket TLS empty
    NextProtocolNegotiation empty
    signature_algorithms 00 10 04 01 05 01 02 01 04 03 05 03 02 03 04 02 02 02

    Ciphers:
    [C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    [C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
    [0088] TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
    [0087] TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
    [0039] TLS_DHE_RSA_WITH_AES_256_SHA
    [0038] TLS_DHE_DSS_WITH_AES_256_SHA
    [C00F] TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    [C005] TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    [0084] TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
    [0035] TLS_RSA_AES_256_SHA
    [C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    [C007] TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
    [C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
    [C011] TLS_ECDHE_RSA_WITH_RC4_128_SHA
    [0045] TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
    [0044] TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
    [0033] TLS_DHE_RSA_WITH_AES_128_SHA
    [0032] TLS_DHE_DSS_WITH_AES_128_SHA
    [C00E] TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    [C00C] TLS_ECDH_RSA_WITH_RC4_128_SHA
    [C004] TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    [C002] TLS_ECDH_ECDSA_WITH_RC4_128_SHA
    [0096] TLS_RSA_WITH_SEED_CBC_SHA
    [0041] TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
    [002F] TLS_RSA_AES_128_SHA
    [0005] SSL_RSA_WITH_RC4_128_SHA
    [0004] SSL_RSA_WITH_RC4_128_MD5
    [C008] TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    [C012] TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    [0016] SSL_DHE_RSA_WITH_3DES_EDE_SHA
    [0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
    [C00D] TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
    [C003] TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
    [FEFF] SSL_RSA_FIPS_WITH_3DES_EDE_SHA
    [000A] SSL_RSA_WITH_3DES_EDE_SHA

    Compression:
    [00] NO_COMPRESSION


    I am 'guessing' that using SHA256 in my certificate should now be working with TLS_DHE_RSA_WITH_AES_256_SHA. I double checked in OpenSSL and that is a TLSv1.2 cipher.

    I also turned on the was security logging and get the following exception:

    -----Start of DE processing------ = [11/21/13 14:44:45:324 CST]
    Exception = java.lang.IllegalArgumentException
    Source = com.ibm.ws.channel.ssl.internal.SSLConnectionLink
    probeid = 238
    Stack Dump = java.lang.IllegalArgumentException: SSL protocol cannot be enabled in FIPS/SP800_131/suiteb mode
     at com.ibm.jsse2.pb.a(pb.java:86)
     at com.ibm.jsse2.pb.<init>(pb.java:77)
     at com.ibm.jsse2.nc.a(nc.java:477)
     at com.ibm.jsse2.nc.<init>(nc.java:271)
     at com.ibm.jsse2.dc.engineCreateSSLEngine(dc.java:33)
     at javax.net.ssl.SSLContext.createSSLEngine(SSLContext.java:24)
     at com.ibm.ws.channel.ssl.internal.SSLUtils.getSSLEngine(SSLUtils.java:1129)
     at com.ibm.ws.channel.ssl.internal.SSLConnectionLink.ready(SSLConnectionLink.java:268)
     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:174)
     at com.ibm.ws.tcpchannel.internal.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:83)
     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.requestComplete(WorkQueueManager.java:502)
     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.attemptIO(WorkQueueManager.java:550)
     at com.ibm.ws.tcpchannel.internal.WorkQueueManager.workerRun(WorkQueueManager.java:899)
     at com.ibm.ws.tcpchannel.internal.WorkQueueManager$Worker.run(WorkQueueManager.java:981)
     at com.ibm.ws.threading.internal.Worker.executeWork(Worker.java:439)
     at com.ibm.ws.threading.internal.Worker.run(Worker.java:421)
     at java.lang.Thread.run(Thread.java:804)

    Dump of callerThis
    Object type = com.ibm.ws.channel.ssl.internal.SSLConnectionLink
      tc = class com.ibm.websphere.ras.TraceComponent@36dcb5dd
        strings[0] = "TraceComponent[com.ibm.ws.channel.ssl.internal.SSLConnectionLink,class com.ibm.ws.channel.ssl.internal.SSLConnectionLink,[SSLChannel],com.ibm.ws.channel.ssl.internal.resources.SSLChannelMessages,null]"
      LINKCONFIG = "SSLLINKCONFIG"
      sslChannel = class com.ibm.ws.channel.ssl.internal.SSLChannel@bcbee8b
        tc = class com.ibm.websphere.ras.TraceComponent@91d272f
          strings[0] = "TraceComponent[com.ibm.ws.channel.ssl.internal.SSLChannel,class com.ibm.ws.channel.ssl.internal.SSLChannel,[SSLChannel],com.ibm.ws.channel.ssl.internal.resources.SSLChannelMessages,null]"
        SSL_DISCRIMINATOR_STATE = "SSLDiscState"
        discProcess = class com.ibm.ws.channelfw.internal.discrim.DiscriminationProcessImpl@644efcf5
          tc = class com.ibm.websphere.ras.TraceComponent@dcbd8ca6
          discriminantClass = class java.lang.Class@c07da67e
          discriminationAlgorithm = class com.ibm.ws.channelfw.internal.discrim.SingleDiscriminatorAlgorithm@2fe97370
          status = 1
          STARTED = 1
          STOPPED = 2
          indexLock = class java.lang.Object@446d5b29
          masterIndex = 5
          myIndex = 3
          name = "SSL-defaultHttpEndpoint-ssl_CFINTERNAL_CHILD_0"
          discriminators = class com.ibm.ws.channelfw.internal.discrim.DiscriminatorNode@1e839c15
          discAL = class java.util.ArrayList@c57d816a
          channelList = interface com.ibm.wsspi.channelfw.Channel[1]
          changed = true
        sslConfig = class com.ibm.ws.channel.ssl.internal.SSLChannelData@36bc657e
          tc = class com.ibm.websphere.ras.TraceComponent@64137d88
          ENCRYPT_BUFFERS_DIRECT = "encryptBuffersDirect"
          DECRYPT_BUFFERS_DIRECT = "decryptBuffersDirect"
          SSLSESSION_CACHE_SIZE = "SSLSessionCacheSize"
          SSLSESSION_TIMEOUT = "SSLSessionTimeout"
          SSLSESSION_TIMEOUT_8500 = "sessionTimeout"
          DEFAULT_ENCRYPT_BUFFERS_DIRECT = "true"
          DEFAULT_DECRYPT_BUFFERS_DIRECT = "false"
          DEFAULT_SSLSESSION_CACHE_SIZE = 100
          DEFAULT_SSLSESSION_TIMEOUT = 86400
          ALIAS_KEY = "alias"
          name = "SSL-defaultHttpEndpoint-ssl_CFINTERNAL_CHILD_0"
          encryptBuffersDirect = true
          decryptBuffersDirect = false
          weight = 10
          isInbound = true
          clientAuthentication = false
          properties = class java.util.Properties@6522757c
          sslSessionCacheSize = 100
          sslSessionTimeout = 86400
        isInitialized = true
        handshakeErrorTracker = class com.ibm.ws.channel.ssl.internal.SSLHandshakeErrorTracker@c2c3bd5a
          tc = class com.ibm.websphere.ras.TraceComponent@cf9949bd
          shouldLogError = true
          maxLogEntries = 100
          numberOfLogEntries = 0
          loggingStopped = false
        alias = "defaultSSLConfig"
        endPointName = "defaultHttpEndpoint-ssl"
        inboundHost = "ibm-8heamst5mh6"
        inboundPort = "9448"
        jsseProvider = class com.ibm.ws.ssl.provider.IBMJSSEProvider@feca1757
          tc = class com.ibm.websphere.ras.TraceComponent@e7034ee2
          tc = class com.ibm.websphere.ras.TraceComponent@75e72371
          pkcsStoreList = class com.ibm.ws.ssl.core.WSPKCSInKeyStoreList@669d32fb
          sslContextCacheJAVAX = class java.util.HashMap@3521ad01
          URL_HANDLER_PROP = "java.protocol.handler.pkgs"
          PKGNAME_DELIMITER = "|"
          handlersInitialized = true
          keyManager = "IbmX509"
          trustManager = "PKIX"
          contextProvider = "IBMJSSE2"
          keyStoreProvider = null
          socketFactory = "com.ibm.websphere.ssl.protocol.SSLSocketFactory"
          protocolPackageHandler = "com.ibm.net.ssl.www2.protocol"
          defaultProtocol = "SSL_TLS"
          getCtxClassLoader = class com.ibm.ws.ssl.provider.AbstractJSSEProvider$3@8c6377f8
        jsseHelper = class com.ibm.websphere.ssl.JSSEHelper@f387fda1
          tc = class com.ibm.websphere.ras.TraceComponent@c78dc2f8
          GET_SSLCONFIG = class com.ibm.websphere.security.WebSphereRuntimePermission@eb786f39
          SET_SSLCONFIG = class com.ibm.websphere.security.WebSphereRuntimePermission@858b36bf
          DIRECTION_INBOUND = "inbound"
          DIRECTION_OUTBOUND = "outbound"
          DIRECTION_UNKNOWN = "unknown"
          ENDPOINT_IIOP = "IIOP"
          ENDPOINT_HTTP = "HTTP"
          ENDPOINT_SIP = "SIP"
          ENDPOINT_JMS = "JMS"
          ENDPOINT_BUS_CLIENT = "BUS_CLIENT"
          ENDPOINT_BUS_TO_WEBSPHERE_MQ = "BUS_TO_WEBSPHERE_MQ"
          ENDPOINT_BUS_TO_BUS = "BUS_TO_BUS"
          ENDPOINT_CLIENT_TO_WEBSPHERE_MQ = "CLIENT_TO_WEBSPHERE_MQ"
          ENDPOINT_LDAP = "LDAP"
          ENDPOINT_ADMIN_SOAP = "ADMIN_SOAP"
          ENDPOINT_ADMIN_IPC = "ADMIN_IPC"
          CONNECTION_INFO_DIRECTION = "com.ibm.ssl.direction"
          CONNECTION_INFO_ENDPOINT_NAME = "com.ibm.ssl.endPointName"
          CONNECTION_INFO_REMOTE_HOST = "com.ibm.ssl.remoteHost"
          CONNECTION_INFO_REMOTE_PORT = "com.ibm.ssl.remotePort"
          CONNECTION_INFO_CERT_MAPPING_HOST = "com.ibm.ssl.certMappingHost"
          CONNECTION_INFO_IS_WEB_CONTAINER_INBOUND = "com.ibm.ssl.isWebContainerInbound"
        isZOS = false
        sessionContext = null
        myFactory = class com.ibm.ws.channel.ssl.internal.SSLChannelFactoryImpl@40529d27
          existingChannels = class java.util.HashMap@54147a6
          commonProperties = null
      linkConfig = class com.ibm.ws.channel.ssl.internal.SSLLinkConfig@2e54a7dc
        tc = class com.ibm.websphere.ras.TraceComponent@b5bb4fda
          strings[0] = "TraceComponent[com.ibm.ws.channel.ssl.internal.SSLLinkConfig,class com.ibm.ws.channel.ssl.internal.SSLLinkConfig,[SSLChannel],com.ibm.ws.channel.ssl.internal.resources.SSLChannelMessages,null]"
        myConfig = class com.ibm.websphere.ssl.SSLConfig@fc42f951
          serialVersionUID = 5592062346302545106
          tc = class com.ibm.websphere.ras.TraceComponent@5ca7e462
          serialVersionUID = 4112578634029874840
          defaults = null
          hexDigit = {0123456789ABCDEF} /* array length = 16*/
          table = class java.util.Hashtable$Entry[47]
          count = 34
          threshold = 35
          loadFactor = 0.75
          modCount = 36
          serialVersionUID = 1421746759512286392
          ALTERNATIVE_HASHING_THRESHOLD_DEFAULT = 2147483647
          hashSeed = 0
          MAX_ARRAY_SIZE = 2147483639
          keySet = null
          entrySet = class java.util.Collections$SynchronizedSet@e4cce5cc
          values = null
          KEYS = 0
          VALUES = 1
          ENTRIES = 2
      sslEngine = null
      readInterface = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext@aea9c4df
        tc = class com.ibm.websphere.ras.TraceComponent@fbb807d7
          strings[0] = "TraceComponent[com.ibm.ws.channel.ssl.internal.SSLReadServiceContext,class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext,[SSLChannel],com.ibm.ws.channel.ssl.internal.resources.SSLChannelMessages,null]"
        callback = null
        callerRequiredAllocation = false
        jITAllocateSize = 0
        netBuffer = null
        decryptedNetBuffers = null
        decryptedNetLimitInfo = null
        decryptedNetPosInfo = {0} /* array length = 1*/
        unconsumedDecData = null
        decryptedNetBufferReleaseRequired = false
        deviceReadContext = null
        bytesProduced = 0
        bytesRequested = 0
        netBufferMark = 0
        queuedWork = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$QueuedWork@18e2fb76
          READ = 0
          ERROR = 1
          COMPLETE = 2
          numBytes = 0
          userCallback = null
          timeout = 0
          vc = null
          tcpReadRequestContext = null
          exception = null
          action = 0
          this$0 = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext@aea9c4df
        readCallback = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext$SSLReadCompletedCallback@31e7cfe2
          myCallback = null
          readContext = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext@aea9c4df
          this$0 = class com.ibm.ws.channel.ssl.internal.SSLReadServiceContext@aea9c4df
        readNeededInternalException = class com.ibm.ws.channel.ssl.internal.exception.ReadNeededInternalException@a2f47a96
          serialVersionUID = -3236620232328367856
          serialVersionUID = 4309702246400782423
          suppressFFDC = false
          serialVersionUID = 7351509803790105244
          serialVersionUID = -3387516993124229948
          serialVersionUID = -3042686055658047285
          detailMessage = "All available data read, but more needed, read again"
          walkback = {794148051,794126510,789757925,787921015,787848473,787915996,787915579,787695695,787695961,787698079,793524135,786624341,786624185,780368465} /* array length = 14*/
          cause = class com.ibm.ws.channel.ssl.internal.exception.ReadNeededInternalException@a2f47a96
          stackTrace = null
          ZeroElementArray = class java.lang.Throwable[0]
          ZeroStackTraceElementArray = class java.lang.StackTraceElement[0]
          suppressedExceptions = class java.util.Collections$EmptyList@c13b6602
          enableWritableStackTrace = true
        sessionClosedException = class com.ibm.ws.channel.ssl.internal.exception.SessionClosedException@6fb50474
          serialVersionUID = 2648809003861385674
          serialVersionUID = 4309702246400782423
          suppressFFDC = false
          serialVersionUID = 7351509803790105244
          serialVersionUID = -3387516993124229948
          serialVersionUID = -3042686055658047285
          detailMessage = "SSL engine is closed"
          walkback = {794148064,794126510,789757925,787921015,787848473,787915996,787915579,787695695,787695961,787698079,793524135,786624341,786624185,780368465} /* array length = 14*/
          cause = class com.ibm.ws.channel.ssl.internal.exception.SessionClosedException@6fb50474
          stackTrace = null
          ZeroElementArray = class java.lang.Throwable[0]
          ZeroStackTraceElementArray = class java.lang.StackTraceElement[0]
          suppressedExceptions = class java.util.Collections$EmptyList@c13b6602
          enableWritableStackTrace = true
        connectionLink = class com.ibm.ws.channel.ssl.internal.SSLConnectionLink@e158ff53
        buffers = null
        defaultBuffers = interface com.ibm.wsspi.bytebuffer.WsByteBuffer[1]
          defaultBuffers[0] = null
        config = class com.ibm.ws.channel.ssl.internal.SSLChannelData@36bc657e
        myVC = class com.ibm.ws.channelfw.internal.InboundVirtualConnectionImpl@78d2199
        myVCHashCode = 126689689
      writeInterface = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext@df57a0fd
        tc = class com.ibm.websphere.ras.TraceComponent@98c3b740
          strings[0] = "TraceComponent[com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext,class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext,[SSLChannel],com.ibm.ws.channel.ssl.internal.resources.SSLChannelMessages,null]"
        callback = null
        encryptedAppBuffer = null
        queuedWork = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext$QueuedWork@38e1156d
          numBytes = 0
          userCallback = null
          timeout = 0
          vc = null
          tcpWriteRequestContext = null
          exception = null
          isWrite = true
          this$0 = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext@df57a0fd
        handshakeCallback = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext$MyHandshakeCompletedCallback@a3062a01
          writeContext = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext@df57a0fd
          numBytes = 0
          timeout = 0
          netBuffer = null
          decryptedNetBuffer = null
          this$0 = class com.ibm.ws.channel.ssl.internal.SSLWriteServiceContext@df57a0fd
        asyncBytesToWrite = 0
        asyncTimeout = 0
        connectionLink = class com.ibm.ws.channel.ssl.internal.SSLConnectionLink@e158ff53
        buffers = null
        defaultBuffers = interface com.ibm.wsspi.bytebuffer.WsByteBuffer[1]
          defaultBuffers[0] = null
        config = class com.ibm.ws.channel.ssl.internal.SSLChannelData@36bc657e
        myVC = class com.ibm.ws.channelfw.internal.InboundVirtualConnectionImpl@78d2199
        myVCHashCode = 126689689
      deviceServiceContext = class com.ibm.ws.tcpchannel.internal.TCPConnLink@16d71101
        strings[0] = "TCPConnLink@383193345: tcpChannel=com.ibm.ws.tcpchannel.internal.NioTCPChannel@b469b061"
        strings[1] = "TCPConnLink@383193345: closed=false"
        strings[2] = "TCPConnLink@383193345: socketIOChannel=com.ibm.ws.tcpchannel.internal.NioSocketIOChannel@6ec0a414"
        strings[3] = "NioSocketIOChannel@1858118676: closed=false"
        strings[4] = "NioSocketIOChannel@1858118676: processClose=true"
        strings[5] = "NioSocketIOChannel@1858118676: checkCancel=false"
        strings[6] = "NioSocketIOChannel@1858118676: tcpChannel=com.ibm.ws.tcpchannel.internal.NioTCPChannel@b469b061"
        strings[7] = "NioSocketIOChannel@1858118676: socket=Socket[addr=/192.168.0.8,port=60174,localport=9448]"
        strings[8] = "NioSocketIOChannel@1858118676: remoteAddr=/192.168.0.8"
        strings[9] = "NioSocketIOChannel@1858118676: remotePort=60174"
        strings[10] = "NioSocketIOChannel@1858118676: localAddr=/192.168.0.8"
        strings[11] = "NioSocketIOChannel@1858118676: localPort=9448"
        strings[12] = "NioSocketIOChannel@1858118676: channel=java.nio.channels.SocketChannel[connected local=/192.168.0.8:9448 remote=/192.168.0.8:60174]"
        strings[13] = "TCPConnLink@383193345: numReads=1"
        strings[14] = "TCPConnLink@383193345: numWrites=0"
        strings[15] = "TCPConnLink@383193345: callCompleteLocal=false"
      deviceReadInterface = class com.ibm.ws.tcpchannel.internal.NioTCPReadRequestContextImpl@f9c8b09a
        strings[0] = "NioTCPReadRequestContextImpl@-104288102: aborted=false"
        strings[1] = "NioTCPReadRequestContextImpl@-104288102: forceQueue=false"
        strings[2] = "NioTCPReadRequestContextImpl@-104288102: ioAmount=1"
        strings[3] = "NioTCPReadRequestContextImpl@-104288102: ioCompleteAmt=197"
        strings[4] = "NioTCPReadRequestContextImpl@-104288102: ioDoneAmt=0"
        strings[5] = "NioTCPReadRequestContextImpl@-104288102: lastIOAmt=197"
        strings[6] = "NioTCPReadRequestContextImpl@-104288102: isRead=true"
        strings[7] = "NioTCPReadRequestContextImpl@-104288102: timeoutInterval=60000"
        strings[8] = "NioTCPReadRequestContextImpl@-104288102: timeoutTime=1385066745277"
        strings[9] = "NioTCPReadRequestContextImpl@-104288102: link=com.ibm.ws.tcpchannel.internal.TCPConnLink@16d71101"
        strings[10] = "TCPConnLink@383193345: tcpChannel=com.ibm.ws.tcpchannel.internal.NioTCPChannel@b469b061"
        strings[11] = "TCPConnLink@383193345: closed=false"
        strings[12] = "TCPConnLink@383193345: socketIOChannel=com.ibm.ws.tcpchannel.internal.NioSocketIOChannel@6ec0a414"
        strings[13] = "NioSocketIOChannel@1858118676: closed=false"
        strings[14] = "NioSocketIOChannel@1858118676: processClose=true"
        strings[15] = "NioSocketIOChannel@1858118676: checkCancel=false"
        strings[16] = "NioSocketIOChannel@1858118676: tcpChannel=com.ibm.ws.tcpchannel.internal.NioTCPChannel@b469b061"
        strings[17] = "NioSocketIOChannel@1858118676: socket=Socket[addr=/192.168.0.8,port=60174,localport=9448]"
        strings[18] = "NioSocketIOChannel@1858118676: remoteAddr=/192.168.0.8"
        strings[19] = "NioSocketIOChannel@1858118676: remotePort=60174"
        strings[20] = "NioSocketIOChannel@1858118676: localAddr=/192.168.0.8"
        strings[21] = "NioSocketIOChannel@1858118676: localPort=9448"
        strings[22] = "NioSocketIOChannel@1858118676: channel=java.nio.channels.SocketChannel[connected local=/192.168.0.8:9448 remote=/192.168.0.8:60174]"
        strings[23] = "TCPConnLink@383193345: numReads=1"
        strings[24] = "TCPConnLink@383193345: numWrites=0"
        strings[25] = "TCPConnLink@383193345: callCompleteLocal=false"

    I would guess that the issue is still an SSL certificate SP800 incompatibility. When I force Firefox to use just TLSv1.2 I get a similar problem. I am thinking then that the issue is that SP800 is requiring TLS 1.2, which is then failing.

    However, I have no idea what other certificate to try that is compatible with both SP800 and my browser. IE also gives the same results; I've just fiddled more with FF.

    If anyone has suggestions on what I could do differently, I would appreciate it.

    The Liberty documentation is pretty scant on exactly what to create that would be compatible with most browsers. It just has this:
    Certificates must be signed with a signature algorithm of SHA256, SHA384, or SHA512. Valid signatureAlgorithms include:

    • SHA256withRSA
    • SHA384withRSA
    • SHA512withRSA
    • SHA256withECDSA
    • SHA384withECDSA
    • SHA512withECDSA

    Thanks! Lisa

  • Alaine
    Alaine
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-21T22:02:25Z  

    Missed this the first time, is FBFWCASSLConfig set as the default SSL configuration?

    e.g.

    <sslDefault sslRef="FBFWCASSLConfig" />

  • LHuston
    LHuston
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-21T22:59:02Z  
    • Alaine
    • ‏2013-11-21T22:02:25Z

    I went ahead and added that, but it didn't change the outcome. I believe the correct SSL certificate and keystore is being used, since it works fine in SSL with SP800 turned off and in TLSv1 mode. I can log into my application and view the certificate being used, which is the correct one.

    Here is my current SSL configuration in the server.xml just in case I have missed something:

    <keyStore id="defaultKeyStore"
        location="mykey.jks"
        type="JKS" password="{xor}xyz/>

    <sslDefault sslRef="FBFWCASSLConfig" />

    <ssl id="FBFWCASSLConfig"
        keyStoreRef="defaultKeyStore"
        serverKeyAlias="256selfsigned"
        clientAuthentication="true"
        sslProtocol="TLSv1.2" />

  • Alaine
    Alaine
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-21T23:08:43Z  
    • LHuston
    • ‏2013-11-21T22:59:02Z

    Well, you are missing a quote on the password, e.g. password="{xor}xyz"

    I really would have expected an error related to the keystore load in that case though. So I was assuming it was a typo in the post, figured you did not want to put your real password here.

    Anyway, the error suggests that the server is using SSL for the protocol and not TLSv1.2. I assumed it was not picking up the SSL configuration. So can you collect a Liberty trace with the trace string SSL=all and enable JSSE trace with -Djavax.net.debug=all. I can take a look.

  • LHuston
    LHuston
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-22T14:23:14Z  
    • Alaine
    • ‏2013-11-21T23:08:43Z

    Yes, I changed the password and left off a quote mark.

    I turned on the tracing. I think changing the certificate to a 256 did make a difference from the error two days ago. It seems to have a new error about not liking the certificate chain.

    The behavior is that when I turn on the server it asks for a security exception, which is reasonable since I have a self-created certificate, and then I get the "connection was interrupted" page.

    I am attaching the message and trace files from a single call to the server from the web page.

    The exception seems to be:
    O Default Executor-thread-3, fatal error: 40: null cert chain
    javax.net.ssl.SSLHandshakeException: null cert chain
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O %% Invalidated:  [Session-4, SSL_DHE_RSA_WITH_AES_128_CBC_SHA]
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O Default Executor-thread-3
    [11/22/13 8:15:43:705 CST] 00000026 SystemOut                                                    O , SEND TLSv1.2 ALERT: 
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O fatal,
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O description = handshake_failure
    [11/22/13 8:15:43:706 CST] 00000026 SystemOut                                                    O Default Executor-thread-3, WRITE: TLSv1.2 Alert, length = 2
    [11/22/13 8:15:43:707 CST] 00000026 SystemOut                                                    O Default Executor-thread-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain

  • Alaine
    Alaine
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-22T15:38:10Z  
    • LHuston
    • ‏2013-11-22T14:23:14Z

    You have client authentication enabled on the Liberty server. That error suggests your browser does not have a key. You need to import a personal certificate into your browser and make sure the Liberty server has the signer in its truststore. Or you can turn off clientAuthentication.
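The triage Alaine performs on the trace above, as an added example that is not code from this thread or from Liberty: it strips the Liberty SystemOut prefixes, rejoins the JSSE debug fragments into one message, and pulls out the protocol the alert was sent at, the alert description, the session cipher suite and the exception before matching a symptom table. The sample trace is constructed from the lines posted above (prefix spacing shortened), and the symptom table is an assumption that lists only the "null cert chain" case resolved in this thread.

```python
import re

# Constructed sample, modelled on the JSSE lines posted above (prefix shortened).
SAMPLE_TRACE = """\
[11/22/13 8:15:43:705 CST] 00000026 SystemOut O %% Invalidated:  [Session-4, SSL_DHE_RSA_WITH_AES_128_CBC_SHA]
[11/22/13 8:15:43:705 CST] 00000026 SystemOut O Default Executor-thread-3
[11/22/13 8:15:43:705 CST] 00000026 SystemOut O , SEND TLSv1.2 ALERT:
[11/22/13 8:15:43:706 CST] 00000026 SystemOut O fatal,
[11/22/13 8:15:43:706 CST] 00000026 SystemOut O description = handshake_failure
[11/22/13 8:15:43:706 CST] 00000026 SystemOut O Default Executor-thread-3, WRITE: TLSv1.2 Alert, length = 2
[11/22/13 8:15:43:707 CST] 00000026 SystemOut O Default Executor-thread-3, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLHandshakeException: null cert chain
"""

# Liberty prefixes every SystemOut fragment with "[timestamp] threadId SystemOut ... O ".
PREFIX_RE = re.compile(r"^\[[^\]]*\]\s+\w+\s+SystemOut\s+O\s?")

# Symptom table (assumption: only the case resolved in this thread is listed).
SYMPTOMS = [
    (re.compile(r"null cert chain"),
     "peer presented no certificate while the server requires client "
     "authentication (clientAuthentication=\"true\"): import a client "
     "certificate into the browser and its signer into the server "
     "truststore, or set clientAuthentication=\"false\""),
]

def rejoin_jsse_text(trace: str) -> str:
    # Drop the Liberty prefixes and rejoin the split JSSE fragments.
    parts = [PREFIX_RE.sub("", ln).strip() for ln in trace.splitlines() if ln.strip()]
    return " ".join(parts)

def triage(trace: str) -> dict:
    # Extract protocol, alert, cipher suite and exception, then map a diagnosis.
    text = rejoin_jsse_text(trace)
    result = {"protocol": None, "alert": None, "session_cipher": None,
              "exception": None, "tls12_negotiated": False, "diagnosis": None}
    m = re.search(r"SEND (TLSv1\.[0-2]|SSLv3) ALERT", text)
    if m:
        result["protocol"] = m.group(1)
        # SP800-131 needs TLS 1.2 (the thread's own conclusion); an alert sent
        # at TLSv1.2 shows the protocol was fine and the failure lies elsewhere.
        result["tls12_negotiated"] = m.group(1) == "TLSv1.2"
    m = re.search(r"description\s*=\s*(\w+)", text)
    if m:
        result["alert"] = m.group(1)
    m = re.search(r"Invalidated:\s*\[Session-\d+,\s*([A-Z0-9_]+)\]", text)
    if m:
        result["session_cipher"] = m.group(1)
    m = re.search(r"(javax\.net\.ssl\.\w+): ([^\[]+)", text)
    if m:
        result["exception"] = (m.group(1), m.group(2).strip())
    for pattern, diagnosis in SYMPTOMS:
        if pattern.search(text):
            result["diagnosis"] = diagnosis
            break
    return result
```

Run `triage(open("trace.log").read())` against a real `-Djavax.net.debug=all` trace to get the same summary for a failing handshake.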

  • LHuston
    LHuston
    5 Posts

    Re: Liberty and SP800-131 setup is failing

    ‏2013-11-22T17:16:04Z  
    • Alaine
    • ‏2013-11-22T15:38:10Z

    Perfect! That did it. I turned off the clientAuthentication since it doesn't look required for the spec and isn't necessary for the environment I am supporting.

    Thank you very much! Lisa