Troubleshoot SSL

You can troubleshoot common issues with SSL.

Difficulty connecting to a non-RFC-5746 compliant server (V5.2.6 or later)

If your client adapter cannot connect to a non-RFC-5746 compliant server, set the sendSCSVCipher property in security.properties.in to true. By default, this property is set to false and is commented out. The following example shows the default text in security.properties:

## Please define sendSCSVCipher property to true if client adapters are having difficulty connecting to non RFC-5746 compliant servers.
## Default sendSCSVCipher is set to false
## sendSCSVCipher=false

Difficulty connecting to a non-RFC-5746 compliant server (V5.2.5 or earlier)

If your client adapter cannot connect to a non-RFC-5746 compliant server, uncomment the following line in security.properties.in:

renegotiationPolicy=secureConnectionAllowed|insecureConnectionAllowed|disableInsecureRenegotiationAfterAppData|sendSCSV

Corrupt or Unusable Certificate Error Messages

If you receive the following error message:

FATAL Alert:BAD_CERTIFICATE - A corrupt or unusable certificate was received.

The information from the Perimeter log is as follows:

ERROR <HTTPClientAdapter_HTTPClientAdapter_node1-Thread-19> HTTPClientAdapter_HTTPClientAdapter_node1-Thread-172105824724com.sterlingcommerce.perimeter.api.conduit.SSLByteDataConduit@4c2b95c6: Doing reset3 com.certicom.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unusable certificate was received.
 at com.certicom.tls.d.b.a(Unknown Source)
 at com.certicom.tls.d.b.do(Unknown Source)

When you check in the certificate, Sterling B2B Integrator shows a Status value of "Invalid Signature" on the naming screen. If a business process that performs an outbound HTTP POST over SSL fails in the HTTP Method service with an error, the following message is displayed:

HTTP Status Code: -1 
HTTP Reason Phrase: Internal Error: Connection was closed from the 
perimeter side with error: CloseCode.CONNECTION_RESET

Obtain the appropriate CA certificate for the trading partner. If the trading partner is using a self-signed certificate, the certificate itself can be used as the CA certificate.

CA and Direct Trust

When Sterling B2B Integrator is the client, if the server has a certificate issued by a CA and that certificate has the DNS name of the server in the subject Relative Distinguished Names (RDN), you can put the root CA certificate in the CA store and trust that. If SSL still does not work, try direct trust. Put the server certificate in the CA store and trust that.

If the server is using a self-signed certificate, put that in the CA store and trust it. You are doing direct trust in this case as well.

Use of SSL without a Certificate

You cannot use SSL-enabled adapters without having the required certificate or system certificate.

Disable SSL Empty Records for CBC-Mode Cipher Suite

If you selected the CBC-mode cipher suite, and SSL does not work, disable SSL Empty Records:
  1. Edit the tmp.sh file.
  2. Find the server flag for the OS you are configuring and add:
    -DDisableSSLEmptyRecords=true

Central Search page shows NULL when Sterling B2B Integrator is accessed through HTTPS

Abstract

The Central Search page shows null in both the nodes when Sterling B2B Integrator is installed as a cluster.

Symptom

Errors are observed in the UI.log file.

Cause

This is caused by the incorrect Subject Alternate Name in ASICert.

Resolution

Follow these steps:
  1. Create a new certificate by specifying the IP addresses and DNS names of both nodes.
    • Enter the IP addresses of the network interfaces you want to associate with the certificate as the SubjectAltName field.
    • Enter the DNS names of the network interfaces you want to associate with the certificate as the SubjectAltName field.
    • Use commas to separate the values.
  2. Check in noapp.properties_platform_ifcresources_ext.in for property name sslCert.
  3. Replace the value of this property by the name of the certificate created in Step 1.
  4. Restart both nodes.

The IP addresses and DNS names you enter are translated into the SubjectAltName field of the actual certificate.

Unable to view the Central Search screen when using a certificate other than ASISslCert in Sterling B2B Integrator

Abstract

Unable to view the Sterling B2B Integrator Central Search screen over HTTPS with a certificate other than ASISslCert.

Symptom

The Central Search screen works fine with the default certificate.

The Central Search screen shows an error message when the certificate configured is other than the default.

The noapp.properties_platform_ifcresources_ext.in file is configured to use a certificate other than the default ASISslCert. The default (commented-out) entry is:
#sslCert=ASISslCert

Resolution

To view the Central Search page correctly, set all of the parameters below to the same value. If there is a mismatch, the Central Search page displays an error.

  1. The INSTALL_IP parameter value in the sandbox.cfg file.
  2. The IP address to access the dashboard UI.
  3. The Subject Alternate Name in the newly created certificate.

If needed, create a new certificate with the right Subject Alternate Name and then override the sslCert parameter in the customer_overrides.properties file as shown below.

noapp.sslCert=<new certificate name>

Note: If you are accessing Sterling B2B Integrator using a fully qualified domain name, then create a certificate with a fully qualified domain name.
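The following check script is an added example, not part of the Sterling B2B Integrator product or its documentation; it covers both the cluster SubjectAltName procedure above and the three-value match rule (INSTALL_IP, dashboard access host, certificate SubjectAltName). It assumes a sandbox.cfg-style key=value text and a SubjectAltName list typed in the comma-separated form the page describes; the sample values are constructed.

```python
import ipaddress
from typing import List, Set, Tuple

# Constructed sample of a sandbox.cfg fragment (key=value lines); not a real installation.
SAMPLE_SANDBOX_CFG = """\
# constructed sample sandbox.cfg
INSTALL_IP=10.0.0.15
INSTALL_NAME=b2bi-node1
"""


def read_install_ip(cfg_text: str) -> str:
    """Return the INSTALL_IP value from sandbox.cfg-style key=value text."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "INSTALL_IP":
            return value.strip()
    raise KeyError("INSTALL_IP not found in sandbox.cfg")


def normalize(name: str) -> Tuple[str, str]:
    """Classify one SubjectAltName entry (or access host) as an IP or DNS name and normalize it.

    IPs are canonicalized (so 10.0.0.015 and ::0001 compare correctly); DNS names are
    lower-cased and stripped of a trailing dot, matching how hostnames are compared.
    """
    name = name.strip()
    try:
        return ("IP", str(ipaddress.ip_address(name)))
    except ValueError:
        return ("DNS", name.lower().rstrip("."))


def parse_san(san_field: str) -> Set[Tuple[str, str]]:
    """Parse the comma-separated SubjectAltName list entered when the certificate is created."""
    return {normalize(v) for v in san_field.split(",") if v.strip()}


def check_central_search(cfg_text: str, access_host: str, san_field: str) -> List[str]:
    """Return the mismatches that would make the Central Search page show an error.

    An empty list means INSTALL_IP and the host used to reach the dashboard are both
    present in the certificate's SubjectAltName, as the page requires.
    """
    san = parse_san(san_field)
    problems = []
    for label, value in (("INSTALL_IP", read_install_ip(cfg_text)),
                         ("dashboard access host", access_host)):
        if normalize(value) not in san:
            problems.append(f"{label} {value} is not in the certificate SubjectAltName")
    return problems
```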