Troubleshooting DataPower
Troubleshooting guide for resolving common DataPower connectivity and configuration issues with Instana.
Resolving handshake failures with DataPower
The Instana agent cannot connect to DataPower due to a handshake_failure error in agent logs. As a result, DataPower is not monitored in the Instana UI.
Root Cause
A handshake failure occurs when there is a Cipher suite or TLS version mismatch between the Instana agent JVM and DataPower. For example, if DataPower is configured to offer only RSA-based ciphers (such as AES256-GCM-SHA384) while the agent JVM has TLS_RSA_* disabled by default, no common cipher is available to complete the handshake.
Diagnosis
To confirm the issue:
-
Check which cipher suites DataPower offers:
openssl s_client -connect <datapower-host>:<port> -tls1_2 2>&1 | grep "Cipher is" -
Check JVM disabled algorithms (path depends on agent installation type):
Agent:
cat agent-install-dir/jvm/conf/security/java.security | grep "jdk.tls.disabledAlgorithms"
Solution 1 (Workaround): Modify JVM security
Edit the JVM security file:
agent-install-dir/jvm/conf/security/java.security
Before:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
ECDH, TLS_RSA_*, \
include jdk.disabled.namedCurvesAfter:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
ECDH, \
include jdk.disabled.namedCurvesRestart the Instana agent.
Solution 2 (Permanent Solution): Configure DataPower with ECDHE
Configure the DataPower XML Management Interface SSL profile to support ECDHE cipher suites compatible with both DataPower and the Instana agent JVM. Common cipher suites include:
-
ECDHE-RSA-AES256-GCM-SHA384 -
ECDHE-RSA-AES128-GCM-SHA256
For detailed instructions on configuring SSL profiles in DataPower, see the IBM DataPower documentation.