WEBGUI and REST services fail with a protocol exception. Why?
If the WEBGUI and REST services in your cluster fail to start with a javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported error in the logs, the protocol version that the client requested might not be enabled in your TLS settings.
Both the cluster management console and the REST web servers are, by default, enabled for TLSv1.2. When your clients use other TLS versions, you must enable these versions in the wsm.conf file for the cluster management console and in the wsm_rest.conf file for REST.

Important: Though older TLS versions can be enabled, these options are vulnerable to BEAST (Browser Exploit Against SSL/TLS) or POODLE (Padding Oracle On Downgraded Legacy Encryption) attacks. Review any security implications before enabling these options.

- Edit the configuration files for the web server:
  - For the cluster management console web server, edit the wsm.conf file at %EGO_CONFDIR%\wsm.conf on Windows and $EGO_CONFDIR/wsm.conf on Linux®.
  - For the REST web server, edit the wsm_rest.conf file at %EGO_CONFDIR%\wsm_rest.conf on Windows and $EGO_CONFDIR/wsm_rest.conf on Linux.
- Update the ssl_protocol parameter (which defaults to TLSv1.2) to accept multiple protocol versions. Use one of the following options:
  - SSL: Enables TLS 1.0, 1.1, and 1.2 protocols.
  - SSL_TLSv2: Enables all SSL 3.0 and TLS 1.0, 1.1, and 1.2 protocols.

  For example: -Dssl_protocol=SSL_TLSv2
- Save your changes.
- Restart one or both services:
    egosh service stop WEBGUI
    egosh service start WEBGUI
    egosh service stop REST
    egosh service start REST
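
An added example, not part of the original documentation: a shell check to run after editing the files, which reports the protocol versions each ssl_protocol value enables according to the options listed above. It assumes the setting appears as a -Dssl_protocol=VALUE token (as in the example above) and that the last occurrence applies; the function names and the sample file content are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which protocols the ssl_protocol setting enables.

# Print the ssl_protocol value from a config file, or the default (TLSv1.2)
# when the parameter is absent. Assumption: the setting appears as a
# -Dssl_protocol=VALUE token; if it occurs more than once, the last is used.
get_ssl_protocol() {
    [ -r "$1" ] || return 2
    val=$(grep -o -e '-Dssl_protocol=[A-Za-z0-9_.]*' "$1" | tail -n 1 | cut -d= -f2)
    echo "${val:-TLSv1.2}"
}

# Map an ssl_protocol value to the protocol versions the page says it enables.
enabled_protocols() {
    case "$1" in
        TLSv1.2)   echo "TLSv1.2" ;;
        SSL)       echo "TLSv1 TLSv1.1 TLSv1.2" ;;
        SSL_TLSv2) echo "SSLv3 TLSv1 TLSv1.1 TLSv1.2" ;;
        *)         echo "unknown" ;;
    esac
}

# Return 0 if only TLSv1.2 is enabled, 1 if older protocols are enabled,
# 2 if the file is unreadable or the value is not one listed on the page.
audit_conf() {
    value=$(get_ssl_protocol "$1") || { echo "$1: not readable"; return 2; }
    protos=$(enabled_protocols "$value")
    case "$protos" in
        unknown) echo "$1: ssl_protocol=$value (unrecognized)"; return 2 ;;
        TLSv1.2) echo "$1: ssl_protocol=$value -> $protos"; return 0 ;;
        *)       echo "$1: ssl_protocol=$value -> $protos (review BEAST/POODLE exposure)"; return 1 ;;
    esac
}

if [ -n "${EGO_CONFDIR:-}" ]; then
    # Real files, at the Linux paths given on the page.
    for f in "$EGO_CONFDIR/wsm.conf" "$EGO_CONFDIR/wsm_rest.conf"; do
        audit_conf "$f" || true
    done
else
    # Constructed sample content, not a real wsm.conf.
    sample=$(mktemp)
    printf 'JAVA_OPTS="-Xms64m -Dssl_protocol=SSL_TLSv2"\n' > "$sample"
    audit_conf "$sample" || true
    rm -f "$sample"
fi
```

A return code of 1 from audit_conf marks a file where TLS 1.0, TLS 1.1, or SSL 3.0 has been turned on, which is the case the Important note asks you to review.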