IBM Support

ServiceNow Gateway is unable to contact the ServiceNow™ server, TLS 1.0 and 1.1 retired by ServiceNow.

Troubleshooting


Problem

The Java™ Gateway for ServiceNow is unable to contact the ServiceNow server over an SSL connection.

Symptom

The Gateway was working but now it fails to connect.
The Gateway log file contains a message like this:
Error: [Main Gateway] Unable to reach the ServiceNow server - please double-check the value of 'Gate.ServiceNow.Host'.
However, the ServiceNow server is reachable from the Gateway server.

Cause

With the recent ServiceNow server upgrade, ServiceNow is deprecating the use of TLS 1.0 and 1.1. Customers are required to use TLS 1.2 or newer for all communications with their instances. See the related URL section for a link to the ServiceNow notice.
The Netcool ServiceNow Gateway needs to be configured to use TLS 1.2.

Diagnosing The Problem

Follow these steps to determine which version of TLS is being used in the handshake:
1. Add one of these options to the ServiceNow Gateway file called nco_g_servicenow.env:

JRE_OPTS="-Djavax.net.debug=ssl:handshake:verbose"
or
JRE_OPTS="-Djavax.net.debug=all"
2. Run the Gateway in debug mode. It creates a message for the ClientHello.  The version of TLS is displayed in this message.
For more information on Java™ properties,  see:

Resolving The Problem

The objective is to upgrade IBM Java™ to version 1.8, which supports TLS 1.2 and enables it by default.
1. If you are using OMNIbus 8.1 FP17 or newer, then IBM Java 1.8 is already installed with Netcool/OMNIbus™ .
2. If you are using Netcool/OMNIbus 8.1 Fix Pack 17 (FP 17) and IBM Java 1.7, make the following change to the ServiceNow Gateway file called nco_g_servicenow.env. These properties enable TLS 1.2 for the Gateway's connections; the values as given also keep the older versions in the list:
JRE_OPTS="-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"
Restart/Start the ServiceNow Gateway to see whether the Gateway works properly.
3. If the workaround in step 2 does not resolve the problem, install openjdk-1.8.0 on the ServiceNow Gateway server. OpenJDK is an open source implementation of the Java Platform.
The following steps assume that openjdk-1.8.0 patch 131 is installed in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64
It is not mandatory to use patch 131.
3i) Define the location of the java binary in your installation of openjdk-1.8.0 by setting the JRE_DIR property in the Gateway file called nco_g_servicenow.env.
JRE_DIR points to the directory containing the 'jre' directory.  For example, if the java binary is in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/bin then set JRE_DIR  to /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64
JRE_DIR=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64
3ii) Set LD_LIBRARY_PATH to point to the directory containing libjvm.so file.
For example, if libjvm.so is in /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/amd64/server then add that directory to LD_LIBRARY_PATH:
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/amd64/server
export LD_LIBRARY_PATH
Start the ServiceNow Gateway from the command line in the same terminal where you set LD_LIBRARY_PATH to see whether the Gateway works properly.
If none of these solutions work, contact IBM support for further troubleshooting.
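
A quick audit of the step 2 setting, as an added example that is not part of the IBM technote: it reads the last active JRE_OPTS line from an env file and reports, for jdk.tls.client.protocols and https.protocols, whether TLSv1.2 is listed and which older versions are still offered. The function names and the assumption that the env file uses shell-style JRE_OPTS="..." assignments are mine; the sample input is the line from step 2.

```shell
#!/bin/sh
# Added example (not IBM code). Assumes nco_g_servicenow.env holds shell-style
# assignments such as JRE_OPTS="-Dname=value ...".

# protocols_for PROPERTY FILE
# Prints the value of -DPROPERTY=... from the last uncommented JRE_OPTS line,
# or nothing when that property is not set there.
protocols_for() {
    grep -E '^[[:space:]]*(export[[:space:]]+)?JRE_OPTS=' "$2" | tail -n 1 |
        sed 's/^[^=]*=//' | tr " \"'" '\n\n\n' |
        awk -v p="-D$1=" 'index($0, p) == 1 { v = substr($0, length(p) + 1) }
                          END { print v }'
}

# audit_tls_opts FILE
# One report line per property. Returns 1 if a configured protocol list
# leaves out TLSv1.2, otherwise 0.
audit_tls_opts() {
    file=$1 rc=0
    for prop in jdk.tls.client.protocols https.protocols; do
        list=$(protocols_for "$prop" "$file")
        if [ -z "$list" ]; then
            echo "$prop: not set (JRE default applies)"
            continue
        fi
        case ",$list," in
            *,TLSv1.2,*) status="includes TLSv1.2" ;;
            *) status="MISSING TLSv1.2"; rc=1 ;;
        esac
        legacy=""
        for old in TLSv1 TLSv1.1; do
            case ",$list," in *,"$old",*) legacy="$legacy $old" ;; esac
        done
        echo "$prop: $status; legacy versions still offered:${legacy:- none}"
    done
    return $rc
}

# Constructed sample file containing the JRE_OPTS line from step 2.
sample=$(mktemp)
printf '%s\n' 'JRE_OPTS="-Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2"' > "$sample"
audit_tls_opts "$sample"
rm -f "$sample"
```

Against a real installation, call audit_tls_opts with the path to nco_g_servicenow.env; a "not set" result means the protocol choice is left to the JRE that JRE_DIR points to.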

Document Location

Worldwide

Product Synonym

nco_g_servicenow

Document Information

Modified date:
15 October 2019

UID

ibm11086927