APAR status
Closed as program error.
Error description
Tested with TLS 1.0, 1.1 and 1.2. GetHTTP no longer connects to 1.0 or 1.1. And it looks like this is a result of the upgrade to the httpclient library.

GetHTTP("tls-v1-0.badssl.com", 1010, "https", "/", "", "GET", "", null, null, HeadersToSend, HttpProperties); // TLS1.0 fails in FP19
GetHTTP("tls-v1-1.badssl.com", 1011, "https", "/", "", "GET", "", null, null, HeadersToSend, HttpProperties); // TLS1.1 fails in FP19
GetHTTP("tls-v1-2.badssl.com", 1012, "https", "/", "", "GET", "", null, null, HeadersToSend, HttpProperties); // TLS1.2 works in FP19
Local fix
NA
Problem summary
USERS AFFECTED:
All Impact Users

PROBLEM DESCRIPTION:
When connecting to an SSL endpoint, the GetHTTP policy function and RESTful DSA only allow TLS 1.2. The policy fails with an "Unhandled Exception: Server chose TLSv1, but that protocol version is not enabled or not supported by the client" exception.

RECOMMENDATION:
The Apache HTTP client library for the GetHTTP and RESTful functions was updated to the 5.0 release in Fixpack 19. The SSL connection code only supports TLS 1.2 by default.
Problem conclusion
Support for TLS 1.0 and 1.1 was added back to the GetHTTP and RESTful policy functions. The list of supported protocols is set by the https.protocols parameter in <IMPACT_HOME>/wlp/usr/servers/NCI/jvm.options:

-Dhttps.protocols=SSL_TLSv2

This problem was introduced by APAR IJ24292, which is contained in the following maintenance packages:
| MDVREGR 7.1.0-TIV-NCI-FP00019 |

The fix for this APAR is contained in the following maintenance packages:
| Fix Pack | 7.1.0-TIV-NCI-FP0020 |
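
The following is an added example, not part of the APAR or of IBM's code: a small audit that reads the text of a jvm.options file and reports whether the https.protocols setting described above enables TLS 1.0 or 1.1. The function names and sample file contents are constructed, and the expansion of SSL_TLSv2 to TLS 1.0 through 1.2 is an assumption based on IBM JSSE protocol naming.

```python
import re

# Protocol labels treated as legacy by this audit.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: the IBM JSSE label SSL_TLSv2 enables TLS 1.0, 1.1 and 1.2 together.
ALIASES = {"SSL_TLSv2": ["TLSv1", "TLSv1.1", "TLSv1.2"]}

def https_protocols(jvm_options_text):
    """Return the effective https.protocols list, or None if it is not set."""
    value = None
    for line in jvm_options_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        m = re.fullmatch(r"-Dhttps\.protocols=(.*)", line)
        if m:
            value = m.group(1)                 # a later -D overrides an earlier one
    if value is None:
        return None
    protocols = []
    for token in (t.strip() for t in value.split(",")):
        if token:
            protocols.extend(ALIASES.get(token, [token]))
    return protocols

def audit(jvm_options_text):
    """Summarise the setting and list any legacy protocol versions it enables."""
    protocols = https_protocols(jvm_options_text)
    if protocols is None:
        return {"protocols": None, "legacy": [],
                "finding": "https.protocols not set in this file"}
    legacy = [p for p in protocols if p in LEGACY]
    finding = "legacy TLS enabled" if legacy else "no legacy TLS enabled"
    return {"protocols": protocols, "legacy": legacy, "finding": finding}

# Constructed sample contents, not taken from a real Impact installation.
SAMPLE_LEGACY = "# constructed sample\n-Xmx2048m\n-Dhttps.protocols=SSL_TLSv2\n"
SAMPLE_TLS12_ONLY = "-Xmx2048m\n-Dhttps.protocols=TLSv1.2\n"

if __name__ == "__main__":
    for name, text in [("legacy", SAMPLE_LEGACY), ("tls12", SAMPLE_TLS12_ONLY)]:
        print(name, audit(text))
```

Run against each server's jvm.options, this separates hosts that only need TLS 1.2 from those whose endpoints still require the older versions.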
Temporary fix
Comments
APAR Information
APAR number
IJ27949
Reported component name
NETCOOL/IMPACT
Reported component ID
5724O59IS
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-09-15
Closed date
2020-09-25
Last modified date
2020-09-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Modules/Macros
UNKNOWN
Fix information
Fixed component name
NETCOOL/IMPACT
Fixed component ID
5724O59IS
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
27 August 2021