IBM Support

Email Listeners are unable to connect to mail servers using TLSv1.2

Troubleshooting


Problem

When an email listener is configured to connect securely to an SMTP or IMAP mail server that supports only the TLSv1.2 protocol, the connection fails during the SSL handshake.  This problem occurs even when WebSphere Application Server itself is configured to support only the TLSv1.2 protocol.
The following entries are observed in the log:
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: getProvider() returning javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc]
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: mail.imap.fetchsize: 16384
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: mail.imap.statuscachetimeout: 1000
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: mail.imap.appendbuffersize: -1
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: mail.imap.minidletime: 10
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: disable AUTH=PLAIN
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: trying to connect to host "mail.myimaphostname.com", port 993, isSSL true
[1/18/19 16:24:22:681 EST] 00000936 SystemOut     O
Is initial handshake: true
[1/18/19 16:24:22:681 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
[1/18/19 16:24:22:681 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
...
[1/18/19 16:24:22:682 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256
[1/18/19 16:24:22:682 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_RSA_WITH_AES_128_GCM_SHA256
[1/18/19 16:24:22:682 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_DHE_DSS_WITH_AES_128_GCM_SHA256
[1/18/19 16:24:22:683 EST] 00000936 SystemOut     O %% No cached client session
[1/18/19 16:24:22:683 EST] 00000936 SystemOut     O *** ClientHello, TLSv1
[1/18/19 16:24:22:685 EST] 00000936 SystemOut     O pool-6-thread-11, received EOFException: error
[1/18/19 16:24:22:685 EST] 00000936 SystemOut     O pool-6-thread-11, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
[1/18/19 16:24:22:685 EST] 00000936 SystemOut     O pool-6-thread-11, SEND TLSv1 ALERT:  fatal, description = handshake_failure
The log shows that the client selects the TLSv1 protocol and discards every TLSv1.2-only cipher suite as unsupported.  When the connection to the mail server is attempted, the mail server closes it because it accepts the TLSv1.2 protocol only.

Cause

The Maximo application uses JavaMail API version 1.4.2, included with WebSphere Application Server ND, to send email to and receive email from mail servers.  The email client does not use the application server's mail facilities; the connection from the client to the mail server is made outside the application server container, which is why the WebSphere Application Server SSL configuration has no effect on it.
The default protocol used by this version of the JavaMail API is TLSv1, and that protocol is used unless it is overridden by the Maximo system properties.

Environment

Tivoli's process automation engine 7.6
WebSphere 8.5

Diagnosing The Problem

The following JVM argument and Maximo system property assist with troubleshooting.
JVM Argument:
-Djavax.net.debug=true
Maximo system property:
mail.debug=true
Once changed, restart the application server.
The logs contain the email and SSL debug output.

Resolving The Problem

The following Maximo system properties can be added to enable the TLSv1.2 protocol:
For SMTP:
mail.smtp.ssl.protocols=TLSv1.2
mail.smtps.ssl.protocols=TLSv1.2
For IMAP:
mail.imap.ssl.protocols=TLSv1.2
mail.imaps.ssl.protocols=TLSv1.2
For POP3:
mail.pop3.ssl.protocols=TLSv1.2
mail.pop3s.ssl.protocols=TLSv1.2

The properties do not exist in Maximo by default.  You can add them to the system properties application and perform a live refresh.  Once completed, restart the JVM to ensure the changes are picked up.

When the system completes startup and the email listener runs, the log contains similar debug output, but the ClientHello message now reports TLSv1.2:

[1/21/19 14:50:00:161 EST] 000000cf SystemOut    O *** ClientHello, TLSv1.2
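The debug output described under Diagnosing The Problem and the property list under Resolving The Problem can be tied together in a small triage script. The following Python is an added example, not part of the IBM technote or of Maximo: it scans SystemOut lines for the JavaMail provider name, the protocol offered in the ClientHello, the cipher suites the client discarded, and the handshake failure, and then names the Maximo system property (from the list above) that pins that provider to TLSv1.2. The sample log lines are constructed from the entries shown in this technote, and the provider-line pattern assumes the javax.mail.Provider[...] format seen in the getProvider() entry above.

```python
"""Triage helper for javax.net.debug / mail.debug output (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Maximo system property that pins the JavaMail protocol list, keyed by the
# JavaMail provider name that appears in the getProvider() debug line.
PROTOCOL_PROPERTY = {
    "smtp": "mail.smtp.ssl.protocols",
    "smtps": "mail.smtps.ssl.protocols",
    "imap": "mail.imap.ssl.protocols",
    "imaps": "mail.imaps.ssl.protocols",
    "pop3": "mail.pop3.ssl.protocols",
    "pop3s": "mail.pop3s.ssl.protocols",
}
REQUIRED_PROTOCOL = "TLSv1.2"

# Patterns derived from the log entries in the technote (assumption: the
# provider line always has the javax.mail.Provider[TYPE,name,...] shape).
PROVIDER_RE = re.compile(r"javax\.mail\.Provider\[\w+,(\w+),")
CLIENT_HELLO_RE = re.compile(r"\*\*\* ClientHello, (TLSv1(?:\.\d)?|SSLv\d)")
IGNORED_SUITE_RE = re.compile(r"Ignoring unsupported cipher suite: (\S+)")
HANDSHAKE_FAIL_RE = re.compile(r"SSLHandshakeException|description = handshake_failure")


@dataclass
class Triage:
    provider: Optional[str] = None        # e.g. "imaps"
    client_hello: Optional[str] = None    # protocol the client offered
    ignored_suites: List[str] = field(default_factory=list)
    handshake_failed: bool = False

    def recommendation(self, system_props: Optional[Dict[str, str]] = None) -> Optional[str]:
        """Return the property=value line to add, or None if nothing is needed.

        system_props is the current Maximo system property set (supplied by the
        caller); if the correct pin is already present, no change is suggested.
        Note that mail.imap.* and mail.imaps.* are distinct keys, so a pin on
        the wrong one does not satisfy the check.
        """
        if self.client_hello == REQUIRED_PROTOCOL or not self.handshake_failed:
            return None
        if self.provider not in PROTOCOL_PROPERTY:
            return None
        prop = PROTOCOL_PROPERTY[self.provider]
        if system_props and system_props.get(prop) == REQUIRED_PROTOCOL:
            return None
        return f"{prop}={REQUIRED_PROTOCOL}"


def triage_log(text: str) -> Triage:
    """Scan SystemOut debug lines and collect the TLS-relevant facts."""
    result = Triage()
    for line in text.splitlines():
        if (m := PROVIDER_RE.search(line)) and result.provider is None:
            result.provider = m.group(1)
        elif m := CLIENT_HELLO_RE.search(line):
            result.client_hello = m.group(1)
        elif m := IGNORED_SUITE_RE.search(line):
            result.ignored_suites.append(m.group(1))
        elif HANDSHAKE_FAIL_RE.search(line):
            result.handshake_failed = True
    return result


# Constructed sample: a failing IMAPS run, mirroring the technote's log entries.
FAILING_LOG = """\
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: getProvider() returning javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc]
[1/18/19 16:24:22:678 EST] 00000936 SystemOut     O DEBUG: trying to connect to host "mail.myimaphostname.com", port 993, isSSL true
[1/18/19 16:24:22:681 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
[1/18/19 16:24:22:681 EST] 00000936 SystemOut     O Ignoring unsupported cipher suite: SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
[1/18/19 16:24:22:683 EST] 00000936 SystemOut     O *** ClientHello, TLSv1
[1/18/19 16:24:22:685 EST] 00000936 SystemOut     O pool-6-thread-11, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
[1/18/19 16:24:22:685 EST] 00000936 SystemOut     O pool-6-thread-11, SEND TLSv1 ALERT:  fatal, description = handshake_failure
"""

# Constructed sample: the same listener after the property was added.
FIXED_LOG = """\
[1/21/19 14:50:00:160 EST] 000000cf SystemOut    O DEBUG: getProvider() returning javax.mail.Provider[STORE,imaps,com.sun.mail.imap.IMAPSSLStore,Sun Microsystems, Inc]
[1/21/19 14:50:00:161 EST] 000000cf SystemOut    O *** ClientHello, TLSv1.2
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("fixed", FIXED_LOG)):
        t = triage_log(log)
        print(f"{name}: provider={t.provider} ClientHello={t.client_hello} "
              f"ignored={len(t.ignored_suites)} failed={t.handshake_failed} "
              f"add={t.recommendation()}")
```

Run it against a real SystemOut.log by replacing the constructed samples with the file contents; the script only reads text and never opens a network connection, so it can be used on a copied log away from the server.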

Document Location

Worldwide


Document Information

Modified date:
20 April 2022

UID

ibm10796282