iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure

Hi All,

I am using webMethods 9.8.

One of our partners changed their ciphers to 256 and because of that I am getting the below error:

iaik.security.ssl.SSLException: Peer sent alert: Alert Fatal: handshake failure.

After changing all the ciphers in our environment, I am still getting the same issue.

Below are the wrapper debug logs:

Please provide suggestions:

wraper logs.docx (59.7 KB)

Hi Masroor,

Can you provide some more details please?

I.e. a list of applied fixes from UpdateManager, especially for the SCG_Entrust, SIN and SSX components.

Additionally I cannot find any errors in the log you have provided.

Regards,
Holger

Hi Holger,

Below are the fixes we installed in our IS.

B2B Installed Packages
These fixes exist in the specified installation directory
Install Directory:/softwareag/softwareag98

Installed? Fix Name

  1. [I] All fixes
  2. [I]   Adapters
  3. [I]     Adapter 9.0 For JDBC 9.0 Fix 6
  4. [I]   Common Library
  5. [I]     Universal Messaging Common Libraries 9.8 Fix 11
  6. [I]     SCG_9.8_Audit_Fix3
  7. [I]     MIG_9.8_MigrationFramework_Fix1
  8. [I]     SCG_9.8_TPL_Fix2
  9. [I]   Database Configuration
  10. [I]     DC_9.8_DBS_Fix7
  11. [I]   Infrastructure
  12. [I]     Libraries
  13. [I]       Shared Libraries Light Weight Queue 9.8 Fix 1
  14. [I]   Integration Server
  15. [I]     IS_9.8_Core_Fix6
  16. [I]     IS_9.8_SPM_Fix1
  17. [I]   Shared Bundles
  18. [I]     Universal Messaging Shared Bundles 9.8 Fix 11
  19. [I]   Terracotta
  20. [I]     Terracotta 4.3.0 Fix 3 (TESCommon) [Upgrades to 4.3.1]
  21. [I]     Terracotta 4.3.0 Fix 3 (TESOSGi) [Upgrades to 4.3.1]
  22. [I]   Trading Networks
  23. [I]     TNS_9.8_Fix4
  24. [I]   eStandards
  25. [I]     webMethods eStandards Common Framework 7.1 Fix 15
  26. [I]     RosettaNet Module 7.1 SP2 Fix 8
  27. [I]   webMethods Process Engine
  28. [I]     Process Engine 9.8 Fix 8

If you require anything else, please let me know.

Thanks and regards,
Masroor Alam

Hi Masroor,

At least I am missing the fix for Security Infrastructure (SIN_9.8_Fix3).

Are you allowed to use unlimited JCE policies?
If so, are they applied to /jre/lib/security/?

Where did you change the ciphers?
Was the IntegrationServer stopped and restarted after doing the modifications?

Regards,
Holger

Hi Holger,

Thank you for your response.

I am not sure about JCE.

But for the ciphers, I updated them through Extended Settings.
And yes, I already restarted the IS.
Please look at the Extended Settings:

watt.config.systemProperties=javax.net.debug=ssl
watt.core.validation.skipMandatoryFields=true
watt.net.jsse.client.enabledCipherSuiteList=TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.jsse.server.enabledCipherSuiteList=TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.jsse.server.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=tls
watt.net.ssl.client.hostnameverification=false
watt.net.ssl.client.strongcipheronly=false
watt.net.ssl.debug=true
watt.net.ssl.server.cipherSuiteList=default
watt.net.ssl.server.clientHandshakeTimeout=20000
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.security.cert.wmChainVerifier.trustByDefault=true
watt.security.ssl.ignoreExpiredChains=false
watt.server.classloader.pkgpriority=WmPRT
watt.server.cluster.aliasList=TN2
watt.server.compile=/softwareag/softwareag98/jvm/jvm/bin/javac -classpath {0} -d {1} {2}
watt.server.db.blocktimeout=-1
watt.server.db.connectionCache=server
watt.server.db.maintainminimum=false
watt.server.db.provider=
watt.server.db.share.ISInternal=false
watt.server.deprecate.validate.emptystring=false
watt.server.ns.hideWmRoot=false
watt.server.package.parallel.threads=6
watt.server.rg.internalregistration.timeout=180
watt.server.smtpTransportSecurity=none
watt.ssl.iaik.debug=true

Hi Masroor,

please check if you are using JSSE or not for your communication.

Can you check the IntegrationServer server.log or the System out log (usually redirected to nohup.out or something similar) for further information?

See IntegrationServer readme for IS_9.8_Core_Fix6 for details how to configure the extended settings.

Eventually you want to check the server.log with an enhanced logging level activated:

Note: When the logging facility 0006 Server SSL Interface is set to the Debug logging level, Integration Server writes messages about protocols used for inbound and outbound ports to the server log. At the Trace logging level, Integration Server writes messages about the enabled cipher suites.

Regards,
Holger

Hi Masroor,

I think you need to have “JCE Unlimited Strength Jurisdiction Policy Files” onto your server to implement keys of 256.
You can check the JCE details at server startup.

I am not sure if this could be the reason, other members on the forum can confirm about the same.

Regards,
Syed Faraz Ahmed
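
The two replies above raise three separate reasons why a handshake can end in "Alert Fatal: handshake failure": the two sides share no protocol version, they share no cipher suite, or the JVM cannot run the only suite configured (the restricted JCE policy caps AES at 128 bits, so JSSE never offers an AES-256 suite). The Python model below is an added example written for this thread, not webMethods, IAIK or Entrust code. It decodes the alert record behind the quoted exception and then plays the extended settings posted above (a single TLS_RSA_WITH_AES_256_CBC_SHA256 suite) against a constructed AES-256-only partner under three client configurations. The cipher-suite table is a hand-picked subset of the IANA registry, the partner configuration is invented, and the JCE limit is passed in as a number rather than read from the JVM (there it would be javax.crypto.Cipher.getMaxAllowedKeyLength("AES")). Whether any of these is what happened in this thread the posts do not say; the model shows what each symptom looks like.

```python
"""Model of TLS 1.0-1.2 cipher-suite negotiation, plus a decoder for the alert
record behind "Peer sent alert: Alert Fatal: handshake failure".  Added example
for this thread, not webMethods, IAIK or Entrust code.  The suite table is a
hand-picked subset of the IANA registry; the JCE limit is passed in as a number
instead of being read from the JVM."""

from dataclasses import dataclass

# Protocol versions as they appear on the wire: (major, minor).
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)

# Constructed subset of the IANA cipher-suite registry:
# name -> (code point, symmetric key bits, lowest protocol version defining it).
# The *_SHA256 suites exist only from TLS 1.2 (RFC 5246); a peer capped at
# TLS 1.0 or 1.1 can never negotiate them, whatever else it offers.
SUITES = {
    "TLS_RSA_WITH_AES_128_CBC_SHA":    (0x002F, 128, TLS10),
    "TLS_RSA_WITH_AES_256_CBC_SHA":    (0x0035, 256, TLS10),
    "TLS_RSA_WITH_AES_128_CBC_SHA256": (0x003C, 128, TLS12),
    "TLS_RSA_WITH_AES_256_CBC_SHA256": (0x003D, 256, TLS12),
}

ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
ALERT_DESCRIPTIONS = {0: "close notify", 40: "handshake failure",
                      42: "bad certificate", 46: "certificate unknown",
                      70: "protocol version", 71: "insufficient security",
                      80: "internal error"}


def version_name(v):
    return "SSLv3" if v[1] == 0 else f"TLSv1.{v[1] - 1}"


def decode_alert(record: bytes) -> str:
    """Decode a TLS alert record (content type 0x15, version, length 2, level,
    description) into the wording the IAIK stack prints in its exception."""
    if len(record) != 7 or record[0] != 0x15 or record[3:5] != b"\x00\x02":
        raise ValueError("not a well-formed TLS alert record")
    level, desc = record[5], record[6]
    return (f"Alert {ALERT_LEVELS.get(level, level)}: "
            f"{ALERT_DESCRIPTIONS.get(desc, f'alert {desc}')} "
            f"(record version {version_name(record[1:3])})")


@dataclass
class Peer:
    """One endpoint's effective TLS configuration."""
    min_version: tuple
    max_version: tuple
    suites: list                 # enabled suites, most preferred first
    jce_max_aes_bits: int = 256  # 128 models the restricted JCE policy files


def negotiate(client: Peer, server: Peer) -> dict:
    """Server-preference negotiation.  Returns the agreed version and suite, or
    the alert the server would send plus, per client suite, why it was unusable."""
    version = min(client.max_version, server.max_version)
    if version < max(client.min_version, server.min_version):
        return {"alert": "protocol version", "version": None, "suite": None, "reasons": {}}
    reasons, offered = {}, []
    for s in client.suites:                      # what really goes into the ClientHello
        _, bits, min_v = SUITES[s]
        if bits > client.jce_max_aes_bits:       # JSSE silently drops such suites
            reasons[s] = f"client JCE policy caps AES at {client.jce_max_aes_bits} bits; suite never offered"
        elif min_v > version:
            reasons[s] = f"defined only from {version_name(min_v)}, but the peers agreed on {version_name(version)}"
        else:
            offered.append(s)
    for s in server.suites:                      # server takes its favourite among the offered
        if s in offered and SUITES[s][1] <= server.jce_max_aes_bits:
            return {"alert": None, "version": version, "suite": s, "reasons": reasons}
    for s in offered:
        reasons[s] = "not enabled on the server" if s not in server.suites else "server's JCE policy cannot run it"
    return {"alert": "handshake failure", "version": version, "suite": None, "reasons": reasons}


# Constructed partner: TLS 1.0-1.2, AES-256 only (the "ciphers changed to 256" side).
PARTNER = Peer(TLS10, TLS12, ["TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA"])
ONLY_AES256_SHA256 = ["TLS_RSA_WITH_AES_256_CBC_SHA256"]   # the posted enabledCipherSuiteList


def scenario_entrust_path():
    """Non-JSSE path with handshake.maxVersion=tls, i.e. TLS 1.0 only."""
    return negotiate(Peer(TLS10, TLS10, ONLY_AES256_SHA256), PARTNER)


def scenario_jsse_restricted_jce():
    """JSSE with TLS 1.2 enabled, but the default 128-bit JCE policy."""
    return negotiate(Peer(TLS10, TLS12, ONLY_AES256_SHA256, jce_max_aes_bits=128), PARTNER)


def scenario_jsse_unlimited_jce():
    """JSSE with TLS 1.2 and the unlimited JCE policy files installed."""
    return negotiate(Peer(TLS10, TLS12, ONLY_AES256_SHA256), PARTNER)


if __name__ == "__main__":
    # Hand-written alert record: TLS 1.2 header, length 2, level fatal (2), handshake_failure (40).
    print(decode_alert(bytes.fromhex("15030300020228")))
    for f in (scenario_entrust_path, scenario_jsse_restricted_jce, scenario_jsse_unlimited_jce):
        r = f()
        print(f"{f.__name__}: alert={r['alert']} suite={r['suite']} reasons={r['reasons']}")
```

The point of the `reasons` map is that a single-suite list has no fallback: the first two scenarios fail for different causes but produce the identical alert on the wire, which is why the "Server SSL Interface" Trace logging Holger mentions (it prints the suites actually enabled) is more useful than the alert text itself.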

Hi faraz,

Thank you for your kind response.

I am new to this technology, so do we have any document which helps me to understand the detailed configuration of ciphers?
I guess I need to reconfigure ciphers in an extended setting.

Team, please help me out.

Thanks,

Masroor Alam

Hi Masroor,

Unfortunately, I haven't done this kind of change on webMethods.
We had a requirement to support keys with 256 bits for a Java project, for which we had done the changes.
Please share your email ID. We can discuss more on that.

Regards,
Syed Faraz Ahmed

Hi Faraz,

Thank you.

please find my mail id : masroor.alam@capgemini.com

Regards,
Masroor Alam

Hi Holger/Faraz,
Thank you for your guidance.

We installed IS_core_fix11 in our IS and EGW as well.
Now we are able to connect with our partner.

But we are still getting an issue between B2B and EGW:

Unable to establish connection to Enterprise Gateway Server frdrtsueai16q. Internal Server was not authenticated on the Enterprise Gateway

Thanks and regards,

Masroor Alam

Hi Holger/Faraz/Masroor,

Kindly please give me some help.

Our public platform faces the same problem.
We want to know if WM can support SSLv2 as well after installing IS_core_fix11.

Looking forward to your reply

Thanks.
Jay Xu

Hi Xu,

SSLv2 is still available, but it is only configured for outgoing connections by default.

Generally usage of SSL v2 and SSL v3 should be avoided whenever possible.

Please note that TLS V1.1 and TLS V1.2 require a JVM version 7 or newer and the usage of JSSE for the connection.
The older Entrust library is currently only supporting TLS V1 but not TLS V1.1 and TLS V1.2.

Regards,
Holger

Hi Holger,

Thanks for your information.

If IS Core Fix15 is installed, how can we configure the Extended Settings without affecting the existing connections:
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2

Our environment is:
os:linux
webMethods 8.2

Kindly please give advice in advance.

Best regards,
Xu Jay

Hi Xu,

you should make sure that the servers at your partner side you are connecting to can handle TLS for transport security.

After that you can change “watt.net.ssl.client.handshake.minVersion=sslv2” to “watt.net.ssl.client.handshake.minVersion=tls” to switch off SSLv2 and SSLv3. “tls” stands for TLS v1.0 here.

This setting is the only one which is configured to allow sslv2 and sslv3 by default, all other settings in this context are already set to tls by default.

Regards,
Holger
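
To make the advice in this reply and the posted Extended Settings checkable, here is an added example (not Software AG code) that parses a watt.* properties fragment and flags the transport-security settings discussed in this thread: a client minVersion of sslv2/sslv3, TLSv1/TLSv1.1 in the JSSE protocol list, handshake.maxVersion=tls (which, as said above, caps the Entrust path at TLS 1.0), hostname verification switched off, and the three debug switches left on. It then returns a hardened copy with minVersion set to tls and hostname verification turned back on. SAMPLE is constructed from the settings posted earlier in the thread with the client minVersion set to sslv2 as in the later posts; the severities are this example's own, and "true" as the value that re-enables watt.net.ssl.client.hostnameverification is an assumption (the page only shows it set to false).

```python
"""Audit of the watt.* transport-security Extended Settings discussed in this
thread.  Added example, not Software AG code: it string-matches keys and values
against general TLS hygiene rules and knows nothing about Integration Server
internals.  SAMPLE is constructed from the settings posted in the thread."""

LEGACY_PROTOCOLS = {"sslv2", "sslv3"}    # broken protocols, never negotiate them
OLD_TLS = {"tlsv1", "tlsv1.1"}           # deprecated (RFC 8996), sometimes still needed

SAMPLE = """
watt.config.systemProperties=javax.net.debug=ssl
watt.net.jsse.client.enabledCipherSuiteList=TLS_RSA_WITH_AES_256_CBC_SHA256
watt.net.jsse.client.enabledProtocols=TLSv1,TLSv1.1,TLSv1.2
watt.net.ssl.client.cipherSuiteList=default
watt.net.ssl.client.handshake.maxVersion=tls
watt.net.ssl.client.handshake.minVersion=sslv2
watt.net.ssl.client.hostnameverification=false
watt.net.ssl.debug=true
watt.net.ssl.server.handshake.maxVersion=tls
watt.net.ssl.server.handshake.minVersion=tls
watt.ssl.iaik.debug=true
"""


def parse_settings(text):
    """Parse key=value lines; a value may itself contain '=' (systemProperties)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit(settings):
    """Return (severity, key, message) findings, highest severity first."""
    findings = []
    for key, value in settings.items():
        v = value.lower()
        if key.endswith(".handshake.minVersion") and v in LEGACY_PROTOCOLS:
            findings.append(("HIGH", key,
                             f"{value} permits SSLv2/SSLv3 handshakes; set to tls once every peer speaks TLS"))
        if key.endswith(".handshake.maxVersion") and v == "tls":
            findings.append(("MEDIUM", key,
                             "tls caps the non-JSSE (Entrust) path at TLS 1.0; TLS 1.1/1.2 need JSSE"))
        if key.endswith(".enabledProtocols"):
            old = sorted(p.strip() for p in v.split(",") if p.strip() in OLD_TLS)
            if old:
                findings.append(("MEDIUM", key, f"{','.join(old)} deprecated; drop them when peers allow"))
        if key.endswith(".hostnameverification") and v == "false":
            findings.append(("HIGH", key,
                             "certificate is not matched against the host name, so any trusted cert passes"))
        if (key.endswith(".debug") and v == "true") or \
           (key == "watt.config.systemProperties" and "javax.net.debug" in v):
            findings.append(("LOW", key, "handshake debug logging is on; switch it off after troubleshooting"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])


def harden(settings):
    """Copy of settings with the HIGH findings fixed.  The value 'true' for
    hostnameverification is assumed; the thread only shows it set to false."""
    fixed = dict(settings)
    for key, value in settings.items():
        if key.endswith(".handshake.minVersion") and value.lower() in LEGACY_PROTOCOLS:
            fixed[key] = "tls"
        if key.endswith(".hostnameverification") and value.lower() == "false":
            fixed[key] = "true"
    return fixed


if __name__ == "__main__":
    current = parse_settings(SAMPLE)
    for sev, key, msg in audit(current):
        print(f"{sev:6} {key}: {msg}")
    print("after harden():", {k: v for k, v in harden(current).items() if current[k] != v})
```

The server-side minVersion is already tls in the sample and is not flagged, which matches the statement above that the client minVersion is the only setting that allows SSLv2/SSLv3 by default; the partners that still require SSLv2 cannot be accommodated by any value other than the legacy one, so the audit finding stays open until they upgrade.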

Hi Holger,

The server at partner side can handle TLS v1.0 for transport security.

We want to know if our environment can use both SSLv2 and TLS v1.0 for outgoing connections, and how we can set this in Extended Settings, because we connect to other partners using SSLv2.

Best regards,
Xu Jay

Hi Xu,

In this case you should leave the settings at the default values.

But you should get in contact with those partners who are still requiring sslv2 and check if they can update their systems to at least TLS v1.0 to enable you to update the client minVersion to tls.

Regards,
Holger

Hi Holger,

Thanks for your nice guidance.

We will configure the extended settings as you advise.

Best regards,
Xu Jay

Hello Holger,

Kindly please give a suggestion in advance.

I can't find anywhere to set the signing and encrypting algorithm in TN and IS. When sending a message, the algorithm defaults to SHA1.
I would like to know if wm8.2 can support SHA256 or above when signing and encrypting. If not, what do we need to do? How can we achieve this with minimum change?

Thanks a lot.

Xu Jay

Hi Xu,

which service are you using to sign messages?

Please check the IS Built-In-Services Reference for the services you are using.
They should have an optional Input parameter named hashAlgorithm or signatureAlgorithm, which defines the method.
SHA1 or SHA-1 is the default, set this to SHA256 or SHA-256 if it is possible according to Built-In-Services Reference.

Regards,
Holger