SSL Handshake Failed !!!

Soumen

My configuration is as follows:
WebSphere ND 8.5.5.5
IBM HTTP Server 8.5.5.5
Windows 2012 R2
TR 9.1.5.5
E9.1

I am trying to configure HTTPS with HTML and AIS. The way I have the current setup is I have a keystore with all server certificates copied over from a working Web Server running on HTTPS to IBM/HTTPServer/keys/.
I am referencing this keystore in my httpd.conf file with SSL enabled.

The error I am receiving on the HTTP Server error.log is ...

[client 10.200.2.117] [1d85280] [11660] SSL0271I: SSL Handshake Failed, client closed connection without sending any data. [10.200.2.117:8827 -> 10.200.2.132:443] [10:37:32.000558745]

On the browser side it displays a "500 Internal Server Error".

As I mentioned above, I have a working server with a similar config (the only difference being the OS, which is Windows 2008 R2) set up the same way with no issues. I have done a comparative analysis between both these servers but have not found anything different. I have also checked each certificate that is installed on the server using mmc > Certificate Snap-in.

I have also referred to the Oracle document on setting up SSL and have not found anything that I could be missing.

http://docs.oracle.com/cd/E24902_01/doc.91/e18841/secsoclayer.htm#EOHWU00007


My httpd.conf file setup for this port is ...

<VirtualHost 10.200.2.132:443>
SSLEnable
KeyFile "C:\IBM\HTTPServer\keys\SSBIZHUBDV\SSBIZHUBDV.kdb"
DocumentRoot "C:\IBM\WebSphere\AppServer\profiles\AppSrv01/installedApps/TXHDCWBS08Node01Cell/HTML_TXHDCWBS08_8094_DV910.ear\webclient.war/OWHTML"
ServerName SSBIZHUBDV
ServerAlias SSBIZHUBDV SSBIZHUBDV.SSSS.COM SSBIZHUBDV.SVC.SSSS.COM
Alias /jde "C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\TXHDCWBS08Node01Cell\HTML_TXHDCWBS08_8094_DV910.ear\webclient.war"
TransferLog C:\IBM\HTTPServer\logs\ssbizhubdv.log
</VirtualHost>
SSLDisable
<Directory "C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\TXHDCWBS08Node01Cell\HTML_TXHDCWBS08_8094_DV910.ear\webclient.war\WEB_INF">
Order Deny,Allow
Deny from All
</Directory>
<Directory "C:\IBM\WebSphere\AppServer\profiles\AppSrv01\installedApps\TXHDCWBS08Node01Cell\HTML_TXHDCWBS08_8094_DV910.ear\webclient.war">
Order Deny,Allow
Allow from All
</Directory>


And I have Virtual host entry on WebSphere as below...

ssbizhubdv 80
ssbizhubdv 443
ssbizhubdv.ssss.com 80
ssbizhubdv.ssss.com 443
ssbizhubdv.svc.ssss.com 80
ssbizhubdv.svc.ssss.com 443

On this same server, connections over HTTP are working just fine ... no issues. What could I be missing in my setup for SSL?
 
Hi - check your firewall settings. Do a telnet to those servers:ports and see if a connection is established. This error suggests the connection is timing out.

BTW, if you don't mind me asking... I noticed that you are still using IBM Websphere and as you know the technical support for IBM products from Oracle will end Sept. 30, 2016. Are you staying with IBM or migrating to Oracle Technology stack? How does that work for you?

Thanks.
 
Hi,

I went through the same pain a few weeks back, setting up https/ssl for our JAS/webservers :) I followed the Oracle document you've referenced many times and I was still getting the 'handshake' error. It's because the SSL/signer certificates are not present in the plug-in's keystore. Have a look at the document below - this resolved the issue for me.

http://www.ibm.com/support/knowledg...sphere.nd.doc/ae/tsec_sslextractsigncert.html

Do update when you've tried this; I've got to do this again for another environment/url/webserver shortly :)

Thanks/Regards,

Sanj

9.1, TR 9.1.5.5, WAS 8.5.5, SQL 2014, VMs
 
I was able to resolve the issue based on the pointers mentioned in the documents below...

http://publib.boulder.ibm.com/httpserv/ihsdiag/plugin_questions.html#GSK_ERROR_BAD_CERT
http://www-01.ibm.com/support/docview.wss?uid=swg21433593


So here is what was causing the issue.

The SSL Handshake failed message as noted in the error.log files was informational and may not be related to the actual issue.


The http_plugin.log file, however, was showing the error below (which I had not checked earlier).

[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereGetStream: Could not open stream
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereExecute: Failed to create the stream
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereHandleRequest: Failed to execute the transaction to 'TXHDCWBS08Node01_HTML_TXHDCWBS08_8094_DV910'on host 'TXHDCWBS08.svc.ssss.com'; will try another one
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereWriteRequestReadResponse: Failed to find an app server to handle this request
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ESI: getResponse: failed to get response: rc = 2
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereHandleRequest: Failed to handle request
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=TXHDCWBS08.svc.ssss.com,OU=TXHDCWBS08Node01Cell,OU=TXHDCWBS08Node01,O=IBM,C=US, Serial=00:da:72:24:71:2b:c7


Based on the error message "GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE", I referred to the doc mentioned below.

http://www-01.ibm.com/support/docview.wss?uid=swg21433593

It mentioned the cause of the issue as ..

"The cause of this problem is that the plug-in keystore does not have the correct SSL signer certificate to match with the SSL personal certificate from the WebSphere Application Server node."


So I did the following ...

1. Copied the files below from the working WebSphere machine to the non-working WebSphere machine under
\IBM\WebSphere\Plugins\config\

2. In the WebSphere console, start from Step 20 of the document mentioned above.

3. Restart
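The lesson in the resolution above is that the SSL0271I line in error.log was a symptom, while the GSK_ERROR_BAD_CERT line in http_plugin.log named the exact app server certificate whose signer was missing from the plug-in keystore (plugin-key.kdb by default). As an added example (not code from this thread, IBM or Oracle), here is a small Python triage script that applies that reading to constructed log lines modelled on the ones quoted above; the host, cell/node names and serial in the sample are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines modelled on the error.log and http_plugin.log
# entries quoted in this thread (host, cell/node names and serial are made up).
SAMPLE_LOG = """\
[client 10.0.0.1] [1d85280] [11660] SSL0271I: SSL Handshake Failed, client closed connection without sending any data. [10.0.0.1:8827 -> 10.0.0.2:443] [10:37:32.000558745]
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: ws_common: websphereGetStream: Could not open stream
[Thu Mar 10 08:55:36 2016] 000028dc 00001a20 - ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init: GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE DN=CN=appsrv01.example.com,OU=ExampleCell,OU=ExampleNode01,O=IBM,C=US, Serial=00:11:22:33:44:55:66
"""

# The GSKit failure line names the certificate the plug-in could not validate.
GSK_RE = re.compile(
    r"(?P<code>GSK_[A-Z_]+)\(gsk rc = (?P<rc>\d+)\)\s*PARTNER CERTIFICATE "
    r"DN=(?P<dn>.+?), Serial=(?P<serial>[0-9A-Fa-f:]+)"
)

@dataclass
class Finding:
    severity: str  # "info" or "error"
    source: str    # which IHS log the line belongs to
    message: str
    dn: Optional[str] = None
    serial: Optional[str] = None

def classify_line(line: str) -> Optional[Finding]:
    """Map one log line to a Finding, or None if it is not SSL-related."""
    if "SSL0271I" in line:
        # The client gave up before sending data: a symptom, not the cause.
        return Finding("info", "error.log",
                       "client closed connection before handshake; check http_plugin.log")
    m = GSK_RE.search(line)
    if m:
        return Finding("error", "http_plugin.log",
                       f"{m['code']} (rc={m['rc']}): plug-in keystore has no signer "
                       "for this application server certificate", m["dn"], m["serial"])
    if "ERROR: ws_common" in line or "ERROR: ESI:" in line:
        return Finding("error", "http_plugin.log",
                       "plug-in could not open a stream to the app server")
    return None

def triage(log_text: str) -> List[Finding]:
    return [f for f in map(classify_line, log_text.splitlines()) if f]

def missing_signers(findings: List[Finding]) -> List[tuple]:
    """Distinct (DN, serial) pairs whose signer must be added to the plug-in keystore."""
    return sorted({(f.dn, f.serial) for f in findings if f.dn and f.serial})
```

Run `triage()` over a real http_plugin.log and `missing_signers()` tells you which node's personal certificate to extract the signer for before repeating the plug-in keystore step.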
 

Thanks ... yes, the plug-in keystore is what was causing the issue. It is so frustrating because none of the Oracle documents mention this IMPORTANT step. I have an open SR with Oracle on this and I asked them to document this in their SSL setup.
 
BTW, if you don't mind me asking... I noticed that you are still using IBM Websphere and as you know the technical support for IBM products from Oracle will end Sept. 30, 2016. Are you staying with IBM or migrating to Oracle Technology stack? How does that work for you?

Thanks.

We are currently in negotiation phase through our partners with both IBM and Oracle related to this. I guess the direction we will eventually go (Red Stack or Blue Stack) will depend largely on the pricing and licensing cost.
 
I'm going to comment on this architecture - because it's a terribly bad methodology. Doing SSL directly at the WebSphere or WebLogic server is a bad idea - there are plenty of whitepapers and documents that talk about SSL offloading at the load balancer. You're restricting the performance and scalability of the J2EE servers if you are performing SSL on the WebSphere/WebLogic. It's a horrible, horrible load on those servers.

All decent load-balancer devices perform SSL Offloading - including the open-source Zen Loadbalancer : http://www.zenloadbalancer.com/manage-certificates-with-zen-load-balancer/

Seriously, you should reconsider SSL and whether you should be performing SSL Offloading instead.
 
Jon,

I totally agree with you that doing SSL directly on the JAS server is a horrible architecture. We have been running CITRIX NetScaler ever since we upgraded to 9.1 back in 2014 and ever since we have always had the SSL certificates on the load balancer performing SSL offloading. But we faced major issues while trying to deploy AIS mobility in JDE. We could not make SSL offloading work on the load balancer with the AIS apps. We engaged both CITRIX and Oracle (Oracle of course was not much help here) for this and even they could not give us a solution to make SSL offloading work for AIS. We have been working with them for months now. Eventually CITRIX suggested the SSL-BRIDGE protocol (which is basically keeping the certificate on WebSphere), which seemed to work.

So we rolled out a separate WebSphere instance with AIS and HTML components specifically for Mobility and keep the certificate on WebSphere. Trust me, as a CNC I would never approve of such an architecture, but there are components which are out of my scope. If your infrastructure team throws their hands up at you saying this is the best we can do for now ... you are left with no choice. Hope you get my point here! ;-)
 
Ugh - that's terrible news for AIS. Sounds like JDE needs to pull their finger out and figure out a better way to get this working. SSL offloading is an architecture that even Oracle recommends - so for this to be an issue with AIS is a major bug. Thank you for clarifying the situation - but I did want to still put the point across for those people interested in SSL in the future that visit this page !!!
 
We run AIS (as well as everything else) in both our 9.1 and 9.2 labs and the SSL is handled by a separate Apache Web server which runs as a reverse proxy. There was an issue with the earlier JDE mobile apps that the version of MAF they had been built with only supported the older 128bit keys but this has since been updated.

I'm not sure what the deal is with WebSphere, but there are some settings that need to be set on the WebLogic server to get SSL to work, nothing major.

Edit: If you think getting the AIS SSL offloading is difficult you should try putting ADF components behind load balancers with SSL. That is more art than science and we had to resort to network sniffing the REST calls between the ADF server, AIS server and JAS server just to work it out. Logged a call with Oracle for some help at the time but after 20 days all they could say was the developer responsible was on leave :)
 
Thank you for your valued feedback and comments, Jon. I would agree it's not the best method, and on our Production system we are using an F5 solution with SSL configured on the F5. The SSL setup I've discussed here is configured for a single JAS instance (Training Environment).

Thanks,

Sanj
 