Liberty for Java app on Bluemix throws SQLNonTransientException - java

My Liberty for Java app is throwing the following exception when I attempt to connect with the dashDB Service on Bluemix:
[err] SQLException information java.sql.SQLNonTransientException:
[jcc][t4][2030][11211][4.8.86] A communication error occurred during
operations on the connection's underlying socket, socket input stream,
or socket output stream. Error location: T4Agent.sendRequest().
Message: Received fatal alert: handshake_failure. ERRORCODE=-4499,
SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499

This looks like it may be an SSL failure. Try following the instructions in this technote: http://www-01.ibm.com/support/docview.wss?uid=swg22001150.
You will need to make sure you are using the correct version of Java, the correct JDBC driver, and ensure that your ciphers are set up properly.

This could be due to the dashDB SSL certificate not being available in the truststore used by your Liberty application.
You have a few options:
repackage Liberty with the truststore
import the certificate programmatically at runtime
You can see more information on both of these options here: Add certificate to truststore to enable SSL communication

Related

How to connect to Sybase ASE using JDBC driver and SSL connection

I'm trying to establish an SSL connection to a Sybase ASE 15.7 using JDBC driver with no luck.
I tried the following options:
Using JTDS 1.25 driver (jtds-1.2.5.jar)
With the following connection string: jdbc:jtds:sybase://host:port;databaseName=dbname;ssl=request
I got Network error IOException: Connection refused
Using Jconnect 4 (jconn4.jar)
with the following connection string:
jdbc:sybase:Tds:host:port/dbname?ENABLE_SSL=true
I got java.sql.SQLException: JZ00L: Login failed. Examine the SQLWarnings chained to this exception for the reason(s)
...
java.sql.SQLException: I/O Error: DB server closed connection.
I checked the Sybase log see the following error:
kernel SSL or Crypto Error Message: 'The SSL handshake failed. Root error: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol'.
it looks like the Sybase server expects SSL connection but the java client still not using SSL (although connection string property marks ssl=true).
tried searching Sybase documentation with not much luck, neither for this error nor for SSL with JConnect.
Any answer will be much appreciated - i'm flexible with the type of driver and the configuration.
Thanks
After much investigation, I found a solution. 2 actually.
Using trust all certificate JDBC connection string parameter:
if you don't mind trusting all certificates (do this only if you entirely trust the network you're working in, and never for anything going over the public internet), you may add a connection string parameter telling the SSLSocketFactory that creates the connection to trust all certificates. The connection string will look as follows: jdbc:sybase:Tds:host:port/dbname?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true
Using the sybase certificate:
the certificate needs to be imported to the java application trust store.
in case you're not working with a designated trust store, it may be imported to the Java default trust store found under $JAVA_HOME\jreX\lib\security\cacerts. The certificate may be imported using keytool as explained here.
Although zuckermanori's answer provides some key details, I am adding more steps below which are required:
1. Provide the right JDBC jar which supports SSL when creating the Spark session. I was earlier using jconn3-6.0.0.jar, which doesn't support SSL. Later, I used jconnect-16.0_SP02.jar, which worked fine.
Example pyspark command to pass the driver jar would be -
pyspark --jars /path/to/your/jdbc/driver/jar
2. Provide additional Java args as follows in the same command to give the trust store location (which has the certificates):
--conf spark.driver.extraJavaOptions="-Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=your_truststore_password"
3. Use the right string to load the driver in option. Earlier I was using 'com.sybase.jdbc4.jdbc.SybDriver' which didn't work. Then the below worked for me:
.option("driver", "com.sybase.jdbc4.jdbc.SybDriver")
4. Use right connection string to provide additional ssl options as per the driver. E.g. -
.option("url", "jdbc:sybase:Tds:host_name:ssl_port/database_name?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true&ssl=request")
Additional options required -
.option("ssl", True).option("sslmode", "require")
To sum it up, this is how your pyspark command should look (if you are using yarn mode, then the truststore should be accessible on all nodes; below is the example for Spark local mode):
pyspark --jars /path/to/your/jdbc/driver/jar --conf spark.driver.extraJavaOptions="-Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=your_truststore_password" --master local
And this is how your jdbc read look like -
(spark.read.format("jdbc")
    .option("url", "jdbc:sybase:Tds:host_name:ssl_port/database_name?ENABLE_SSL=true&SSL_TRUST_ALL_CERTS=true&ssl=request")
    .option("driver", "com.sybase.jdbc4.jdbc.SybDriver")
    .option("ssl", True)
    .option("sslmode", "require")
    .option("user", "your_user_name")
    .option("password", "your_password")
    .option("dbtable", "db.dbo.table_name")
    .load()
    .show(5))

Poodle and Websphere ESB / Process Server trying to call an external TLS service

I had the following error when calling a service that requests at least TLS (no SSL3 for you Poodle!).
com.ibm.websphere.sca.ServiceUnavailableException: Could not obtain a connection to the destination or Exception was happened on the connection. Failed to process the request. Unsupported record version Unknown-0.0
at com.ibm.ws.http.imprt.handler.HTTPImportService.sendHTTPRequest(HTTPImportService.java:254)
at com.ibm.ws.http.imprt.handler.HTTPImportHandler.processMessage(HTTPImportHandler.java:261)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:999)
at com.ibm.ws.sca.uow.handler.UOWNativeWASStrategyImpl.transactionImportExport(UOWNativeWASStrategyImpl.java:455)
at com.ibm.ws.sca.uow.handler.JoinUOWNativeHandler.processMessage(JoinUOWNativeHandler.java:168)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:990)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.SCAInvocationAction.invokeSync(SCAInvocationAction.java:554)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.RetryControl.invokeByStyle(RetryControl.java:379)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.RetryControl.invokeWithRetry(RetryControl.java:253)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.ServiceInvocation.complete(ServiceInvocation.java:127)
at com.ibm.ws.sibx.mediation.flowaction.impl.sca.FlowActionFactoryImpl.create(FlowActionFactoryImpl.java:750)
at com.ibm.ws.sibx.mediation.primitives.serviceinvoke.ServiceInvokeMediation.invokeFlowAction(ServiceInvokeMediation.java:651)
at com.ibm.ws.sibx.mediation.primitives.serviceinvoke.ServiceInvokeMediation.mediate(ServiceInvokeMediation.java:564)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:741)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.SIBXJavaMediationPrimitive.invoke(SIBXJavaMediationPrimitive.java:108)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.fireOutputTerminals(JavaMediationPrimitive.java:843)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:763)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.fireOutputTerminals(JavaMediationPrimitive.java:843)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocation(JavaMediationPrimitive.java:763)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.performInvocationWithCatch(JavaMediationPrimitive.java:577)
at com.ibm.ws.sibx.scax.mediation.engine.JavaMediationPrimitive.invoke(JavaMediationPrimitive.java:397)
at com.ibm.ws.sibx.scax.mediation.engine.MediationPrimitive.invokeConnections(MediationPrimitive.java:344)
at com.ibm.ws.sibx.scax.mediation.engine.Input.invoke(Input.java:245)
The config was WebSphere 8.0.0.7 with WebSphere Process Server 8.0.1.2, and I was calling an HTTP service using an HTTP import over https; WAS was already using an SSL configuration with TLS (tried several options, all the same error) and the ssl.client.props file already followed the IBM recommendations (tried several combinations).
Then we moved to FIPS with transitional support but another issue appeared
com.ibm.websphere.sca.ServiceUnavailableException: Could not obtain a connection to the destination or Exception was happened on the connection. Failed to process the request. SSL protocol cannot be enabled in FIPS/SP800_131/suiteb mode
at com.ibm.ws.http.imprt.handler.HTTPImportService.sendHTTPRequest(HTTPImportService.java:254)
at com.ibm.ws.http.imprt.handler.HTTPImportHandler.processMessage(HTTPImportHandler.java:261)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessageWithPCI(MessageDispatcherImpl.java:785)
at com.ibm.ws.sca.internal.message.impl.MessageDispatcherImpl.processMessage(MessageDispatcherImpl.java:1626)
at com.ibm.ws.sca.internal.message.impl.ManagedMessageImpl.process(ManagedMessageImpl.java:999)
at com.ibm.ws.sca.uow.handler.UOWNativeWASStrategyImpl.transactionImportExport(UOWNativeWASStrategyImpl.java:455)
at com.ibm.ws.sca.uow.handler.JoinUOWNativeHandler.processMessage(JoinUOWNativeHandler.java:168)
The problem was within the HTTP import internal component (it was using SSL as a hardcoded configuration), so I wrote my own HTTP client in custom Java and called it a day. No fix pack at that moment.
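Two of the errors on this page are the same wire-level check failing on different sides. The Sybase log line "SSL23_GET_CLIENT_HELLO:unknown protocol" is OpenSSL saying the first bytes it read from the client were not any hello it recognises, i.e. the client never started TLS; the WESB message "Unsupported record version Unknown-0.0" is the client-side counterpart, JSSE reading a record header whose version bytes it could not recognise. The following added example (written for this page, not code from Sybase, IBM, OpenSSL or any poster above) builds a minimal ClientHello, parses the first record a TLS-only server would see, and classifies it the way such a server would: cleartext, SSLv2-style hello, SSLv3 hello (refused after POODLE), or an acceptable TLS hello. The sample bytes are constructed inline; the ClientHello carries no extensions, which is enough for the parser but less than a real client sends.

```python
"""Classify the first bytes a TLS server reads from a new connection.

Added example for this page, not code from any of the threads above or from
Sybase, IBM or OpenSSL.  The sample bytes are constructed inline, and the
ClientHello built here is a minimal TLS 1.0-1.2 hello with no extensions
(enough to exercise the parser; real clients send SNI and more).
"""
import struct

HANDSHAKE = 0x16        # TLS record content type for handshake messages
CLIENT_HELLO = 0x01     # handshake message type
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_client_hello(version=(3, 3), cipher_suites=(0x002F, 0x0035), record_version=(3, 1)):
    """Construct a ClientHello record.  Suite 0x002F is TLS_RSA_WITH_AES_128_CBC_SHA,
    0x0035 is TLS_RSA_WITH_AES_256_CBC_SHA (assumed defaults for the example)."""
    body = bytes(version)
    body += b"\x11" * 32                       # client_random: fixed here, random in real clients
    body += b"\x00"                            # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                        # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(record_version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Parse a ClientHello from the first record on the wire.
    Raises ValueError with the reason when the bytes are not one."""
    if len(data) < 5:
        raise ValueError("fewer than 5 bytes: no TLS record header")
    ctype, vmaj, vmin = data[0], data[1], data[2]
    rlen = struct.unpack("!H", data[3:5])[0]
    if ctype != HANDSHAKE or vmaj != 3:
        raise ValueError("unknown protocol: content type %#04x, record version %d.%d" % (ctype, vmaj, vmin))
    hs = data[5:5 + rlen]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("handshake record, but first message is not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 34                                   # client_version(2) + random(32)
    pos += 1 + body[pos]                       # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                       # skip compression methods
    return {
        "record_version": (vmaj, vmin),
        "client_version": client_version,
        "version_name": VERSION_NAMES.get(client_version, "unknown"),
        "cipher_suites": suites,
        "has_extensions": pos < len(body),
    }


def classify_first_bytes(data):
    """Return (accepted, reason) the way a TLS-only server would judge the bytes."""
    if len(data) > 2 and data[0] & 0x80 and data[2] == 0x01:
        return False, "SSLv2-compatible CLIENT-HELLO: rejected by a server that only speaks TLS"
    try:
        hello = parse_client_hello(data)
    except (ValueError, struct.error, IndexError) as err:
        return False, "not a TLS ClientHello (%s): the client never started TLS" % err
    if hello["client_version"] < (3, 1):
        return False, "%s ClientHello: a TLS-only server refuses it (POODLE mitigation)" % hello["version_name"]
    return True, "%s ClientHello offering %d cipher suite(s)" % (hello["version_name"], len(hello["cipher_suites"]))


if __name__ == "__main__":
    samples = {
        "tls12": build_client_hello(),
        "sslv3": build_client_hello(version=(3, 0)),
        "cleartext": b"GET / HTTP/1.1\r\n",      # constructed: a client that ignored its ssl= flag
    }
    for name, raw in samples.items():
        print(name, classify_first_bytes(raw))
```

Run it against the real first bytes of a failing connection (from a Wireshark capture on the server side) and the reason string tells you which side to fix: "unknown protocol" means the client library is not enabling TLS at all, whatever its connection string says; an SSLv3 hello means the client's protocol list needs raising, not the server's lowering.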

Exception while connecting to mail server

I got the following exception while connecting to Mail server from IBM WAS.
javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: java.net.SocketException: java.security.PrivilegedActionException: java.io.FileNotFoundException: D:\Program Files (x86)\IBM\WebSphere\AppServer\jre\lib\security\cacerts (The system cannot find the path specified.)
My question is:
What is the certificate that I should import? Is it the mail server's certificate which needs to be imported into WAS? Should I ask the mail server admin to share the certificate?
Once I figure out which certificate, I plan to follow these instructions to import it:
How to connect to a secure website using SSL in Java with a pkcs12 file?
That link is not the correct way to use mail sessions in WAS. Check this Websphere 7 javax.mail.MessagingException: SSLSocketFactory is null.
Try to use the default WebSphere SSL configuration and a Mail session resource. You will need to add your mail server certificate to the trust store (NodeDefaultTrustStore or CellDefaultTrustStore, depending on whether you use the standalone or the network deployment version).
It should be possible to get mail server cert using a browser, when you connect using https://mailserver:port/ it should give you certificate which you could save locally and add to truststore. If you will have problems contact mail server admin.
PrivilegedActionException also suggests that you may have Java 2 security enabled. Check if it is enabled and whether you really need it.

Missing ServerHelloDone while SSL Handshake

I try to connect to a wss (Secure WebSocket) server with a Java applet but the SSL handshake fails without any helpful log entries.
If I connect to wss://echo.websocket.org the handshake works fine, so I think it's not a general java code error.
If I try to connect to my own server, the HelloDone bit is sent (verified by Wireshark) but the connection ends in a hang-up and it's not in the log. Normally there should be the following message in the log: "*** ServerHelloDone"
See my Java console log of "javax.net.debug=ssl"
http://pastebin.com/ZuvKww4J
It is not truncated, it simply ends there.
After a couple of seconds the tcp connection timeout message is added to the log.
I use the following example of java code:
https://github.com/TooTallNate/Java-WebSocket/blob/master/src/main/example/SSLClientExample.java
But instead of keystore I use:
sslContext.init( null, null, null );
For the server I have two different test systems:
At port 443 a ha-proxy
at port 8443 a stunnel.
I tried to isolate the error with different methods. First I forced with stunnel the same cipher as echo.websocket.org "SSL_RSA_WITH_RC4_128_SHA" but no success.
Second, I checked if the SSL certificate itself is still valid. But since a web browser and a normal https connection from my Java applet are accepted by the server (same server, ha-proxy or stunnel), everything is working at that point too.
Problem was solved by maintainer of Java-WebSocket.
Big thanks
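The question above hinges on where a javax.net.debug=ssl trace stops: a full handshake logs the server's flight through "*** ServerHelloDone", then the client's ClientKeyExchange and two Finished messages. Below is an added example (written for this page; it is not from the Java-WebSocket project, the pastebin in the question, or any poster) that scans such a trace and reports the last handshake message seen and which side to look at. The two traces are constructed to match the "*** <Message>" lines JSSE on Java 7/8 prints; the hints are general troubleshooting pointers, not claims about the asker's haproxy or stunnel setup.

```python
"""Report how far a TLS handshake got from a javax.net.debug=ssl trace.

Added example for this page; it is not from the Java-WebSocket project or
from any thread above.  The traces below are constructed to match the
'*** <Message>' lines JSSE (Java 7/8) prints for each handshake message.
"""

# Messages a full TLS 1.0-1.2 handshake logs, in order.  The server's flight
# ends with ServerHelloDone; the client answers with ClientKeyExchange and
# Finished, and the server's own Finished closes the handshake.
KNOWN = [
    "ClientHello", "ServerHello", "Certificate chain", "ServerKeyExchange",
    "CertificateRequest", "ServerHelloDone", "ClientKeyExchange",
    "CertificateVerify", "Finished",
]
# longest names first so "ServerHelloDone" is not matched as "ServerHello"
_BY_LENGTH = sorted(KNOWN, key=len, reverse=True)


def handshake_messages(trace):
    """Extract the handshake messages from a trace, in the order logged."""
    found = []
    for line in trace.splitlines():
        if not line.startswith("*** "):
            continue
        text = line[4:].split(",")[0]          # drop ", TLSv1.2" style suffixes
        for name in _BY_LENGTH:
            if name in text:                   # "ECDH ServerKeyExchange", "ECDHClientKeyExchange", ...
                found.append(name)
                break
    return found


def diagnose(trace):
    """Say where the handshake stopped and what that usually points at."""
    msgs = handshake_messages(trace)
    last = msgs[-1] if msgs else None
    server_done = "ServerHelloDone" in msgs
    if msgs.count("Finished") >= 2:
        state = "complete"
        hint = "both Finished messages logged; the failure is after the handshake"
    elif not msgs:
        state = "no handshake"
        hint = "no handshake messages at all: TCP connect, or the trace itself, is the problem"
    elif not server_done:
        state = "stalled in server flight"
        if last == "ClientHello":
            hint = "no ServerHello: the server rejected the hello (version or cipher mismatch) or is not speaking TLS"
        else:
            hint = ("server flight cut off after %s, no ServerHelloDone: capture on both sides of any "
                    "proxy or TLS terminator to see who dropped it" % last)
    else:
        state = "stalled after server flight"
        hint = "client stopped after %s: the exception logged next (for example certificate validation) gives the reason" % last
    return {"messages": msgs, "last": last, "server_flight_complete": server_done,
            "state": state, "hint": hint}


# Constructed traces (not the pastebin from the question).
COMPLETE_TRACE = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
*** ECDH ServerKeyExchange
*** ServerHelloDone
*** ECDHClientKeyExchange
*** Finished
*** Finished
"""

STALLED_TRACE = """\
*** ClientHello, TLSv1
*** ServerHello, TLSv1
*** Certificate chain
chain [0] = [ (constructed certificate dump) ]
***
"""

if __name__ == "__main__":
    for name, trace in (("complete", COMPLETE_TRACE), ("stalled", STALLED_TRACE)):
        result = diagnose(trace)
        print(name, result["state"], "-", result["hint"])
```

Feed it the console output of the applet (python3 handshake_trace.py < trace.log after wrapping the call in sys.stdin.read(), or paste the trace into STALLED_TRACE); a trace that ends at "Certificate chain" with no ServerHelloDone, as in this question, places the break inside the server's flight rather than in certificate validation on the client.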

How to create Tomcat keystore file using JAVA

I am creating a http connection to SSL enabled tomcat server but it generates error SSL Handshake failed
So I want to create a keystore at runtime as i will be contacting multiple SSL enabled servers (Don't know this approach will be successfull or not)
Please suggest a way to how to create a tomcat keystore file using java program or any other way to bypass SSL handshake
Where are you getting sslhandshake error exactly? While client wants to connect to tomcat server or while tomcat server is trying to connect to other servers for some purpose? And can you paste the exception trace?
In either case, it does not make any sense to create a keystore programmatically in a server, but one can inspect Java's keytool source code to play with keystores.
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/tools/KeyTool.java/
Look at the How-To guide SSL configuration on Tomcat's official site
http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
