Remedy - Server - TLS 1.0 error when consuming an external web service from a Filter or Escalation

Version 2
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    Remedy AR System Server


    COMPONENT:

    AR System


    APPLIES TO:

    Remedy AR System Server with Java version 1.7 or lower



    QUESTION:

    When consuming an external web service (via a Filter or Escalation) that requires TLS 1.1 or 1.2, you may receive the following error (or similar) related to an unsupported TLS version:
    .............
    Error encountered while executing a Web Service: UNSUPPORTED_CLIENT: TLS 1.0 has been disabled. Please use TLS 1.1 or 1.2 (ARERR 9130)

    .............


     


    ANSWER:

    To resolve this problem, you must set the following Java argument to enable Java to allow a larger list of TLS protocol versions when it connect to different sites.

    -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2

      
    For ARServer 8.x (and lower):
    -  Add this JVM argument in the armonitor.cfg file, to the line that starts the Java Plugin Server, for example: 
    ......................... 
    "C:\<path>\Java\jre\bin\java" -Xmx512m -classpath "C:\BMCSoftware\ARSystem\pluginsvr;C:\BMCSoftware\ARSystem\pluginsvr\arpluginsvr81_build001.jar;C:\BMCSoftware\ARSystem\approval\bin\armaskingImpl81_build001.jar;C:\BMCSoftware\ARSystem\arserver\api\lib\arcmnapp81_build001.jar" -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 com.bmc.arsys.pluginsvr.ARPluginServerMain -x <server_name> -i "C:\BMCSoftware\ARSystem" –m
    ......................... 
    *Requires a restart of the Java plugin server or ARServer 

    For ARServer 9.x (and higher):
    - Add this JVM argument to the arserver.config file, by creating a new “jvm.option.#” line, where # is the next available number, for example (if “jvm.option.14 is the last numbered option): 
    ......................... 
    jvm.option.15=-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
    ......................... 
    *Requires a restart of the ARServer 

    Note:
    This occurs when the default TLS client version of Java is version 1.0, and the external endpoint URL site requires TLS 1.1 or 1.2 to communicate. 
    The best approach is to have Java version upgraded to 1.8 since the TLS version for clients is by default is enabled using the TLS version 1.2 which is backwards compatible with earlier TLS versions. 

    Check the following from the Java website: 
    https://blogs.oracle.com/java-platform-group/entry/diagnosing_tls_ssl_and_https
    .............................. 
    The following chart depicts the protocols and algorithms supported in each JDK version:                                                                                                                                                      
     JDK 8
    (March 2014 to present)
    JDK 7
    (July 2011 to present)
    JDK 6
    (2006 to end of public updates 2013)
    TLS ProtocolsTLSv1.2 (default)
    TLSv1.1
    TLSv1
    SSLv3
    TLSv1.2
    TLSv1.1
    TLSv1 (default)
    SSLv3

    TLS v1.1 (JDK 6 update 111 and above)
    TLSv1 (default)
    SSLv3
    JSSE Ciphers:Ciphers in JDK 8Ciphers in JDK 7Ciphers in JDK 6
    Reference:JDK 8 JSSEJDK 7 JSSEJDK 6 JSSE
    Java Cryptography Extension, Unlimited Strength (explained later)JCE for JDK 8JCE for JDK 7JCE for JDK 6
    ...................... 



      

     


    Article Number:

    000118650


    Article Type:

    FAQ/Procedural



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles