BSA version 8.7 webservice communication with BAO 7.6 does not work with certificate error

Version 1

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BMC Atrium Orchestrator Application Adapters


    COMPONENT:

    BMC Atrium Orchestrator Content



    PROBLEM:

    When integrating BAO 7.6.03 running content 20.15.03 with BSA 8.7, we are receiving an invalid certificate error even though the certificates are correct. The adapter goes into false state, and the grid log states that it cannot download and install the certificate from the appserver.

    javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at com.realops.commons.ssl.CertificateManagement.installCerts(CertificateManagement.java:143)
        at com.realops.adapter.ws.soap.SoapRpcActorAdapter.performAction(SoapRpcActorAdapter.java:784)
        at com.realops.adapter.bladelogic.cli.tunnel.BladeLogicCLITunnel.performAction(BladeLogicCLITunnel.java:392)
        at com.realops.adapter.bladelogic.cli.tunnel.BladeLogicCLITunnel.getSessionId(BladeLogicCLITunnel.java:82)
        at com.realops.adapter.bladelogic.cli.tunnel.BladeLogicCLITunnel.initialize(BladeLogicCLITunnel.java:56)
        at com.realops.adapter.bladelogic.operationsmanager.BladeLogicOperationsManagerActorAdapter.initialize(BladeLogicOperationsManagerActorAdapter.java:743)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at com.realops.common.util.proxy.ContextClassLoaderDecoratorFactory$IsolatedInvocationHandler.doInvoke(ContextClassLoaderDecoratorFactory.java:79)
        at com.realops.common.util.proxy.AbstractInvocationHandler.invoke(AbstractInvocationHandler.java:89)
        at com.sun.proxy.$Proxy228.initialize(Unknown Source)
        at com.realops.foundation.adapterframework.AdapterManager.startAdapter(AdapterManager.java:2028)
        at com.realops.foundation.adapterframework.AdapterManager.startAdapter(AdapterManager.java:1944)
        at com.realops.foundation.adapterframework.AdapterManager.restartAdaptersInMap(AdapterManager.java:1447)
        at com.realops.foundation.adapterframework.AdapterManager.configurationUpdated(AdapterManager.java:1263)
        at com.realops.foundation.adapterframework.AdapterConfigurationObserver.configurationUpdated(AdapterConfigurationObserver.java:82)
        at com.realops.foundation.configuration.Configuration$ConfigurationObserverContainer.notifyConfigurationUpdated(Configuration.java:369)
        at com.realops.foundation.configuration.Configuration.notifyConfigurationUpdated(Configuration.java:190)
        at com.realops.foundation.configuration.ArchiveConfiguration$ActivationObserver.onActiveLibrariesModified(ArchiveConfiguration.java:1692)
        at com.realops.foundation.librarymanager.RepositoryLibraryManager$ActiveLibrariesObserverContainer.notifyActiveLibrariesModified(RepositoryLibraryManager.java:1636)
        at com.realops.foundation.librarymanager.RepositoryLibraryManager.activate(RepositoryLibraryManager.java:686)
        at com.realops.foundation.librarymanager.DefaultSharedLibraryManager.activate(DefaultSharedLibraryManager.java:585)
        at com.realops.foundation.librarymanager.DefaultSharedLibraryManager.activate(DefaultSharedLibraryManager.java:496)
        at com.realops.foundation.librarymanager.Activation.performOn(Activation.java:925)
        at com.realops.foundation.librarymanager.Activation.access$100(Activation.java:51)
        at com.realops.foundation.librarymanager.Activation$ActivationTask.run(Activation.java:142)
        at java.lang.Thread.run(Unknown Source)
    Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
        ... 33 more
    02 Mar 2016 15:41:22,728 INFO  CertificateManagement : Could not obtain server certificate chain
    02 Mar 2016 15:41:22,728 DEBUG CertificateManagement : Certificate installation aborted since certificate is not valid.
    02 Mar 2016 15:41:22,728 ERROR CertificateManagement : SSL security Exception: Certificate downloaded from <HOSTNAME>:10843 is invalid.
    java.security.cert.CertificateException: Certificate downloaded from <HOSTNAME>:10843 is invalid.


    CAUSE:

    BSA 8.7 uses Java 1.8, which doesn't allow the SSLv2Hello or SSLv3 protocols.


    SOLUTION:

    1. Connect to the server where you have installed the BSA appserver.
    2. Stop the appserver service
    3. Open an NSH console and run command "blasadmin".
    4. Run the command "show appserver EnabledCipherSuites"
    5. Copy the returned values.
    6. Run the command "set Appserver EnabledCipherSuitesForWebservices <paste the copied cipher values from step (5)>"
    7. Run the command "set Appserver SslBackwardCompatibility false" (run only if current value is true)
    8. Start the appserver service
    9. Restart the BSA adapter in BAO Grid Manager.

    If you set SslBackwardCompatibility to true, BSA does not explicitly set any of the protocols in the system. Whatever protocols Java supports by default are picked up, and because the JDK 1.8 used by BSA doesn't allow the SSLv2Hello or SSLv3 protocols at all, you will see an SSL handshake failure. If you set it to false, the protocols that BSA already has specified in its appserver-options file (basically the blasadmin settings) are picked up and the connection works. To view that file, locate appserver-options.properties in <installDirectory>/br/deployments/<deploymentName>/options/ and open it for editing.
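
    The "certificate is invalid" error above is reported even though no certificate was ever received: the handshake was closed first. As an added example (not BMC code), the following Python sketch triages a grid log excerpt and separates that case from a genuine certificate rejection. The function name triage, the validation marker list (standard Java exception text) and the second sample incident are assumptions made for illustration.

```python
import re

# Markers that mean the TLS handshake ended before any certificate arrived.
ABORT_MARKERS = (
    "Remote host closed connection during handshake",
    "SSL peer shut down incorrectly",
    "Could not obtain server certificate chain",
)
# Standard Java messages that mean a received certificate failed validation.
VALIDATION_MARKERS = (
    "PKIX path building failed",
    "CertificateExpiredException",
    "CertificateNotYetValidException",
)
INVALID_RE = re.compile(
    r"ERROR\s+CertificateManagement\s*:.*Certificate downloaded from (\S+) is invalid")

# Constructed sample: incident 1 reuses lines from this article's log excerpt;
# incident 2 (bsa.example.test) is invented for contrast.
SAMPLE_LOG = """\
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
Caused by: java.io.EOFException: SSL peer shut down incorrectly
02 Mar 2016 15:41:22,728 INFO  CertificateManagement : Could not obtain server certificate chain
02 Mar 2016 15:41:22,728 ERROR CertificateManagement : SSL security Exception: Certificate downloaded from <HOSTNAME>:10843 is invalid.
java.security.cert.CertificateException: Certificate downloaded from <HOSTNAME>:10843 is invalid.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed
03 Mar 2016 09:10:05,114 ERROR CertificateManagement : SSL security Exception: Certificate downloaded from bsa.example.test:10843 is invalid.
"""

def triage(log_text):
    """Return (endpoint, verdict, evidence) for each 'is invalid' ERROR line."""
    results, window = [], []
    for line in log_text.splitlines():
        match = INVALID_RE.search(line)
        if not match:
            window.append(line)
            continue
        aborts = [m for m in ABORT_MARKERS if any(m in w for w in window)]
        rejects = [m for m in VALIDATION_MARKERS if any(m in w for w in window)]
        if rejects:
            verdict = "certificate-rejected"   # inspect the chain / truststore
        elif aborts:
            verdict = "handshake-aborted"      # inspect protocol / cipher settings
        else:
            verdict = "undetermined"
        results.append((match.group(1), verdict, rejects or aborts))
        window = []                            # next incident starts fresh
    return results

if __name__ == "__main__":
    for endpoint, verdict, evidence in triage(SAMPLE_LOG):
        print(endpoint, verdict, evidence)
```

    A "handshake-aborted" verdict points at the protocol and cipher settings changed in the steps above rather than at the certificates themselves.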


    Article Number:

    000105714


    Article Type:

    Solutions to a Product Problem


