BSA: Error while adding new AO configuration connection from BSA console - AO Connection Failed: Secure Connection to AO failed. Please check your secure connection setup

Version 2
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    BladeLogic Server Automation - Configuration Module


    COMPONENT:

    BladeLogic Server Automation


    APPLIES TO:

    BSA 8.x



    PROBLEM:

    The following issue is encountered after following the below steps as described in the product documentation:

    Login to BSA Console
    Configuration --> Integration Configuration --> AO Configuration
    Add a new connection
    Provide AO host/Port/Grid Name/User Name/Password and check ssl Enabled?

    This fails with the following error:
     

    AO Connection Failed: Secure Connection to AO failed. Please check your secure connection setup
      
    Or during a Workflow Job run where you may see the below trace in the BSA appserver Log:  
    [24 Jul 2018 10:55:44,619] [WorkItem-Thread-57] [ERROR] [BLAdmin:BLAdmins:] [Workflow] The following WSDL exception occurred:      WSDLException: faultCode=WSDL4JWrapper : : javax.wsdl.WSDLException:       WSDLException: faultCode=WSDL4JWrapper : : javax.net.ssl.SSLHandshakeException:        Received fatal alert: handshake_failurejavax.xml.ws.WebServiceException: The following WSDL exception occurred: WSDLException:    faultCode=WSDL4JWrapper : : javax.wsdl.WSDLException: WSDLException:     faultCode=WSDL4JWrapper : : javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure [...] Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=WSDL4JWrapper : : javax.net.ssl.SSLHandshakeException:   Received fatal alert: handshake_failure        at org.apache.axis2.jaxws.util.WSDL4JWrapper.commonPartsURLConstructor(WSDL4JWrapper.java:203)         ... 26 more Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [...]

     


    CAUSE:

    AO certificates from CDP keystore is not imported to BSA cacerts or incompatible ciphers for SSL handshake.


    SOLUTION:

    There are a number of possible causes to this error.

    First, check that all of the documented steps in Enabling secure communication with BMC Atrium Orchestrator are followed, most importantly that the certificate exported from each CDP's keystore has been imported to the BSA AppServer's keystore (<install>/NSH/br/java/lib/security/cacerts for Linux or <install>\NSH\jre\lib\security\cacerts for Windows) on all BSA application servers and the application server has been restarted after.

    Additionally check:

    The TLS versions configured for BSA and BAO match.  For BAO look at the <BAO Install>\tomcat\conf\server.xml  for a section like:

    <Connector SSLEnabled="true" URIEncoding="UTF-8" ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,...TLS_ECDH_anon_WITH_AES_256_CBC_SHA"  clientAuth="false" keystoreFile="C:\Program Files\BMC Software\BAO\CDP\tomcat\conf\.keystore" maxSwallowSize="-1" maxThreads="150"  port="38080" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"  sslProtocol="TLS" useServerCipherSuitesOrder="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    For BSA look in the   <install>\NSH\br\deployments\<deploymentName>\options\appserver-options.properties file for:  
    EnabledAppserverClientProtocols=TLSv1,TLSv1.2
      
    or an argument like the following in the   JVMArgs setting:  
    -Dhttps.protocols=TLSv1.1,TLSv1.2
      


    Check that the list of Ciphers used by BAO and BSA contain common ciphers (they don't have to exactly match but must share at least one common cipher). 
    For BAO   look at the <BAO Install>\tomcat\conf\server.xml  in the same section above:  
    ciphers="SSL_RSA_WITH_3DES_EDE_CBC_SHA,...TLS_ECDH_anon_WITH_AES_256_CBC_SHA"
    For BSA   <install>\NSH\br\deployments\<deploymentName>\options\appserver-options.properties:  
    EnabledCipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA
      















      

     


    Article Number:

    000134204


    Article Type:

    Solutions to a Product Problem



      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles