Bluemix liberty runtime handshake failure while accessing dashDB datasource - ibm-cloud

Suddenly I am getting an SSL error message when I try to access a dashDB from an auto-configured Liberty server, from somewhere deep in the DB2 driver. I have verified in the deployed files that the default keystore is auto-configured into the Liberty server.
What is happening here?
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.services.dal.bluemix.net, O=International Business Machines Corporation, L=Armonk, ST=New York, C=US was sent from the target host. The signer might need to be added to local trust store /home/vcap/app/wlp/usr/servers/BluemixServer/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is
[err] java.sql.SQLNonTransientException: [jcc][t4][2030][11211][4.19.49] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: java.security.cert.CertificateException: PKIXCertPathBuilderImpl could not build a valid CertPath.. ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499
[err] at com.ibm.db2.jcc.am.kd.a(Unknown Source)

There was a change to dashDB last Friday which enhanced security requirements for cipher specs of applications accessing dashDB. If your application was working before last week and is not now, you may need to update your cipher.

Please refer to IBM technical report via this link

We can connect to dashDB with one of the following Liberty for Java buildpacks. Please try redeploying your application and make sure that the database URI has :sslConnection=true at the end.
Build packs
buildpack_liberty-for-java_v3.8-20170308-1507.zip (newest)
buildpack_liberty-for-java_v3.4.1-20161030-2241.zip (oldest)

Related

0000004a SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection

I am using Eclipse and have WebSphere installed locally. I got the error below.
00000048 SSLHandshakeE E SSLC0008E: Unable to initialize SSL connection. Unauthorized access was denied or security settings have expired. Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.ibm.jsse2.b.a(b.java:33)
at com.ibm.jsse2.nc.a(nc.java:456)
at com.ibm.jsse2.nc.unwrap(nc.java:373)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:26)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:534)
at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:294)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
My Eclipse is running on 64 bit.
I checked my WebSphere 8.5.0.2, which is 32-bit. Will that cause any issue? I am using Windows 10.
Please let me know how to fix this issue.
Thanks
That often means plaintext is being sent to a secure port.
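The answer above, shown as an added example that is not part of the original thread: a TLS endpoint reports "Unrecognized SSL message, plaintext connection?" when the first bytes it reads do not parse as a TLS record header. The Python sketch below classifies those first bytes; the function name, labels and sample byte strings are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446 record layer)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048  # largest TLS 1.2 ciphertext fragment
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                 b"OPTIONS ", b"CONNECT ", b"HTTP/")

# Constructed samples, not captured from any system on this page
SAMPLE_TLS = bytes.fromhex("16030100c8010000c40303")   # ClientHello record header
SAMPLE_HTTP = b"GET /app HTTP/1.1\r\nHost: localhost\r\n\r\n"
SAMPLE_SSLV2 = bytes.fromhex("802e010301")             # SSLv2-format hello


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes received on a port that expects TLS."""
    if len(data) < 5:
        return "incomplete"
    # Record header: 1-byte type, 2-byte version, 2-byte length (big-endian)
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if ctype in CONTENT_TYPES and major == 3 and minor <= 3 \
            and length <= MAX_RECORD_LEN:
        return "tls-" + CONTENT_TYPES[ctype]
    # SSLv2-format hello: high bit set in the length, message type 1
    if data[0] & 0x80 and data[2] == 1:
        return "sslv2-compatible-hello"
    if data.startswith(HTTP_PREFIXES):
        return "plaintext-http"
    # Printable ASCII (plus tab/CR/LF) suggests some other cleartext protocol
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:16]):
        return "plaintext-other"
    return "not-tls"


if __name__ == "__main__":
    for name, sample in [("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP),
                         ("sslv2", SAMPLE_SSLV2)]:
        print(name, "->", classify_first_bytes(sample))
```

A "plaintext-http" result on a secure port usually points to a client configured with an http:// URL or a non-SSL transport chain aimed at the SSL port.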

How to change IP in PostgreSQL Jira database

I have a server on which I have installed the Jira application. We have now changed the IP schema, and since then I am not able to access Jira. In the catalina.out log I found the error below:
2016-04-18 13:12:55,958 localhost-startStop-1 ERROR [o.o.c.entity.jdbc.DatabaseUtil] Unable to establish a connection with the database... Error was:org.postgresql.util.PSQLException: Connection refused. Check that the hostname and port are correct and that the postmaster is accepting TCP/IP connections.
2016-04-18 13:12:55,959 localhost-startStop-1 ERROR [o.o.c.entity.jdbc.DatabaseUtil] Could not get table name information from the database, aborting.
2016-04-18 13:12:55,982 localhost-startStop-1 ERROR [NoModule] Error getting datasource via DBCP: JdbcDatasourceInfo{uri='jdbc:postgresql://192.168.1.228:5432/jira', driverClassName='org.postgresql.Driver', username='super', password='********', isolationLevel='null', connectionProperties=null, connectionPoolInfo=ConnectionPoolInfo{maxSize=20, minSize=20, initialSize=null, maxIdle=20, maxWait=30000, sleepTime=300000, lifeTime=600000, deadLockMaxWait=600000, deadLockRetryWait=10000, validationQuery=null, minEvictableTimeMillis=null, timeBetweenEvictionRunsMillis=null, poolPreparedStatements=null, testOnBorrow=null, testOnReturn=null, testWhileIdle=null, maxOpenPreparedStatements=null, numTestsPerEvictionRun=null, removeAbandonedTimeout=300, validationQueryTimeout=null, defaultCatalog=null}}
java.lang.RuntimeException: javax.management.InstanceAlreadyExistsException: com.atlassian.jira:name=BasicDataSource
Any idea where and how to change that IP?
I went into the /opt/atlassian/jira/bin folder and ran ./config.sh
There I entered the proper details and then saved the config.
This time the dbconfig.xml file was generated in the /var/atlassian/application-data/jira/ folder.
And my issue was resolved.

Socket error 10053 software caused connection abort

I have an application which receives files from FTP and uploads them to a Mainframe server.
I am getting a "Socket error 10053 software caused connection abort" when I assign
FTPTransfertype = ftASCII
If I change this to FtBinary I do not get this error, but the data is not uploaded properly in this mode.
I am getting this error only on the application server (production server), not on the development server (there I faced this issue only once with the FTPTransfertype = ftASCII assignment).
I have changed the FTP connectivity mode to Passive but it's not working.
Please help me with this.
I recommend looking at the Microsoft Windows Socket Errors page:
https://msdn.microsoft.com/en-us/library/windows/desktop/ms740668(v=vs.85).aspx
In your case:
Software caused connection abort. An established connection was
aborted by the software in your host computer, possibly due to a data
transmission time-out or protocol error.

HSM: Error while opening connection to the HSM

Receiving the CKR_GENERAL_ERROR when the application tries to open a connection to the H/W HSM.
The error in detail is:
50004-Crypto API could not be open.
Caused by: xxx.xxx.xxx.cryptoapi.CryptoApiSysException: Error opening session!!
Caused by: iaik.pkcs.pkcs11.wrapper.PKCS11Exception: CKR_GENERAL_ERROR
at iaik.pkcs.pkcs11.wrapper.PKCS11Implementation.C_Initialize(Native Method) ~[pkcs11Wrapper-1.2.18.jar:1.2.18]
at iaik.pkcs.pkcs11.Module.initialize(Module.java:307) ~[pkcs11Wrapper-1.2.18.jar:1.2.18]
Could anyone please tell what might be the reason for this error? The application works fine with the software HSM.
H/W HSM details:
ProtectToolkit C Key management utility : 4.2.0 (even tried with 4.3.0)
Manufacturer : Eracom
Hardware version : 66.00
Firmware version : 2.02
CKR_GENERAL_ERROR is the general error message thrown by most PKCS#11-compliant APIs. Since you get the error while connecting to the HSM hardware, please make sure you do the following things:
You have successfully done the client (your app) to h/w HSM NTL configuration. Here's a link!
Verify that you have a valid slot number and partition password (PIN) while opening the session and logging in to the HSM.
Also, you can check the HSM logs (usually residing in your HSM client installation directory in your application) to find the exact cause of the problem. You can refer to my previous response on finding luna safenet client logs!

Routing Remote Actors: Peer not authenticated

I am trying to route remote actors following this example:
http://doc.akka.io/docs/akka/snapshot/scala/routing.html#Remotely_Deploying_Routees
Here is the code:
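// Actor system configured from the "remotecreation" section of the application config
val system = ActorSystem("RemoteSystem", ConfigFactory.load.getConfig("remotecreation"))
// Remote nodes that will host the routees (Akka address form: akka://system@host:port)
val addresses = Seq(AddressFromURIString("akka://ActorApplication@172.17.100.224:2552"),
  AddressFromURIString("akka://ActorApplication@172.17.100.232:2552"))
// Round-robin router that deploys 5 routees across those nodes
val worker = system.actorOf(Props[authNetActor.AuthNetActorMain].withRouter(RemoteRouterConfig(RoundRobinRouter(5), addresses)))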
However I am getting an error saying that one of the server ip addresses is not authenticated.
Here is the error (this is from: 172.17.100.224:2552):
[ERROR] [09/20/2012 18:13:02.192] [ActorApplication-akka.actor.default-dispatcher-11 [akka://ActorApplication/remote/RemoteSystem@172.17.100.231:2554/user/$a/c1] peer not authenticated
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:390)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:148)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:149)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:121)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:562)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:820)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:776)
at dispatch.BlockingHttp$class.dispatch$BlockingHttp$$execute(Http.scala:45)
at dispatch.BlockingHttp$$anonfun$execute$1$$anonfun$apply$3.apply(Http.scala:58)
at dispatch.BlockingHttp$$anonfun$execute$1$$anonfun$apply$3.apply(Http.scala:58)
at scala.Option.getOrElse(Option.scala:108)
at dispatch.BlockingHttp$$anonfun$execute$1.apply(Http.scala:58)
at dispatch.Http.pack(Http.scala:25)
at dispatch.BlockingHttp$class.execute(Http.scala:53)
at dispatch.Http.execute(Http.scala:21)
at dispatch.HttpExecutor$class.x(executor.scala:36)
at dispatch.Http.x(Http.scala:21)
at dispatch.HttpExecutor$class.when(executor.scala:50)
at dispatch.Http.when(Http.scala:21)
at dispatch.HttpExecutor$class.apply(executor.scala:60)
at dispatch.Http.apply(Http.scala:21)
at models.AuthorizeNet$.AuthorizeNetDPM(main.scala:187)
at authNetActor.AuthNetActorMain$$anonfun$receive$1.apply(AuthNetActor.scala:68)
at authNetActor.AuthNetActorMain$$anonfun$receive$1.apply(AuthNetActor.scala:12)
at akka.actor.Actor$class.apply(Actor.scala:318)
at authNetActor.AuthNetActorMain.apply(AuthNetActor.scala:9)
at akka.actor.ActorCell.invoke(ActorCell.scala:626)
at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:197)
at akka.dispatch.Mailbox.run(Mailbox.scala:179)
at akka.dispatch.ForkJoinExecutorConfigurator$MailboxExecutionTask.exec(AbstractDispatcher.scala:516)
at akka.jsr166y.ForkJoinTask.doExec(ForkJoinTask.java:259)
at akka.jsr166y.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:975)
at akka.jsr166y.ForkJoinPool.runWorker(ForkJoinPool.java:1479)
at akka.jsr166y.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:104)
The error occurs only for this server, and the difference between them is that the code path is different and they create actor systems on their own local IP addresses. Otherwise the code for these two actor systems is the same.
I'm not sure exactly how to fix this error or why it is thrown for just one server.
Any help is appreciated, thanks.
It seems to be an SSL handshake exception.
Maybe the server involved does not have a valid SSL certificate, or you have not registered the untrusted certificate in the client keystore.