Release Automation

  • 1.  Access URL : handshake_failure issue

    Posted Sep 21, 2016 04:45 AM

    I have the following issue when I use an Access URL action: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

     

    I have made the following tests:

     

    Web site A and B are using a server certificate coming from the same CA
    The CA Root certificate is registered in cacerts on Agent X
    The CA Root certificate is not registered on agent Y

     

    Access URL web site A
    From Agent X: OK
    From Agent Y: Cannot complete operation: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

     

    Access URL web site B
    From Agent X: Cannot complete operation: Received fatal alert: handshake_failure
    From Agent Y: Cannot complete operation: Received fatal alert: handshake_failure

     

    Test with curl on website A
    curl --cacert ca_root_certificate.pem web_site_A_URL
    OK

     

    Test with curl on web site B
    curl --cacert ca_root_certificate.pem web_site_B_URL
    OK

     

    So, we can see that Access URL for web site A is OK if the root CA is in the agent truststore, but it doesn't work for web site B.

    However, it works with curl, so I suspect the issue is on the agent side.

     

    What could be the root cause? How to troubleshoot this issue? (I don't have access to the web site A or B servers.)



  • 2.  Re: Access URL : handshake_failure issue

    Broadcom Employee
    Posted Sep 21, 2016 04:55 AM

    Hi,

    The first error you mentioned is occurring because the path it took on Agent B to find the truststore doesn't have the certificates.

     

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

     

    The other two look straightforward: they don't have the certificate for site B, resulting in a handshake failure.

     

    Can you provide some more information, like what OS the Agents are running on? Also, you can enable SSL debugging by following the instructions at the link Enable java SSL(all) debugging - (RA/tomcat).

     

    Also, I wanted to ask whether you are running the Agent on SSL or non-SSL. You can look at the nimi_config.xml file on the Agent and search for <trust_store>; it will point you to the truststore the agents are using, and your certs from sites A and B should be part of it.

     

    Regards,

    Saurabh



  • 3.  Re: Access URL : handshake_failure issue

    Posted Sep 21, 2016 05:13 AM

    Hi Saurabh,

     

    Thanks for your fast answer.

     

    The agents X and Y are Windows 2008 R2 and are running non-SSL.

     

    The cert is the same for site A and B, and it is part of the <Agent X>/jre/lib/security/cacerts truststore. It works fine for site A, but not for site B.

    I don't understand why you mention the truststore defined in nimi_config.xml; I thought this truststore was used for agent/NES communication if SSL is enabled, but not for communication between the agent and the Access URL action targets.



  • 4.  Re: Access URL : handshake_failure issue

    Broadcom Employee
    Posted Sep 21, 2016 05:24 AM

    Hi Stephane,

     The agent will search a hierarchy of truststores before making a secure connection. I don't remember the correct order, but it will try to find the certificate in both places (if it is not found in the first place, it searches the other).

     

    I just made the suggestion because, in one of my past experiences, I have seen a case where the cert was part of cacerts but the file being traversed to look for the certificate was still nolio.jks under the conf folder. So I recommended the same.

     

    However, if you still want to be very sure, enable debug for SSL and it will show us the exact truststore being searched.

     

    If you still want to root-cause it, I would prefer that you open a support case with logs from the agent after enabling SSL debug. Also share with us, if possible, the truststore of the agents or a listing of the certs: "keytool -list -v -keystore /jre/lib/security/cacerts > agentcert.txt".

     

    Thanks,



  • 5.  Re: Access URL : handshake_failure issue

    Broadcom Employee
    Posted Sep 21, 2016 08:53 AM

    I had to restart the agent for it to stop getting the "unable to find valid certification" message after importing the certificate into jre/lib/security/cacerts. If you still get the message then, in addition to what Saurabh has offered, you might want to verify that:

    a. you have restarted the agent; and

    b. the owner of the agent process has permissions to the truststore you've imported the certificate to (in this case jre/lib/security/cacerts).



  • 6.  Re: Access URL : handshake_failure issue

    Broadcom Employee
    Posted Sep 21, 2016 09:55 AM

    Hi Stephane,

     

    There are a few other possibilities why this could fail.

    With the curl command you are saying that the cert to trust is this specific root certificate.

    The agent needs to find this in the truststore or in the default Java cacerts store, and it needs to follow the whole chain.

     

    Are these certificates issued by an intermediate CA or by the root CA itself?

    If an intermediate CA is used, you need to load this too into the cacerts store beside the root CA certificate. Also, the web server needs to be able to provide both the root CA and the intermediate CA.

     

    The SSL debug should show the handshake and give some clue as to what goes wrong.

     

    regards

    Dirk



  • 7.  Re: Access URL : handshake_failure issue
    Best Answer

    Posted Sep 21, 2016 10:49 AM

    After a deep investigation with the Wireshark tool, I finally found that the cipher suites used by the CA RA agent were not accepted by the server. This server only accepts 258-bit ciphers, whereas the CA RA agent has only 128-bit cipher suites.

     

    So, I downloaded the latest JCE (Java Cryptography Extension) for JRE 7 and replaced the files local_policy.jar and US_export_policy.jar in <agent root folder>/jre/lib/security.

     

    And now, it works like a charm.
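    The thread's two error messages point at two different checks. "PKIX path building failed" (posts 2 to 6) means the JVM found no trust anchor for the server's chain in whichever truststore it loaded; handshake_failure from a server whose CA is already trusted (post 7) means the server rejected every cipher suite in the agent's ClientHello, which on a JRE 7 with the default JCE policy contains no AES-256 suites. The diagnostic below is an added example and is not code from the original thread or from the Release Automation product. Run it with the agent's own JRE so it reports on that JRE's policy and truststore; the subject-DN fragment argument and the stock cacerts password "changeit" are assumptions.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.Cipher;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Run with the JRE the agent uses, e.g.
 *   <agent root>/jre/bin/java TlsAgentDiag "Example Root CA"
 * The optional argument is a fragment of the CA subject DN to look for (assumed name).
 */
public class TlsAgentDiag {

    /** Maximum AES key length the JCE policy permits: 128 under the default JRE 7
     *  policy, Integer.MAX_VALUE once the unlimited-strength policy jars are installed. */
    static int maxAesKeyLength() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** Cipher suites this JVM would actually offer in its ClientHello (policy applied). */
    static String[] offeredCipherSuites() throws Exception {
        SSLSocketFactory f = SSLContext.getDefault().getSocketFactory();
        return f.getDefaultCipherSuites();
    }

    /** True if at least one offered suite uses a 256-bit AES key. A server that only
     *  accepts such suites answers a ClientHello without them with handshake_failure. */
    static boolean offersAes256(String[] suites) {
        for (String s : suites) {
            if (s.contains("_AES_256_")) {
                return true;
            }
        }
        return false;
    }

    /** The truststore the JVM consults: javax.net.ssl.trustStore if set,
     *  otherwise <java.home>/lib/security/cacerts. */
    static File defaultTrustStore() {
        String p = System.getProperty("javax.net.ssl.trustStore");
        if (p != null) {
            return new File(p);
        }
        return new File(System.getProperty("java.home"), "lib/security/cacerts");
    }

    /** Subject DNs of trust anchors whose subject contains the fragment. No match for
     *  the CA that signed the server certificate explains "PKIX path building failed";
     *  it does not explain handshake_failure. */
    static List<String> matchingTrustAnchors(File store, char[] password, String fragment) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(store);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        List<String> hits = new ArrayList<String>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            Certificate c = ks.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                String dn = ((X509Certificate) c).getSubjectX500Principal().getName();
                if (dn.contains(fragment)) {
                    hits.add(dn);
                }
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        String fragment = args.length > 0 ? args[0] : "";
        int max = maxAesKeyLength();
        System.out.println("Max AES key length allowed by JCE policy: "
                + (max == Integer.MAX_VALUE ? "unlimited" : String.valueOf(max)));
        String[] suites = offeredCipherSuites();
        System.out.println("Cipher suites offered: " + suites.length
                + (offersAes256(suites) ? " (AES-256 suites present)"
                   : " (no AES-256 suites: expect handshake_failure from servers that require them)"));
        File store = defaultTrustStore();
        // "changeit" is the stock password of the JRE cacerts file (assumption: the agent did not change it).
        List<String> anchors = matchingTrustAnchors(store, "changeit".toCharArray(), fragment);
        System.out.println("Truststore " + store + ": " + anchors.size() + " anchor(s) matching \"" + fragment + "\"");
        for (String dn : anchors) {
            System.out.println("  " + dn);
        }
    }
}
```

    Running it with -Djavax.net.debug=ssl:handshake additionally prints which truststore the JVM loaded and the full cipher suite list of the ClientHello, which is the same evidence the Wireshark capture gave. Replacing the policy jars as in the best answer applies to JRE 7 and early JRE 8; from Java 8u161 the unlimited policy is the default and is controlled by the crypto.policy security property instead.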



  • 8.  Re: Access URL : handshake_failure issue

    Broadcom Employee
    Posted Sep 21, 2016 11:06 AM

    Thanks for sharing the valuable information, Stephane.