Defects
All communication from Tomcat to IIS fails if Client Certificate Authentication is enabled
ID: D22099
Published: 07 May 2015
Updated: 29 October 2015
Defect Id
DEF268413
Originally Reported Against
SBM 11.0
Also Affects
Service Manager 5.2.1
Resolved In
SBM 11.0
Service Manager 5.2.1
Description
The SBM Tomcat components in 11.0 run on Java 8. Due to known issues in this version, if client certificate authentication is enabled between components in SBM, all communication from Tomcat to IIS fails. Also, if SSO is used, users cannot log in to SBM when client certificate authentication is enabled. In addition, the following errors appear:
- In the System event log, the following error appears: "The following fatal alert was generated: 20. The internal error state is 960."
- In Application Repository, a login error (Invalid user ID or password) appears when users attempt to access the repository.
- In the sso-idp.log file, a connection reset error appears:
  IssueRequestHandler.processRequest(136): Error acquiring security token: Error authenticating user "aaaa": Web Services "https://serverName:443/gsoap/gsoap_ssl.dll?sbminternalservices72" returned an error: "java.net.SocketException: Connection reset"
Resolution
If client certificate authentication was enabled before the upgrade, you must disable it after the upgrade to SBM 11.0 is finished. Alternatively, you can leave client certificate authentication enabled, but disable TLSv1.2 and TLSv1.1 by performing the following steps:
1. On each Tomcat server, navigate to the following file:
installDirectory\Serena\SBM\Common\Tomcat 7.0\bin\common_config.bat
2. Uncomment the "rem call :set_java_opts jdk.tls.client.protocols TLSv1" line.
3. Run the update_tomcat_config.bat file in the same directory.
4. On each IIS server, navigate to the following file:
installDirectory\Serena\SBM\Application Engine\alfssojavabridge\javabridge_config.xml
5. After the line with the following text: "<JVMArgument>-Xrs</JVMArgument>", add a line with the following content:
"<JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>"
6. Restart the SBM services.
Note: This issue has not been observed on Windows Server 2012 and higher.
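
The following PowerShell check is an added example, not part of the original article or the vendor's tooling. It confirms that the edits from steps 2 and 5 are present in the contents of the two files; the function names are hypothetical and the sample lines are constructed.

```powershell
# Added example. Function names and sample lines are constructed for illustration.

function Test-TomcatTlsWorkaround {
    param([string[]]$Lines)
    # Step 2: the call must be present without the leading "rem".
    # Anchoring TLSv1 at the end of the line rejects values such as TLSv1.2.
    $pattern = '^\s*call\s+:set_java_opts\s+jdk\.tls\.client\.protocols\s+TLSv1\s*$'
    return [bool]($Lines | Where-Object { $_ -match $pattern })
}

function Test-JavaBridgeTlsWorkaround {
    param([string[]]$Lines)
    # Step 5: the TLSv1 argument must appear on a line after the -Xrs argument.
    $seenXrs = $false
    foreach ($line in $Lines) {
        if ($line -like '*<JVMArgument>-Xrs</JVMArgument>*') { $seenXrs = $true; continue }
        if ($seenXrs -and $line -like '*<JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>*') {
            return $true
        }
    }
    return $false
}

# Constructed sample contents (the real files contain many more lines).
$batCommented = @('rem call :set_java_opts jdk.tls.client.protocols TLSv1')
$batApplied   = @('call :set_java_opts jdk.tls.client.protocols TLSv1')
$xmlOriginal  = @('<JVMArgument>-Xrs</JVMArgument>')
$xmlApplied   = @('<JVMArgument>-Xrs</JVMArgument>',
                  '<JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>')

@(
    [pscustomobject]@{ Input = 'common_config.bat, line still commented'; Applied = Test-TomcatTlsWorkaround $batCommented }
    [pscustomobject]@{ Input = 'common_config.bat, line uncommented';     Applied = Test-TomcatTlsWorkaround $batApplied }
    [pscustomobject]@{ Input = 'javabridge_config.xml, original';         Applied = Test-JavaBridgeTlsWorkaround $xmlOriginal }
    [pscustomobject]@{ Input = 'javabridge_config.xml, argument added';   Applied = Test-JavaBridgeTlsWorkaround $xmlApplied }
) | Format-Table -AutoSize

# On a server, pass the real file contents instead, for example:
#   Test-TomcatTlsWorkaround (Get-Content 'installDirectory\Serena\SBM\Common\Tomcat 7.0\bin\common_config.bat')
```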