Defects

All communication from Tomcat to IIS fails if Client Certificate Authentication is enabled



ID:    D22099
Published:    07 May 2015
Updated:    29 October 2015
 

Defect Id

DEF268413

Originally Reported Against

SBM 11.0

Also Affects

Service Manager 5.2.1

Resolved In

SBM 11.0
Service Manager 5.2.1

Description

The SBM Tomcat components in 11.0 run on Java 8. Due to known issues in this version, if client certificate authentication is enabled between components in SBM, all communication from Tomcat to IIS fails. Also, if SSO is used, users cannot log in to SBM when client certificate authentication is enabled. In addition, the following errors appear:

  • In the System event log, the following error appears: The following fatal alert was generated: 20. The internal error state is 960.
  • In Application Repository, a login error (Invalid user ID or password) appears when users attempt to access the repository.
  • In the sso-idp.log file, a connection reset error appears: 
    • IssueRequestHandler.processRequest(136): Error acquiring security token: Error authenticating user "aaaa": Web Services "https://serverName:443/gsoap/gsoap_ssl.dll?sbminternalservices72" returned an error: "java.net.SocketException: Connection reset"

Once these defects (described here and here) are addressed, Serena will update the JDK that is included with SBM.

Resolution

If you have client certificate authentication enabled prior to the upgrade, you must disable it after the upgrade to SBM 11.0 is finished. Alternatively, you can leave client certificate authentication enabled, but disable TLSv1.2 and TLSv1.1 by performing the following steps:

1. On each Tomcat server, navigate to the following file:
installDirectory\Serena\SBM\Common\Tomcat 7.0\bin\common_config.bat
2. Uncomment the "rem call :set_java_opts jdk.tls.client.protocols TLSv1" line.
3. Run the update_tomcat_config.bat file in the same directory.
4. On each IIS server, navigate to the following file:
installDirectory\Serena\SBM\Application Engine\alfssojavabridge\javabridge_config.xml
5. After the line with the following text: "<JVMArgument>-Xrs</JVMArgument>", add a line with the following content:
<JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>
6. Restart the SBM services.

Note: This issue has not been observed on Windows Server 2012 and higher.
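
An added check, not part of the original article or Serena's tooling: the PowerShell functions below report whether the edits from steps 2 and 5 are present in a file's lines, which helps inventory the servers that carry the TLSv1 pin. The function names and sample lines are constructed for illustration; only the two setting strings come from the steps above.

```powershell
# Added example (not Serena code). Function names are hypothetical.
# Reports whether the TLSv1 pin from steps 2 and 5 is present in a file's lines.

function Test-TomcatTlsPin {
    param([string[]]$Lines)
    # Match the set_java_opts line whether or not it is still commented out.
    # The trailing \s*$ keeps TLSv1.1 / TLSv1.2 values from matching.
    $hits = @($Lines | Where-Object {
        $_ -match 'call\s+:set_java_opts\s+jdk\.tls\.client\.protocols\s+TLSv1\s*$' })
    if ($hits.Count -eq 0) { return 'missing' }
    # Applied only when at least one matching line does not start with "rem".
    if (@($hits | Where-Object { $_ -notmatch '^\s*rem\b' }).Count -gt 0) { return 'applied' }
    return 'commented-out'
}

function Test-JavaBridgeTlsPin {
    param([string[]]$Lines)
    $xrs = '<JVMArgument>-Xrs</JVMArgument>'
    $pin = '<JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>'
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i].Trim() -eq $pin) {
            # Step 5 places the new argument directly after the -Xrs line.
            if ($i -gt 0 -and $Lines[$i - 1].Trim() -eq $xrs) { return 'applied' }
            return 'misplaced'
        }
    }
    return 'missing'
}

# Constructed sample lines (not copied from a real installation).
$batBefore = @('rem call :set_java_opts jdk.tls.client.protocols TLSv1')
$batAfter  = @('call :set_java_opts jdk.tls.client.protocols TLSv1')
$xmlAfter  = @('  <JVMArgument>-Xrs</JVMArgument>',
               '  <JVMArgument>-Djdk.tls.client.protocols=TLSv1</JVMArgument>')

Test-TomcatTlsPin     -Lines $batBefore
Test-TomcatTlsPin     -Lines $batAfter
Test-JavaBridgeTlsPin -Lines $xmlAfter
Test-JavaBridgeTlsPin -Lines @($xmlAfter[0])

# On a server, pass the real file contents (installDirectory is the article's placeholder):
#   Test-TomcatTlsPin -Lines (Get-Content "<installDirectory>\Serena\SBM\Common\Tomcat 7.0\bin\common_config.bat")
```

The check reads file contents only; it does not confirm that update_tomcat_config.bat was run or that the SBM services were restarted (steps 3 and 6).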
