Support Article
Node running on Java 7 is unable to connect to external URL
Summary
A Pega 7.1.5 monitored node running on Java 7 is unable to connect to the Pega Diagnostic Cloud (PDC) external URL.
Error Messages
(.httpclient.HttpMethodDirector)DEBUG - Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
axis2.AxisFault.makeFault(AxisFault.java:430)
axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78)
at priv.util.SOAPAppenderPega.sendEvent(SOAPAppenderPega.java:327)
at priv.util.SOAPAppenderPega._append(SOAPAppenderPega.java:278)
at priv.util.SOAPAppenderPega.append(SOAPAppenderPega.java:155)
at priv.util.SOAPAppenderPega.doAppend(SOAPAppenderPega.java:901)
at log4j.helpers.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:66)
at log4j.AsyncAppender$Dispatcher.run(AsyncAppender.java:578)
at Thread.run(Thread.java:724)
Caused by:Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at BaseStreamWriter._finishDocument(BaseStreamWriter.java:1406)
at BaseStreamWriter.close(BaseStreamWriter.java:247)
at MTOMXMLStreamWriter.close(MTOMXMLStreamWriter.java:222)
at apache.axiom.om.impl.llom.OMSerializableImpl.serializeAndConsume(OMSerializableImpl.java:192)
at axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:74)
javax.net.ssl.SSLException:Connection has been shutdown:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at sun.security.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1476)
at sun.security.ssl.SSLSocketImpl.checkWrite(SSLSocketImpl.java:1488)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:70)
at flushBuffer(BufferedOutputStream.java:82)
at flush(BufferedOutputStream.java:140)
at ChunkedOutputStream.flush(ChunkedOutputStream.java:190)
at UTF8Writer.flush(UTF8Writer.java:103)
at BufferingXmlWriter.flush(BufferingXmlWriter.java:225)
at wstx.sw.BufferingXmlWriter.close(BufferingXmlWriter.java:198)
at wstx.sw.BaseStreamWriter._finishDocument(BaseStreamWriter.java:1404)
HandshakeException: Remote host closed connection during handshake
at ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at sun.security.ssl.InputRecord.read(InputRecord.java:482)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
... 37 more
Steps to Reproduce
- Configure Pega Diagnostic Cloud in an on-premise monitored node using the tenant URL provided
- Inspect the Pega Diagnostic Cloud System Connectivity for the connected systems. The newly defined node does not display
- Enable the SSL debug (-Djavax.net.debug=all) on the monitored node
- Enable the TLS v1.2 support (-Dhttps.protocols=TLSv1.2). SSLHandshakeException occurs in the logs
Root Cause
A defect or configuration issue in the operating environment. SSLHandshakeExceptions are caused by the lack of TLS v1.2 support in the default Java 7 configuration. Pega Diagnostic Cloud allows connections using the TLS 1.2 protocol for security reasons. TLS 1.2 is supported on Java 7 but is not enabled out-of-the-box.
Enabling it with the following arguments alone is insufficient:
-Dhttps.protocols=TLSv1.2 -Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
A TLSv1.2 SSLContext must be explicitly created and assigned as the default context.
Resolution
Upgrade to a Pega version which supports Java 8
Alternatively, perform the following local change:
- Add the below Java System Properties in the JAVA_OPTIONS Environment Variable:
-Dhttps.protocols=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- Create a custom activity with single Java step with the below content:
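    try {
        oLog.infoForced("Creating a \"TLSv1.2\" SSLContext programmatically...");
        // Request a context whose client sockets have TLSv1.2 enabled
        javax.net.ssl.SSLContext context = javax.net.ssl.SSLContext.getInstance("TLSv1.2");
        // null arguments select the JVM's default key managers, trust managers and SecureRandom
        context.init(null, null, null);
        // Assign it as the default context for the JVM
        javax.net.ssl.SSLContext.setDefault(context);
        oLog.infoForced("\"TLSv1.2\" SSLContext successfully created.");
    } catch (Exception e) {
        oLog.fatal("Failed to create \"TLSv1.2\" SSLContext", e);
    }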
- Uncheck the Require authentication to run checkbox on the Activity's Security tab
- Create a custom agent to execute the activity with the Startup pattern, Advanced Execution Mode and a five-second interval in the Agent-Wide settings
- Restart the application server
- Verify the behaviour
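A stand-alone way to check the root cause and the effect of the local change, as an added example that is not Pega's code (the class name DefaultTlsCheck and its method names are hypothetical). It lists the TLS versions the JVM supports next to the ones the default SSLContext actually offers, before and after the same three calls the activity makes:

```java
import javax.net.ssl.SSLContext;
import java.util.Arrays;
import java.util.List;

/** Added example: reports which TLS versions the JVM-wide default SSLContext offers. */
public class DefaultTlsCheck {

    /** Protocols a client socket created from the current default SSLContext will offer. */
    static List<String> defaultClientProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getDefaultSSLParameters().getProtocols());
    }

    /** Protocols the JSSE provider implements, whether or not they are enabled. */
    static List<String> supportedProtocols() throws Exception {
        return Arrays.asList(SSLContext.getDefault().getSupportedSSLParameters().getProtocols());
    }

    /** Same calls as the activity's Java step: build a TLSv1.2 context and make it the default. */
    static void installTls12Default() throws Exception {
        SSLContext context = SSLContext.getInstance("TLSv1.2");
        // null = JVM default key managers, trust managers and SecureRandom
        context.init(null, null, null);
        SSLContext.setDefault(context);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("https.protocols  = " + System.getProperty("https.protocols"));
        System.out.println("supported        = " + supportedProtocols());
        System.out.println("default (before) = " + defaultClientProtocols());

        installTls12Default();
        List<String> after = defaultClientProtocols();
        System.out.println("default (after)  = " + after);

        // Non-zero exit lets a startup script or health check fail loudly
        if (!after.contains("TLSv1.2")) {
            System.err.println("TLSv1.2 is still not offered by the default SSLContext");
            System.exit(1);
        }
    }
}
```

Run it with the same JVM and JAVA_OPTIONS as the monitored node so the "before" line reflects what the node offers without the custom activity.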
Published October 18, 2019 - Updated October 8, 2020