Support Article
SSLException when SSLv3 disabled and Hazelcast encryption enabled
SA-67911
Summary
An exception is generated in the PegaCluster logs when using the java.security file that disables SSLv3 algorithms.
Error Messages
[IP]:5702 [109a7bbb64db3511382d30f3b02e286a] [3.10] Connection[id=6, /IP:5702->/IP:34676, endpoint=null, alive=false, type=NONE] closed. Reason: Exception in Connection[id=6, /IP:5702->/IP:34676, endpoint=null, alive=true, type=NONE], thread=hz._hzInstance_1_109a7bbb64db3511382d30f3b02e286a.IO.thread-in-2
javax.net.ssl.SSLException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1639) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1607) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1776) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1068) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890) ~[?:1.7.0_141]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764) ~[?:1.7.0_141]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[?:1.7.0_141]
    at com.hazelcast.nio.ssl.SSLChannel.unwrap(SSLChannel.java:265) ~[hazelcast-enterprise-3.10_1.jar:3.10]
    at com.hazelcast.nio.ssl.SSLChannel.handshake(SSLChannel.java:96) ~[hazelcast-enterprise-3.10_1.jar:3.10]
    at com.hazelcast.nio.ssl.SSLChannel.read(SSLChannel.java:183) ~[hazelcast-enterprise-3.10_1.jar:3.10]
    at com.hazelcast.nio.tcp.MemberChannelInitializer.inboundProtocol(MemberChannelInitializer.java:103) ~[hazelcast-enterprise-3.10_1.jar:3.10]
    at com.hazelcast.nio.tcp.MemberChannelInitializer.initInbound(MemberChannelInitializer.java:75) ~[hazelcast-enterprise-3.10_1.jar:3.10]
    at com.hazelcast.internal.networking.nio.NioInboundPipeline.init(NioInboundPipeline.java:145) ~[hazelcast-enterprise-3.10_2.jar:3.10]
    at com.hazelcast.internal.networking.nio.NioInboundPipeline.process(NioInboundPipeline.java:125) ~[hazelcast-enterprise-3.10_2.jar:3.10]
    at com.hazelcast.internal.networking.nio.NioThread.handleSelectionKey(NioThread.java:383) [hazelcast-enterprise-3.10_2.jar:3.10]
    at com.hazelcast.internal.networking.nio.NioThread.handleSelectionKeys(NioThread.java:368) [hazelcast-enterprise-3.10_2.jar:3.10]
Steps to Reproduce
- Start a JVM with Hazelcast encryption enabled.
- Run the following command to connect:
openssl s_client -showcerts -connect IP:5702 -tls1 -debug
Root Cause
The Pega engine requires an explicit instruction to use TLS.
Resolution
Perform the following local change:
- Add the following setting to prconfig.xml on the Pega nodes that are involved in the handshake.
<env name="cluster/encryption/protocol" value="TLS" />
- Restart the nodes.
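A pre-restart check for the state described above (SSLv3 disabled in java.security while prconfig.xml lacks the TLS setting), as an added example that is not Pega or Hazelcast code. It assumes SSLv3 is disabled through the standard jdk.tls.disabledAlgorithms property and that the env element is written with name before value, as shown in the Resolution; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag nodes where SSLv3 is disabled in java.security but
# prconfig.xml does not set cluster/encryption/protocol to TLS.

# Print jdk.tls.disabledAlgorithms from a java.security file, joining "\" continuations.
disabled_algs() {
  awk '
    buf == "" && /^[ \t]*#/ { next }
    { line = buf $0; buf = "" }
    line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }
    line ~ /^[ \t]*jdk\.tls\.disabledAlgorithms[ \t]*=/ {
      sub(/^[^=]*=[ \t]*/, "", line); val = line }
    END { print val }' "$1"
}

# Succeed when SSLv3 is one of the comma-separated disabled entries.
sslv3_disabled() {
  disabled_algs "$1" | tr ',' '\n' |
    sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qix 'SSLv3'
}

# Print the value of the cluster/encryption/protocol setting in prconfig.xml, if any.
cluster_protocol() {
  sed -n 's/.*<env[[:space:]]\{1,\}name="cluster\/encryption\/protocol"[[:space:]]\{1,\}value="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# $1 = java.security, $2 = prconfig.xml. Returns 1 for the state in this article.
audit_node() {
  proto=$(cluster_protocol "$2")
  if sslv3_disabled "$1" && [ "$proto" != "TLS" ]; then
    echo "MISMATCH: SSLv3 disabled, cluster/encryption/protocol='${proto:-unset}'"
    return 1
  fi
  echo "OK: cluster/encryption/protocol='${proto:-unset}'"
}

# Constructed sample files (not from a real node), so the check runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf '%s\n' '# constructed sample' 'jdk.tls.disabledAlgorithms=SSLv3, RC4, \' \
  '    DH keySize < 1024' > "$demo/java.security"
printf '%s\n' '<pegarules>' '</pegarules>' > "$demo/prconfig-before.xml"
printf '%s\n' '<pegarules>' '  <env name="cluster/encryption/protocol" value="TLS" />' \
  '</pegarules>' > "$demo/prconfig-after.xml"
audit_node "$demo/java.security" "$demo/prconfig-before.xml" || true
audit_node "$demo/java.security" "$demo/prconfig-after.xml"
```

Run it against each node's own java.security and prconfig.xml by calling audit_node with those two paths; a non-zero return marks a node that still needs the setting.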
Published November 29, 2018 - Updated October 8, 2020