This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Unable to establish SSL connection for Pega IAC

SA-19355

Summary



A PRPC node is being configured in the prgateway servlet. The user provides a secured (SSL) connection to a load balancer, which redirects to the PRPC server.
An "invalid certificate error" is thrown.
When the URL of the PRPC server is used instead of the load balancer, no error is thrown.

 


Error Messages



No error message is given, but an invalid certificate error is thrown.


Steps to Reproduce



Configure a node in the prgateway servlet to connect to a load balancer with SSL.


Root Cause



This is an SSL interoperability issue between the client (the JVM) and the server (the load balancer).
After debugging the SSL error, we found that the server returned the message "Unrecognized name". This is linked to a new SSL feature called SNI (Server Name Indication). This feature helps manage certificates on servers.
Starting with Oracle JVM version 7, client JVMs have this feature turned on and send a hostname to the server (the load balancer in this case).
The load balancer did not recognize the name provided and returned the message, and the client (the JVM) then threw the error.

Note: Some users ignore this "". The Oracle JVM version 7 does not. See Oracle defect "JDK-7127374" resolved as "not an issue".
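To confirm this root cause from a packet capture before changing JVM or load balancer settings, the following added example (not part of the original article and not Pega code) extracts the SNI host name from a ClientHello record and decodes the server's alert record. The host name lb.example.test, the helper names and the sample bytes are constructed for illustration.

```python
from struct import pack, unpack, error as StructError

UNRECOGNIZED_NAME = 112  # TLS alert description code defined in RFC 6066

def parse_alert(record: bytes):
    """Return (level, description) of a plaintext TLS alert record, else None."""
    if len(record) == 7 and record[0] == 0x15 and record[3:5] == b"\x00\x02":
        return {1: "warning", 2: "fatal"}.get(record[5], "unknown"), record[6]
    return None

def client_hello_sni(record: bytes):
    """Return the host_name a ClientHello record carries in SNI, else None."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]               # session_id
        pos += 2 + unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + record[pos]               # compression_methods
        pos, end = pos + 2, pos + 2 + unpack("!H", record[pos:pos + 2])[0]
        while pos + 4 <= end:                # walk the extension list
            ext_type, ext_len = unpack("!HH", record[pos:pos + 4])
            pos += 4
            if ext_type == 0 and record[pos + 2] == 0:    # server_name / host_name
                n = unpack("!H", record[pos + 3:pos + 5])[0]
                return record[pos + 5:pos + 5 + n].decode("ascii")
            pos += ext_len
    except (IndexError, StructError, UnicodeDecodeError):
        pass                                 # truncated or malformed record
    return None

def diagnose(client_hello: bytes, server_reply: bytes) -> str:
    sni, alert = client_hello_sni(client_hello), parse_alert(server_reply)
    if alert and alert[1] == UNRECOGNIZED_NAME:
        return f"{alert[0]} unrecognized_name for SNI host {sni!r}"
    return "no unrecognized_name alert"

def build_client_hello(host):
    """Constructed sample: minimal ClientHello; host=None omits the SNI extension."""
    ext = b""
    if host is not None:
        name = host.encode("ascii")
        ext = pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00" + pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + pack("!H", len(hs)) + hs

if __name__ == "__main__":  # constructed capture: ClientHello plus a warning-level alert
    print(diagnose(build_client_hello("lb.example.test"), bytes([0x15, 3, 3, 0, 2, 1, 112])))
```

The host name reported here is the one the load balancer must be configured to recognize if SNI is to stay enabled on the client.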



Resolution



This is not a PRPC issue and is entirely environmental.

There are several ways to address this:
- Use Oracle JVM 6 or below, as it does not use the SNI feature. However, it is preferable not to downgrade the JVM and to look for another solution.
- Disable SNI on the client JVM by adding the following parameter to your JVM:
  -Djsse.enableSNIExtension=false
- Configure the SNI feature on the server (the load balancer in this case).

 
Published February 9, 2016 - Updated October 8, 2020
