SSL and TLS not working after upgrade to 9.64

Hi,

We have a couple of webservice integrations with other systems that open incidents and change records in Service Manager via SOAP or REST calls. They have worked well for years and we are using SSL.

Recently we upgraded from SM 9.51 to 9.64 and two of the webservice integrations stopped working. The container logs don't write anything at all when the remote systems try to connect to SM. I really mean that there are zero lines in the container log files, which is a bit odd.

If we switch to HTTP the integrations start working.

So do you know what has changed between version 9.51 and 9.64 with regard to SSL or TLS?
I haven't found anything in the release notes for the versions in between.

Has anyone had this problem?

 

  • Best guess is that you have not regenerated your security certificate for upgrade from 9.51 to 9.64.

    Reason for the guess is that I had a customer that patched from 9.52 to 9.52P5 and SSL broke. We regenerated the certs and it worked. The root cause was missing documentation. In 9.51P1, the certificate security algorithm strength was increased but this info was not included in the 9.52P2 to 9.52P5 online help. The online help has now been corrected to include the change in security algorithm from P1.

    https://softwaresupport.softwaregrp.com/doc/KM02903724?fileName=SM952_P1_ReleaseNotes.pdf

    "Weak" Java certificates no longer accepted
    The Service Manager server no longer accepts Java certificates that are generated by using certain
    "weak" algorithms. If you used these algorithms to generate your Java certificates, you must now
    regenerate them by using a more complex algorithm, such as RSA.

    Perhaps you are still using an old weak security algorithm from 9.51, which is rejected by SM from 9.51P1 onwards.

  • Hi Jas1

    The web client (web tier) is working fine, using SSL/TSO towards the SM application server. I guess that means we can rule out weak Java certificates as the root cause?

    It is just two webservice integrations that have stopped working.

  • If you can use HTTPS to login to your server from the web client, you can definitely rule out weak java cert as the root cause.
    Normally, when HTTP works but HTTPS fails, it is usually caused by the certificates.

    You may need to retest your REST calls via a tool like POSTMAN or others to see if you get any errors from SM when you try to run them. Maybe 9.64 has different SOAP and REST requirements from 9.51, and tools like POSTMAN may show the errors/requirements that are stopping the REST calls from being processed.

    I can't find anything in the release notes either but I do recall seeing a few posts of folks trying to get REST to work.

  • Verified Answer

    We have found the root cause to the problem.

    We did a trace with Wireshark while the remote system was trying to connect to Service Manager. The output from the Wireshark:

     

    Since TLS 1.0 is not supported in Service Manager from version 9.52, the remote system cannot connect to Service Manager. The remote system is a .NET application using .NET Framework 4.5.2. The supported versions in .NET are:

    .NET Framework 4.5 and 4.5.1: SSLv3 and TLSv1
    .NET Framework 4.5.2: SSLv3, TLSv1, and TLSv1.1
    .NET Framework 4.6 and higher: TLSv1, TLSv1.1, and TLS1.2

    So the solution was to upgrade the version of .NET Framework in the remote system.

  • Well done, Bjørn!

    I considered TLS but according to https://docs.microfocus.com/itom/Service_Manager:9.64/TLS12SupportConfig, TLS 1.2 was supported from 9.41 and you were already on 9.51 before upgrading, so I ruled that out.

  • (I tried to post a jpg of the Wireshark trace in my solution above but the function for attaching images is a bit cumbersome: the preview looks OK but when posting I get an error message about "wrong HTML element" or something like that. Tried with .jpg and .png - but I think readers understand the post anyway)
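
Added example, not part of the original thread: a Python parser that reads the highest protocol version out of a TLS ClientHello, the field a Wireshark trace like the one in the verified answer exposes, and compares it with a server floor. The ClientHello bytes are constructed by `sample_client_hello`, and the default floor of TLS 1.1 (anything above the TLS 1.0 the answer says is refused) is an assumption, as are all function names.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def max_offered_version(record: bytes) -> int:
    """Highest protocol version offered by one TLS ClientHello record."""
    try:
        ctype, _rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
        # _rec_ver is ignored: clients often send 0x0301 here even for TLS 1.2.
        if ctype != 0x16 or len(record) < 5 + rec_len or record[5] != 0x01:
            raise ValueError("not a complete ClientHello record")
        pos = 9                                    # record (5) + handshake (4) headers
        best = struct.unpack_from("!H", record, pos)[0]      # client_version
        pos += 2 + 32                              # version + random
        pos += 1 + record[pos]                     # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                     # compression_methods
        if pos == len(record):                     # old clients: no extensions
            return best
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4:pos + 4 + ext_len]
            if ext_type == 0x002B and body:        # supported_versions
                listed = struct.unpack("!%dH" % (body[0] // 2), body[1:1 + body[0]])
                known = [v for v in listed if v in NAMES]    # drop GREASE values
                best = max(known, default=best)
            pos += 4 + ext_len
        return best
    except (struct.error, IndexError):
        raise ValueError("truncated or malformed ClientHello") from None

def meets_floor(record: bytes, floor: int = 0x0302) -> bool:
    """floor is an assumption: the lowest version the server still accepts."""
    return max_offered_version(record) >= floor

def sample_client_hello(version: int, supported=()) -> bytes:
    """Constructed ClientHello for the demo (not a capture from the thread)."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", 0x002B, len(lst) + 1, len(lst)) + lst
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!HH", 2, 0x002F) + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, 0x0301, len(hs)) + hs
```

A client that fails `meets_floor` is turned away during the handshake, before any HTTP request exists, which is consistent with the empty container logs described in the question.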