Welcome Serena Central users! CLICK HERE
The migration of the Serena Central community is currently underway. Be sure to read THIS MESSAGE to get your new login set up to access your account.
folender Super Contributor.
Super Contributor.
1103 views

[....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue (server.log)

Hi!
Everytime i run the command "/etc/init.d/arcsight_services status manager" the following WARNING shows in "server.log":

[WARN ][default.com.arcsight.server.Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue. Check remote client: Socket Closed: 1ab27cfc[SSL_NULL_WITH_NULL_NULL: Socket[addr=/WWW.XXX.YYY.ZZZ,port=47603,localport=8443]], FRAME: [SeededJsseListener-12825]org.mortbay.http.SocketListener.handleConnection(SocketListener.java:157)

WWW.XXX.YYY.ZZZ = HP ArcSight ESM private IP.

Is there a problem with the HP ArcSight SSL certificate? (Its Self-Signed) 

Manager details: ESM 6.9.1 Patch1 in a VM (Red Hat Enterprise Linux Server release 6.7) with 32 CPUs, 125 GBs. RAM (49 GBs. Manager Heap Size) and plenty free space in every partition.

Regards,
Fabian

 

Labels (1)
0 Likes
8 Replies
angelo.cappelli Super Contributor.
Super Contributor.

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue (server.log)

Sounds like a problem with your ESM SSL cert.

0 Likes
Outstanding Contributor.. douglas.baker@h1 Outstanding Contributor..
Outstanding Contributor..

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue (server.log)

Historically I have seen this as a Connector registration issue. If via Console you can identify a Connector that isn't in 'running' state you may have found it, and you need to go through Destination re-regisration on that Connector to the ESM. It could also be 'something' else trying to connect to TCP:8443 (your ESM 'listening' port) and you will have to try and identify the source IP and track that down.

 

0 Likes
folender Super Contributor.
Super Contributor.

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue (server.log)

Hi Douglas!
All my connectors are up and running and what really seems strange and have my attention about this ERROR is that it appears only when i run the command:
/etc/init.d/arcsight_services status manager
So its a "local" error and something about checking the status of the manager produce this error.
Has anybody seen this error when running the command? 

I think im getting to something: 

[WARN ][default.com.arcsight.server.Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue. Check remote client: Socket Closed: 55d91ce7[SSL_NULL_WITH_NULL_NULL: Socket[addr=/172.16.3.33,port=55582,localport=8443]], FRAME: [SeededJsseListener-528]org.mortbay.http.SocketListener.handleConnection(SocketListener.java:157)

"SSL_NULL_WITH_NULL_NULL" seems to be an invalid cipher suit for an SSL Handshake, but as mentioned in a topic in stackoverflow it may not be an actual problem in the application using Jetty (HP ArcSight ESM) but a problem in how Jetty start the SSL connection and logs the result.
It may not be very important, but If this is happening to other people probably HP ArcSight developers might do something in future releases.

PD: The certificate is valid until 2022.

Regards,
Fabian

 

0 Likes
Outstanding Contributor.. douglas.baker@h1 Outstanding Contributor..
Outstanding Contributor..

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake issue (server.log)

As you suspect that servcies command should return something, hopefully something like;

Build versions:
        esm:6.9.1.2310.2(BE2310)
        storage:6.9.1.1863.2(BL1863)
        process management:6.9.1-2022
        installer:6.9.1-2022

manager service is available

 

Since the services is part of the installation unless you manually removed a cipher suite and the one services needs then I won't guess and maybe time for a Support ticket.

 

0 Likes
Highlighted
Trusted Contributor.. thebeno1 Trusted Contributor..
Trusted Contributor..

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake i

Hi folender,

I have the same issue with ESM V6.11

did you find some solution?

 

I see the same in ESM server.log when I tryed

telnet localhost:8443

I thing the status program is doing something similar which generate this error

It will be good if status will using openssl for testing ssl connection

peter

0 Likes
folender Super Contributor.
Super Contributor.

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake i

Hi!
I've updated the ESM to 6.11.0 Patch1 and i'm still seeing this WARN.
I also recive the error when connecting with "# telnet 127.0.0.1 8443".

I'm going to open a support ticket with HP soon about this.

Regards,
Fabian

0 Likes
Knowledge Partner
Knowledge Partner

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake i

Hi @folender

did you get any solution for the issue?

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
0 Likes
folender Super Contributor.
Super Contributor.

Re: [....Jetty311ServletContainer$Log4JLogSink] MESSAGE:Possible SSL handshake i

Hello!
I have a cron task running "# /etc/init.d/arcsight_services" every few minutes and that was the reason i was receving this meessage frequently in the ESM logs.

HP told me that it was an expected message and i should ignore it; so i did (and still do) that.

Regards,
Fabian Olender

The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.