Highlighted
Super Contributor.. Super Contributor..
Super Contributor..
162 views

SSL and TLS not working after upgrade to 9.64

Jump to solution

Hi,

We have a couple of webservice integrations with other systems that open incidents and change records in Service Manager via soap or rest calls. That have worked well for years and we are using SSL.

Recently we upgraded from SM 9.51 to 9.64 and two of the webservice integrations stopped working. The container logs dosent write anything at all when the remote systems try to connect to SM. I really mean that there are zero lines in the container log files, which is a bit odd.

If we switch to http the integrations starts working.

So do you know what have changed between version 9.51 and 9.64 in regards of SSL or TLS?
I havent found anything in the release notes for the version in between.

Anyone have had this problem?

 

0 Likes
1 Solution

Accepted Solutions
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

We have found the root cause to the problem.

We did a trace with Wireshark while the remote system was trying to connect to Service Manager. The output from the Wireshark:

 

Since TLS 1.0 is not supported in Service Manager from version 9.52 the remote system cannot connect to Service Manager. The remote system is a .NET application using .NET FrameWork 4.5.2. The supported versions in .NET are:

.NET Framework 4.5 and 4.5.1: SSLv3 and TLSv1
.NET Framework 4.5.2: SSLv3, TLSv1, and TLSv1.1
.NET Framework 4.6 and higher: TLSv1, TLSv1.1, and TLS1.2

So the solution was to upgrade the version of .NET FrameWork in the remote system.

View solution in original post

6 Replies
Highlighted
Micro Focus Expert
Micro Focus Expert

Best guess is that you have not regenerated your security certificate for upgrade from 9.51 to 9.64.

Reason for the guess is that I had a customer that patched from 9.52 to 9.52P5 and SSL broke. We regen the certs and it worked. The root cause was missing documentation. In 9.51P1, the certificate security algorithm strength was increased but this info was not included in the 9.52P2 to 9.52P5 online help. The online help has now been corrected to include the change in security algorithm from P1.

https://softwaresupport.softwaregrp.com/doc/KM02903724?fileName=SM952_P1_ReleaseNotes.pdf

"Weak" Java certificates no longer accepted
The Service Manager server no longer accepts Java certificates that are generated by using certain
"weak" algorithms. If you used these algorithms to generate your Java certificates, you must now
regenerate them by using a more complex algorithm, such as RSA.

Perhaps, you are still using old weak security algorithm from 9.51 which are rejected by SM from 9.51P1 onwards.

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

Hi Jas1

The web client (web tier) is working fine, using SSL/TSO towards the SM application server. I guess that means we can rule out weak java certificates as the roost cause?

It is just two webservice integrations that have stopped working.

0 Likes
Highlighted
Micro Focus Expert
Micro Focus Expert

If you can use HTTPS to login to your server from the web client, you can definitely rule out weak java cert as the root cause.
Normally, when HTTP works but HTTPS fails, it is usually caused by the certificates.

You may need to retest your REST calls via a tool like POSTMAN or others to see if you get any errors from SM when you try to run them.  Maybe, 9.64 has different soap and REST requirements from 9.51 and tools like POSTMAN may show the error/requirements that is stopping the REST calls from being processed. 

I can't find anything in the release notes either but I do recall seeing a few poss of folks trying to get REST to work.

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

We have found the root cause to the problem.

We did a trace with Wireshark while the remote system was trying to connect to Service Manager. The output from the Wireshark:

 

Since TLS 1.0 is not supported in Service Manager from version 9.52 the remote system cannot connect to Service Manager. The remote system is a .NET application using .NET FrameWork 4.5.2. The supported versions in .NET are:

.NET Framework 4.5 and 4.5.1: SSLv3 and TLSv1
.NET Framework 4.5.2: SSLv3, TLSv1, and TLSv1.1
.NET Framework 4.6 and higher: TLSv1, TLSv1.1, and TLS1.2

So the solution was to upgrade the version of .NET FrameWork in the remote system.

View solution in original post

Highlighted
Micro Focus Expert
Micro Focus Expert

Well done , Bjørn !

I considered TLS but according to https://docs.microfocus.com/itom/Service_Manager:9.64/TLS12SupportConfig, TLS 1.2 was supported from 9.41 and you're on 9.51 already before upgrading, so I ruled that out.

0 Likes
Highlighted
Super Contributor.. Super Contributor..
Super Contributor..

(I tried to post a jpg of the Wireshark trace in my solution above but the function for attaching images is a bit cumbersome: the preview look ok but when posting I get an error message about "wrong HTML element" or something like that. Tried with .jpg and .png - but I think readers understand the post anyway)

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.