How to troubleshoot an SSL connection issue on webMethods v8.2 Integration Server

Ever had to troubleshoot an SSL connection issue and felt overwhelmed by a “je ne sais quoi” feeling? Let me try to ease your pain based on recent experience.

Use case:

  • Integration Server acts as an SSL client, connecting to a partner’s HTTPS server
  • Certificates are exchanged and loaded in the keystore and truststore on both ends
  • Calling the URL over HTTPS results in the error “ssl handshake failure”.

Our first step: enable SSL debugging on the Integration Server.
Introduce two extended settings (“watt.net.ssl.debug=true” and “watt.ssl.iaik.debug=true”) and restart the Integration Server. By default, SSL debug information is sent to standard out.

After calling the URL again over HTTPS, additional debug information shows:

What are these log entries telling us?

The Integration Server sends the message “Sending v2 client_hello” to the HTTPS server. This request is immediately rejected by the end target (see the entry “Received alert message: Alert Fatal: handshake failure” in the SSL debug log lines).

The purpose of the SSL v2 Client Hello is listed in the TLS specification as a way for SSL Clients to allow backwards compatibility with previous versions of SSL. The specification also states that TLS Servers are allowed to reject SSL v2 Client Hello messages if they do not support the previous versions of SSL.

By default, the Integration Server can handle different cryptographic protocols (TLS, SSLv2, SSLv3). How do you discover which protocols the HTTPS server supports?

  1. Go to www.openssl.org
  2. Download and install the binary distribution of your preference
  3. Run the following commands:
     • to verify whether the HTTPS server supports TLS 1:
       openssl s_client -verify 6 -state -msg -tls1 -showcerts -connect <host>:<port>
     • to verify whether the HTTPS server supports SSL 2:
       openssl s_client -verify 6 -state -msg -ssl2 -showcerts -connect <host>:<port>
     • to verify whether the HTTPS server supports SSL 3:
       openssl s_client -verify 6 -state -msg -ssl3 -showcerts -connect <host>:<port>

Note: Replace “<host>:<port>” with the hostname and port of your end target.

If the result contains “ssl handshake failure”, it indicates that your target is rejecting the selected protocol.
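The three checks above can be scripted. The following is an added example, not part of the original post: it runs the same s_client command once per protocol flag and classifies each result using the “handshake failure” criterion. The function names, verdict strings and sample outputs are constructed for illustration, and the “unknown option” check assumes that wording from OpenSSL builds that no longer accept -ssl2 or -ssl3.

```shell
#!/bin/sh
# Added example (not from the original post): probe a server with the three
# s_client commands from the post and classify each result.

# Read s_client output on stdin and print one verdict.
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'unknown option'; then
        # Assumption: a local openssl build without SSLv2/SSLv3 support
        # rejects the flag with an "unknown option" message.
        echo "unsupported-by-local-openssl"
    elif printf '%s\n' "$out" | grep -qi 'handshake failure'; then
        echo "rejected"        # criterion given in the post
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo "accepted"        # a cipher suite was negotiated
    else
        echo "inconclusive"    # e.g. connection refused or timed out
    fi
}

# Run the post's command once per protocol flag against <host>:<port>.
probe_protocols() {
    target=$1
    for flag in -tls1 -ssl3 -ssl2; do
        verdict=$(openssl s_client -verify 6 -state -msg "$flag" -showcerts \
                    -connect "$target" </dev/null 2>&1 | classify_handshake)
        printf '%-6s %s\n' "$flag" "$verdict"
    done
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_REJECTED='CONNECTED(00000003)
SSL_connect:error in SSLv3 read server hello A
140735:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
SSL_connect:SSLv3 read finished A
New, TLSv1/SSLv3, Cipher is AES256-SHA'

# Probe only when a target is given, e.g.: sh probe.sh <host>:<port>
if [ "$#" -eq 1 ]; then
    probe_protocols "$1"
fi
```

A verdict of “unsupported-by-local-openssl” says nothing about the server; it means the installed openssl cannot speak that protocol, so the check has to be run from a build that still includes it.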

In our use case the partner only accepted TLS. The issue was solved once the administrator of the HTTPS server enabled SSL v3 on his end.

Author: Johan De Wulf
