Client requested protocol TLSv1 not enabled or not supported

A forum for discussing DataStage<sup>®</sup> basics. If you're not sure where your question goes, start here.

Moderators: chulett, rschirm, roy

Post Reply
Criaz91
Participant
Posts: 8
Joined: Thu Nov 09, 2017 6:24 am

Client requested protocol TLSv1 not enabled or not supported

Post by Criaz91 »

Hi

When I click on "Edit assembly" button in Hierarchical Data stage then I get the following error message on engine tier:

---------------------------------------------------------------------------------------------------------------------------------

Code: Select all

[10/18/17 13:24:29:428 GMT] 0003a4b2 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  Exception is javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
	at com.ibm.jsse2.ab.y(ab.java:439)
	at com.ibm.jsse2.nc.b(nc.java:227)
	at com.ibm.jsse2.nc.c(nc.java:339)
	at com.ibm.jsse2.nc.wrap(nc.java:256)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:25)
	at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:744)
	at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:565)
	at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:294)
	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.sendToDiscriminators(NewConnectionInitialReadCallback.java:214)
	at com.ibm.ws.tcp.channel.impl.NewConnectionInitialReadCallback.complete(NewConnectionInitialReadCallback.java:113)
	at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:175)
	at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
	at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
	at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:138)
	at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:204)
	at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
	at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
	at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1862)
Caused by: javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 not enabled or not supported
	at com.ibm.jsse2.j.a(j.java:24)
	at com.ibm.jsse2.nc.a(nc.java:132)
	at com.ibm.jsse2.ab.a(ab.java:130)
	at com.ibm.jsse2.ab.a(ab.java:207)
	at com.ibm.jsse2.cb.a(cb.java:657)
	at com.ibm.jsse2.cb.a(cb.java:625)
	at com.ibm.jsse2.ab.r(ab.java:528)
	at com.ibm.jsse2.ab$1.a(ab$1.java:2)
	at com.ibm.jsse2.ab$1.run(ab$1.java:1)
	at java.security.AccessController.doPrivileged(AccessController.java:366)
	at com.ibm.jsse2.ab$c_.run(ab$c_.java:11)
	at com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.java:831)
	... 12 more
.
---------------------------------------------------------------------------------------------------------------------------------

Protocol TLSv1 is disabled on our engine tier (WAS 8.5.5.1 & Infospehere Information Server 11.3.1.2), only TLSv1.2 is allowed (engine tier is installed on SUSE linux).
I get above mentioned error message on Client tier (IIS 11.3.1.2) in Datastage Designer, what is installed on Windows Server 2012. We're using on both tier java version "1.7.0".

Somebody have any idea how to force DataStage client to use only TLSv1.2? I already tried to add "Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12" in Hierarchical Data stage JVM optional arguments, but it didn't work for me.

Any assistance would be appreciated, thank you in advance.
qt_ky
Premium Member
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Try checking the settings and the APAR mentioned in this tech note:

http://www-01.ibm.com/support/docview.w ... wg21699845
Choose a job you love, and you will never have to work a day in your life. - Confucius
Criaz91
Participant
Posts: 8
Joined: Thu Nov 09, 2017 6:24 am

Post by Criaz91 »

Hi, APAR JR52781 is included in "IBM InfoSphere Information Server, Version 11.3.1.2" what we have currently installed, and I did every steps on that page before I posted my question here and it didn't help.
qt_ky
Premium Member
Premium Member
Posts: 2895
Joined: Wed Aug 03, 2011 6:16 am
Location: USA

Post by qt_ky »

Would have been nice to know that... Have you tried working with Support?
Choose a job you love, and you will never have to work a day in your life. - Confucius
Criaz91
Participant
Posts: 8
Joined: Thu Nov 09, 2017 6:24 am

Post by Criaz91 »

yes, today I contacted support regarding this issue.
skathaitrooney
Participant
Posts: 103
Joined: Tue Jan 06, 2015 4:30 am

Post by skathaitrooney »

Did you manage to resolve it ?
skathaitrooney
Participant
Posts: 103
Joined: Tue Jan 06, 2015 4:30 am

Post by skathaitrooney »

I performed all the steps mentioned n the IBM tech-note and in the Hierarchial stage passed these Optional Arguments

Code: Select all

-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12
It works for me.

Did you manage to work it through ?
cdp
Premium Member
Premium Member
Posts: 113
Joined: Tue Dec 15, 2009 9:28 pm
Location: New Zealand

Post by cdp »

Hi had a similar issue when trying to call the Microsoft Dynamics 365 API on DS 11.3 fp1 recently... Microsoft disabled support for TLS1, which is perfectly understandable!

I did not need to apply a patch, we just upgraded the JDK and added the following line to the Hierarchical Stage properties:
-Dcom.ibm.jsse2.overrideDefaultTLS=true -Dcom.ibm.jsse2.overrideDefaultProtocol=TLSv12
See here:
http://www-01.ibm.com/support/docview.w ... wg22008850

Wasted days trying to find the issue (Thanks WireShark !) and very tempted to blame it all on Microsoft :roll:
Seriously IBM... TLS v1 in 2018 ??????! :x
Criaz91
Participant
Posts: 8
Joined: Thu Nov 09, 2017 6:24 am

Post by Criaz91 »

I contacted our support, and they recommended that we should use TLSv1 instead of TLSv1.2, if we would like to use hierarchical stage...fix exist, but not for 11.3.

Here is the url for that fix (11.5 ): https://www-01.ibm.com/support/docview. ... wg1JR57423
Criaz91
Participant
Posts: 8
Joined: Thu Nov 09, 2017 6:24 am

Post by Criaz91 »

cdp - Thanks for your response, I will try your suggestion later :), we're using again TLSv1 for now.
Post Reply