Layer7 Access Management

Tech Tip : CA Single Sign-On : Siteminder as OAuth client: javax.net.ssl.SSLException

  • 1.  Tech Tip : CA Single Sign-On : Siteminder as OAuth client: javax.net.ssl.SSLException

    Posted 06-20-2018 09:59 AM

    Issue


    We are setting up Siteminder as OAuth client, but we get a Java exception in our FWSTrace.log when we try to recover the Access Token:

    [05/02/2018][08:45:53][20655][3415492352][1384abd9-79ccf279-9bcecd80-f2f6199d-b4388867-1][MessageDispatcher.java][dispatchMessage][Exception:
    javax.net.ssl.SSLException: Fatal Alert received: Handshake Failure.

    We have access to the OAuth authorization server's SSL configuration, which is as follows:

    SSLEngine on
    SSLHonorCipherOrder On
    SSLCipherSuite kEECDH+ECDSA:kEECDH:kEDH:HIGH:+SHA:!RSA:!3DES:!RC4:!aNULL:!eNULL:!LOW:!MD5:!EXP:!DSS:!PSK:!SRP:!kECDH:!kDH:!SEED
    SSLCompression Off
    SSLProtocol all -SSLv2 -SSLv3

    Is there some configuration/limit about allowed SSL ciphers in affwebservices' OAuth servlet?

     


    Environment


    12.52 SP1

     

     

    Resolution


    DE297147 - SSL Backchannel communication is using limited number of ciphers

    You are right, the 12.52.x affwebservices is using limited cipher suites resulting in SSL Handshake failure.

    This code was changed in 12.6 where we now retrieve ciphers from a new configuration file called SSLCipherConfig.properties.

    Also there were upgrade of BESAFE components SSLJ from 5.1 to 6.1.3 on R12.6 Access Gateway.

    This issue has also be fixed in the 12.52 SP1 CR9 agent to allow SSL BackChannel with more ciphersuites.

     

     

    KB000102791