From: Dave H. <hel...@li...> - 2015-06-04 15:35:07
Hi Sami,

The v2.1.4 is a bit old; consider upgrading to the latest as found here (although what I'm going to suggest should work with the older version):

https://sourceforge.net/projects/sblim/files/sblim-cim-client2/

If you are having trouble connecting over TLS you can try setting the config properties: https.protocol and https.cipherSuite. I have found it is sometimes not sufficient to set only the higher protocol (which should happen by default anyway) but also to specify the cipher suite, as some servers are restricted to certain ciphers in addition to being restricted to a certain protocol level. But you can try just setting the protocol(s), like:

    java -Dhttps.protocols="TLSv1,TLSv1.1,TLSv1.2" ...

If some variation of this does not help, you may have a mismatch in the cipher suite. When this happens you may get a nice message telling you this or you may just get a handshake failure. It's helpful to see what's going on at the server, too. But from the client side, one way to see if this is happening is to set javax.net.debug=all, which you can also do via the cmdline or by a System.setProperty(). This should show some debug output for the SSL handshake, etc.

One way to find a compatible cipher is to test with openssl s_client. First make sure your server supports the protocol level you are expecting. Note some older openssl versions do not support the newer -tls options on the cmdline here. You should do this on a machine with newer openssl and ciphers installed:

    $ openssl s_client -connect <ip>:5989 -ssl3
    $ openssl s_client -connect <ip>:5989 -tls1
    $ openssl s_client -connect <ip>:5989 -tls1_1
    $ openssl s_client -connect <ip>:5989 -tls1_2

If you can connect at the expected protocol level, look for the Cipher: in the output. Now you want to try to find a JSSE cipher that matches. I found this pretty good reference on which ciphers are available on each JRE version. You may have to upgrade to Java 8.

http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

If you find a compatible cipher suite you can try specifying it like:

    java -Dhttps.protocols="TLSv1.2" -Dhttps.cipherSuites="TLS_RSA_WITH_AES_256_GCM_SHA384" ...

If the cipher suite you saw using openssl s_client is not available in your JSSE (you should get an "Unsupported ciphersuite" exception) you can try some other available cipher and hopefully that will work.

If none of that helps let me know what you are seeing in your javax.net.debug=all output.

Dave H.

On 05/20/2015 07:04 AM, Samidurai Nadarajan wrote:
> Team,
>
> We are using sblim-cim-client2 APIs (2.1.4) to connect to CIMOM Providers.
> It looks like IBM has recently implemented TLS support in their provider on
> the IBM V7000 storage array (SSL support is disabled).
>
> Now we are not able to connect to the IBM CIMOM Provider using sblim APIs.
> Also I have configured ssl.Protocol=TLS and ssl.Protocol=SSL_TLS. But still
> I am not able to connect to the provider.
>
> Has anyone tried to connect to the provider in TLS mode? Could you please
> let me know whether I need to perform any other configuration changes?
>
> --
> Thanks,
> Sami
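
Added example (not part of the original message or of the sblim project): a small Java probe that performs the per-protocol check described above from the client JRE itself, so the negotiated cipher suite is reported directly in JSSE naming and can be passed to -Dhttps.cipherSuites. The class name TlsProbe and the host cimom.example.test are placeholders; it assumes Java 7 or later and uses the JRE's normal certificate validation.

```java
import javax.net.ssl.*;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.List;

// Added diagnostic sketch: reports, in JSSE naming, what this JRE negotiates per protocol.
public class TlsProbe {
    // Protocol levels taken from the -Dhttps.protocols example in the post.
    static final String[] LEVELS = {"TLSv1", "TLSv1.1", "TLSv1.2"};

    static String probe(SSLSocketFactory f, String host, int port, String proto) {
        try (SSLSocket s = (SSLSocket) f.createSocket()) {
            s.connect(new InetSocketAddress(host, port), 5000);
            s.setSoTimeout(5000);
            s.setEnabledProtocols(new String[] {proto}); // offer only this level
            s.startHandshake();                          // normal JRE trust checks apply
            SSLSession sess = s.getSession();
            return "OK, try: -Dhttps.protocols=\"" + sess.getProtocol()
                 + "\" -Dhttps.cipherSuites=\"" + sess.getCipherSuite() + "\"";
        } catch (SSLException e) {
            // A certificate failure means the server already accepted a protocol and cipher.
            for (Throwable t = e; t != null; t = t.getCause()) {
                if (t instanceof CertificateException) {
                    return "protocol/cipher accepted, but the server certificate is not"
                         + " trusted (check javax.net.ssl.trustStore): " + t.getMessage();
                }
            }
            return "handshake failed: " + e.getMessage();
        } catch (IOException e) {
            return "connection failed: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "cimom.example.test"; // placeholder host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 5989;   // port from the post
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters sup = ctx.getSupportedSSLParameters();
        List<String> protos = Arrays.asList(sup.getProtocols());
        System.out.println("Java " + System.getProperty("java.version") + " supports "
            + protos + " and " + sup.getCipherSuites().length + " cipher suites");
        for (String p : LEVELS) {
            String result = protos.contains(p)
                ? probe(ctx.getSocketFactory(), host, port, p)
                : "not supported by this JRE";
            System.out.println(p + ": " + result);
        }
    }
}
```

Run it with the same JRE the CIM client uses (java TlsProbe <ip> 5989); a level that the JRE supports but has disabled by policy shows up as a handshake failure rather than as unsupported.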