000037971 - RSA Identity Governance & Lifecycle ServiceNow connector fails with  "handshake_failure"

Document created by RSA Customer Support Employee on Sep 23, 2019Last modified by RSA Customer Support Employee on Sep 23, 2019
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000037971
Applies ToRSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: 6.8.1, 6.9.1, 7.0.1, 7.0.2
 
IssueThe RSA Identity Governance & Lifecycle ServiceNow AFX connector fails with the following exception in the AFX ServiceNow connector log file.

The path and name of the AFX connector log file varies by installation. Typically the file is called /home/oracle/AFX/esb/logs/esb.AFX-CONN-ServiceNow.log or something very similar.
 
"9/01/19 12:20:12.796 PM","Error","Fulfillment","CreateServiceRequest",
"Error occured while executing the capability javax.xml.ws.WebServiceException:
Could not send Message.... ... Caused by: javax.net.ssl.SSLHandshakeException:
SSLHandshakeException invoking https://myserver.service-now.com/command.do?SOAP:
Received fatal alert: handshake_failure ....
Caused by: javax.net.ssl.SSLHandshakeException:
Received fatal alert: handshake_failure


 This could affect RSA Identity Governance & Lifecycle ServiceNow collectors, however, at the time of writing this RSA Knowledge Base Article, there have been no such reported failures.

 
Cause

This failure occurs when the Web Service client, (RSA Identity Governance & Lifecycle AFX Connnector) attempts to negotiate an SSL connection using the TLS 1.0 or TLS 1.1 protocol and the Web Services server (ServiceNow) has disabled TLS 1.0 and TLS 1.1 connections and enforces SSL connections over TLS 1.2.
 



This is a known issue in the following versions.



  • RSA Identity Governance & Lifecycle 6.8.1
  • RSA Identity Governance & Lifecycle 6.9.1
  • RSA Identity Governance & Lifecycle 7.0.0
  • RSA Identity Governance & Lifecycle 7.0.1



 

ResolutionThis issue does not occur in versions of RSA Identity Governance & Lifcycle that use Java 1.8. To resolve this issue, upgrade to a current version of RSA Identity Governance & Lifecycle that uses Java 1.8:
  • RSA Identity Governance & Lifecycle 7.1.0
  • RSA Identity Governance & Lifecycle 7.1.1

 
WorkaroundYou may be able to workaround this issue depending on the version by upgrading Java to the latest version supported by your product.

How to upgrade Java for your specific environment (check the below versions for compatibility before attempting to upgrade Java using one of these methods):
  • For Hardware Appliances, run the latest appliance updater. 
  • For Software installations using WebLogic and WebSphere, upgrade the Java version on your application servers to Java 1.7 build 181 or later.
  • For Software Appliances using WildFly, upgrade your Java using the Java supplied in the latest patch for your RSA Identity Governance & Lifecycle version.

Versions of RSA Identity Governance & Lifecycle where Java can be upgraded: 
  • RSA Identity Governance & Lifecycle 6.8.1 - running Java 1.6. There are no known workarounds.  TLS 1.2 is not supported by Java 1.6.
  • RSA Identity Governance & Lifecycle 6.9.1 - running Java 1.6. There are no known workarounds.  TLS 1.2 is not supported by Java 1.6. 
  • RSA Identity Governance & Lifecycle 7.0.0 - running Java 1.7  Upgrade to Java 1.7 build 181 or later. For example 1.7.0_1811.7.0_181. To do this apply the java updater upgradeJDK17_u181.tar included in 7.0.2 P15 (Do NOT apply the patch as this is a 7.0.2 patch kit.)
  • RSA Identity Governance & Lifecycle 7.0.1 - running Java 1.7.  Upgrade to Java 1.7 build 181 or later. For example 1.7.0_1811.7.0_181.  To do this apply the java updater upgradeJDK17_u181.tar included in 7.0.2 P15 (Do NOT apply the patch as this is a 7.0.2 patch kit.)
  • RSA Identity Governance & Lifecycle 7.0.2 - running Java 1.7. Apply 7.0.2 P15 and apply the java updater upgradeJDK17_u181.tar included in 7.0.2 P15.

NOTE: Java1.7.0_1811.7.0_181 is not supported and has not been tested on RSA Identity Governance & Lifecycle 7.0.0 or 7.0.1. RSA does not guarantee that other features of the product will not be affected. Caution should be used when using this work around. RSA reserves the right to request that a customer upgrade to a supported version of the product should they encounter issues.


 
NotesClick here to see the ServiceNow article that describes the timeline for deprecating support for TLS 1.0 and TLS 1.1.
 
 

Attachments

    Outcomes