000039485 - RSA Archer GRC Collector connection failing with SSL handshake error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Dec 11, 2020

Article Content

Article Number: 000039485
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Any
RSA Version/Condition: 7.0.x, 7.1.x

Issue

An RSA Archer GRC Account Collector is connecting to a hosted Archer instance. The collector test fails with a ConnectionException.



JAVA DEBUG

  • Enable SSL debug logging.

An SSL Handshake Failed error occurs when RSA Identity Governance & Lifecycle tries to establish a connection with RSA Archer:
 

10/09/2020 13:08:55.613 DEBUG (ApplyChangesRegularThread-211) [com.aveksa.collector.archer.ArcherConnObj] URL is:https://grc.archer.rsa.com:443//api/core/security/login
10/09/2020 13:08:55.853 ERROR (ApplyChangesRegularThread-211) [com.aveksa.collector.archer.ArcherConnObj] Error:IO Exception: Received fatal alert: handshake_failure
10/09/2020 13:08:55.854 ERROR (ApplyChangesRegularThread-211) [com.aveksa.collector.archer.ArcherConnObj] Exception occurred in login:Connection Failed
10/09/2020 13:08:55.854 ERROR (ApplyChangesRegularThread-211) [com.aveksa.client.datacollector.framework.DataCollectorManager] DCM281: Collection Failed: CollectionFailedEvent[cmi = CollectionMetaInfo[{ID=2, run_id=1602266935610, collector_id=431, test-run=true, collector_name=RSA Archer GRC ADC, data_size=0, data_file=/home/oracle/wildfly-10.1.0.Final/standalone/tmp/vfs/deployment/deploymentcea33f1e4b5cf5d0/aveksa.war-f025b6a7b75c8b16/WEB-INF/LocalAgent/collected_data/2.data}] message = null cause = com.aveksa.common.ConnectException: Connection Failed]



TLS 1.2 uses a handshake that makes multiple round trips between the client and the server. The following SSL debug log shows RSA Identity Governance & Lifecycle (the client) sending its ClientHello, and RSA Archer (the server) receiving it and responding. The problem occurs at the ChangeCipherSpec stage.
 

11/09/2020 14:07:34.055 INFO (default task-43) [SystemOut] *** ClientHello, TLSv1.2
11/09/2020 14:07:34.055 INFO (default task-43) [SystemOut] RandomCookie:
11/09/2020 14:07:34.055 INFO (default task-43) [SystemOut] GMT: 1588109446
11/09/2020 14:07:34.055 INFO (default task-43) [SystemOut] bytes = {
11/09/2020 14:07:34.057 INFO (default task-43) [SystemOut] }
11/09/2020 14:07:34.057 INFO (default task-43) [SystemOut] Session ID:
11/09/2020 14:07:34.057 INFO (default task-43) [SystemOut] {95, 169, 152, 164, 206, 190, 102, 6, 190, 190, 7, 167, 98, 161, 136, 105, 40, 179, 133, 146, 153, 154, 48, 219, 50, 42, 200, 235, 52, 159, 97, 14}
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] Cipher Suites: [TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] Compression Methods: {
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] }
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] Extension server_name, server_name: [type=host_name (0), value=ip-172-31-22-157.ec2.internal]
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] ***
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] %% Resuming [Session-1, TLS_RSA_WITH_AES_256_CBC_SHA]
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] *** ServerHello, TLSv1.2
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] RandomCookie:
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] GMT: 1588109446
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] bytes = {
11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] ,
11/09/2020 14:07:34.067 INFO (default task-43) [SystemOut] ... no IV derived for this protocol
11/09/2020 14:07:34.068 INFO (default task-43) [SystemOut] default task-43, WRITE: TLSv1.2 Handshake, length = 81
11/09/2020 14:07:34.068 INFO (default task-43) [SystemOut] default task-43, WRITE: TLSv1.2 Change Cipher Spec, length = 1
11/09/2020 14:07:34.068 INFO (default task-43) [SystemOut] *** Finished
11/09/2020 14:07:34.068 INFO (default task-43) [SystemOut] verify_data: {
11/09/2020 14:07:34.068 INFO (default task-43) [SystemOut] ,


 
Cause

This is a known issue in the following versions:

  • RSA Identity Governance & Lifecycle 7.1.x

This issue is caused by a cipher mismatch between the cipher suites in use by the client (RSA Identity Governance & Lifecycle) and the server (RSA Archer behind an Amazon ALB (Application Load Balancer) whose security policy has changed). The Amazon ALB refuses SSL connections that do not adhere to its security policy.

The following Amazon document lists the ciphers permitted by the security policy FS-1-2-Res-2019-08:

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html

During the connection negotiation process, the client and the load balancer each present a list of ciphers and protocols that they support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
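The following Python script is an added example, not RSA or AWS code. It parses the "Cipher Suites" line from the Java SSL debug log above, applies the server-preference selection rule just described, and reports why the handshake fails. The four ECDHE-GCM suites used as the ALB policy are my reading of ELBSecurityPolicy-FS-1-2-Res-2019-08 written with the Java/IANA suite names the debug log uses (the AWS table lists them under OpenSSL names); verify them against the linked AWS document. The "after" client list in the usage section is constructed for illustration and is not the actual RSA Identity Governance & Lifecycle 7.2.1 suite list.

```python
import re

# Constructed from the ClientHello "Cipher Suites" line in the SSL debug log
# above; the client offers these in its order of preference.
CLIENT_HELLO_LINE = (
    "11/09/2020 14:07:34.058 INFO (default task-43) [SystemOut] Cipher Suites: "
    "[TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, "
    "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, "
    "TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, "
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, "
    "TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, "
    "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, "
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, "
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]"
)

# ASSUMPTION: the suites permitted by ELBSecurityPolicy-FS-1-2-Res-2019-08, in
# the load balancer's order of preference, written with IANA/Java names.
# Check against the AWS document linked above before relying on this list.
ALB_FS_1_2_RES_2019_08 = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def parse_client_suites(log_line):
    """Extract the bracketed suite list from a Java 'Cipher Suites: [...]' log line."""
    match = re.search(r"Cipher Suites: \[([^\]]*)\]", log_line)
    if not match:
        raise ValueError("no 'Cipher Suites: [...]' field in log line")
    names = [s.strip() for s in match.group(1).split(",")]
    # *_SCSV entries are signalling values (renegotiation info), not real suites.
    return [n for n in names if n and not n.endswith("_SCSV")]


def negotiate(server_prefs, client_suites):
    """Server-preference selection as the article describes: the first suite on
    the server's list that the client also offered wins. None means the server
    has nothing in common and will send a handshake_failure alert."""
    offered = set(client_suites)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None


def forward_secret(suite):
    """(EC)DHE suites give forward secrecy; static RSA key transport does not."""
    return "_ECDHE_" in suite or "_DHE_" in suite


def diagnose(server_prefs, client_suites):
    """Summarise the negotiation outcome and the properties of the client offer."""
    return {
        "selected": negotiate(server_prefs, client_suites),
        "client_offers_ecdhe": any("_ECDHE_" in s for s in client_suites),
        "client_non_pfs_count": sum(1 for s in client_suites if not forward_secret(s)),
    }


if __name__ == "__main__":
    offered = parse_client_suites(CLIENT_HELLO_LINE)
    # 7.1.x client against the ALB policy: no ECDHE suite offered -> no match.
    print("7.1.x offer:", diagnose(ALB_FS_1_2_RES_2019_08, offered))
    # Constructed "after" offer (illustrative, not the real 7.2.1 list): the same
    # client with ECDHE-GCM suites added negotiates successfully.
    fixed = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
             "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"] + offered
    print("ECDHE-capable offer:", diagnose(ALB_FS_1_2_RES_2019_08, fixed))
```

The log line shows the 7.1.x client offering only RSA, DHE_RSA and DHE_DSS suites, so an ECDHE-only load balancer policy has an empty intersection and the alert in the collector log is the expected result. The constructed "after" offer also shows server preference at work: although the client lists the AES-256 suite first, the selection follows the load balancer's order and picks AES-128-GCM.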



Resolution

This is resolved in the following version:

  • RSA Identity Governance & Lifecycle 7.2.1

RSA Identity Governance & Lifecycle 7.2.1 supports additional cipher suites in common with Archer behind the Amazon ALB.

Workaround

(Not recommended) Disable the security policy on the Amazon ALB to allow a less secure cipher suite.
