000036547 - Unable to display the Back Office interface for RSA Adaptive Authentication (On-Premise) using HTTPS

Document created by RSA Customer Support Employee on Jul 21, 2018
Version 1

Article Content

Article Number: 000036547
Applies To: RSA Product Set: Adaptive Authentication (OnPrem)
RSA Product/Service Type: Back Office
RSA Version/Condition: 7.1 P6
Apache Tomcat: 6.0.53
Java: 1.7.0-u131
MSSQL: 2008 R2
Windows: 2012 R2
Issue: The customer had stopped using TLS v1 and v1.1 and was only using TLS v1.2. At that point, they were no longer able to open and display the RSA Adaptive Authentication (On-Premise) Back Office web page over HTTPS.

After turning on the option -Djavax.net.debug=SSL in the Tomcat Java Options tab, we were able to see the following in the Tomcat stdout log:

*** ClientHello, TLSv1
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 01 00                               .......
main, called closeSocket(selfInitiated)
main, waiting for close_notify or alert: state 5
main, received EOFException: ignored
main, called closeInternal(false)
main, close invoked again; state = 5
main, handling exception: java.io.IOException: SQL Server did not return a response. The connection has been closed.
main, called closeSocket()
Finalizer, called close()
Finalizer, called closeInternal(true)
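The debug output above is the key evidence: the ClientHello goes out as TLSv1, the peer never answers, and the exception that surfaces is the JDBC driver's "SQL Server did not return a response". In other words, the handshake that failed is the one from Tomcat's JDBC driver to SQL Server, not the browser's connection to Tomcat. The following Python script is an added example (not part of the RSA article or any RSA tooling) that scans JSSE debug output produced with -Djavax.net.debug=SSL, flags ClientHellos below a required protocol version, extracts alerts and handled exceptions, and decodes the raw TLS record header from the hex dump so the version on the wire can be confirmed. The sample log embedded in the script is the output quoted above; the line-number and policy-version conventions are the example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the JSSE debug lines quoted in the article (constructed copy).
SAMPLE_LOG = """\
*** ClientHello, TLSv1
main, called close()
main, called closeInternal(true)
main, SEND TLSv1.2 ALERT:  warning, description = close_notify
main, WRITE: TLSv1.2 Alert, length = 2
[Raw write]: length = 7
0000: 15 03 03 00 02 01 00                               .......
main, called closeSocket(selfInitiated)
main, waiting for close_notify or alert: state 5
main, received EOFException: ignored
main, called closeInternal(false)
main, close invoked again; state = 5
main, handling exception: java.io.IOException: SQL Server did not return a response. The connection has been closed.
main, called closeSocket()
Finalizer, called close()
Finalizer, called closeInternal(true)
"""

# Protocol ranking used to decide whether a ClientHello violates policy.
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}

CLIENT_HELLO = re.compile(r"^\*\*\* ClientHello, (?P<ver>SSLv3|TLSv1(?:\.[123])?)\s*$")
ALERT = re.compile(r"^(?P<thread>\S+), SEND (?P<ver>TLSv1(?:\.[123])?) ALERT:\s+"
                   r"(?P<level>\w+), description = (?P<desc>\w+)")
EXCEPTION = re.compile(r"^(?P<thread>\S+), handling exception: (?P<cls>[\w.]+): (?P<msg>.*)$")
# First line of a JSSE hex dump; continuation lines (0010:, 0020:, ...) are not reassembled here.
RAW_FIRST_LINE = re.compile(r"^0000: ((?:[0-9A-Fa-f]{2}\s)+)")

# TLS record-layer constants (RFC 5246) needed to decode the dumped alert.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCS = {0: "close_notify", 40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def decode_tls_record(data):
    """Decode a TLS record header (and alert body, if present) from raw bytes."""
    if len(data) < 5:
        raise ValueError("short record header")
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    body = data[5:5 + length]
    rec = {"content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
           "version": RECORD_VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
           "length": length}
    if ctype == 21 and len(body) == 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], str(body[0]))
        rec["alert_description"] = ALERT_DESCS.get(body[1], str(body[1]))
    return rec


@dataclass
class Finding:
    line_no: int   # 1-based line in the log text
    kind: str      # weak_client_hello | client_hello | alert | raw_record | exception
    detail: str


def analyze_jsse_log(text, required="TLSv1.2"):
    """Walk JSSE debug output and report protocol-policy violations and failure evidence."""
    findings = []
    min_rank = TLS_ORDER[required]
    for no, line in enumerate(text.splitlines(), 1):
        m = CLIENT_HELLO.match(line)
        if m:
            ver = m["ver"]
            if TLS_ORDER[ver] < min_rank:
                findings.append(Finding(no, "weak_client_hello",
                                        f"ClientHello offered {ver}; policy requires {required}"))
            else:
                findings.append(Finding(no, "client_hello", f"ClientHello offered {ver}"))
            continue
        m = ALERT.match(line)
        if m:
            findings.append(Finding(no, "alert",
                                    f"{m['level']} {m['desc']} sent on {m['ver']} by thread {m['thread']}"))
            continue
        m = RAW_FIRST_LINE.match(line)
        if m:
            rec = decode_tls_record(bytes.fromhex("".join(m.group(1).split())))
            findings.append(Finding(no, "raw_record", str(rec)))
            continue
        m = EXCEPTION.match(line)
        if m:
            findings.append(Finding(no, "exception", f"{m['cls']}: {m['msg']}"))
    return findings


if __name__ == "__main__":
    for f in analyze_jsse_log(SAMPLE_LOG):
        print(f"line {f.line_no:3}  {f.kind:18} {f.detail}")
```

Run against the sample, the script reports a weak ClientHello (TLSv1) on line 1, the TLSv1.2 close_notify alert on line 4, the decoded record on line 7 (content type alert, version TLSv1.2, warning/close_notify), and the JDBC exception on line 13, which together point at the database connection rather than the HTTPS connector.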
Resolution: Since this was Windows Server 2012, we checked and confirmed that the registry keys associated with TLS appeared to be set correctly.
Confirmed MSSQL version 10.50.6560.0 is greater than the minimum MSSQL version that supports TLS v1.2, which is 10.50.6542.0.

Confirmed Tomcat server.xml is specifying TLSv1.2 in the connector:

<Connector port="22300" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" 
    keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0_Tomcat6_Core\conf\keystore.jks" keystorePass="changeit" 
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false" SSLProtocol="TLSv1.2"/>

Confirmed the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files are in place.

Set the following in the Java Options tab under Tomcat:
  • -Dhttps.protocols=TLSv1.2  
  • -Djdk.tls.client.protocols=TLSv1.2
Updated to the most recent sqljdbc drivers, sqljdbc41.jar, found on the Microsoft Support website under the "Client Component Downloads, JDBC 6.0" heading.

Generated a key pair with a self-signed certificate in a Java keystore with the following command:
"%JAVA_HOME%\bin\keytool" -genkey -keyalg RSA -alias localhost -keystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\tomcat_keystore.jks" -storepass changeit -validity 360 -keysize 2048

Once all of these were put in place, the customer was able to use HTTPS and display the Back Office web page (e.g. https://localhost:8443/backoffice), and we were able to see the SSL handshake and data transmission take place with TLS v1.2.
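After a change like this, it is worth confirming from the outside that the endpoints involved (the Tomcat HTTPS connector and the SQL Server TLS listener) negotiate TLS v1.2 and refuse TLS v1 and v1.1, rather than relying on the debug log alone. The following Python script is an added example (not part of the RSA article) that probes a host and port with one protocol version at a time using the standard ssl module and evaluates the result against a "TLS v1.2 only" policy. Host, port and the policy name are the script's own parameters; certificate verification is switched off because the probe is only asking which versions the server will speak, not whether its certificate chains.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first; each entry pins (minimum, maximum) to a single version.
PROBE_VERSIONS = {
    "TLSv1":   (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_1),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}


def context_for(version_name):
    """Build a client context that can negotiate exactly one protocol version."""
    lo, hi = PROBE_VERSIONS[version_name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # probing version support only, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    try:
        # Modern OpenSSL hides TLS 1.0/1.1 behind its security level; lower it for the probe.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # library without SECLEVEL support; keep defaults
    return ctx


def probe(host, port, version_name, timeout=5.0):
    """Attempt one handshake; return (accepted, detail) where detail is the
    negotiated version on success or the failure reason otherwise."""
    ctx = context_for(version_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as e:
        return False, e.reason or str(e)
    except OSError as e:
        return False, str(e)


def evaluate(results, required="TLSv1.2"):
    """Judge {version_name: accepted} against a 'required version only' policy."""
    order = list(PROBE_VERSIONS)
    idx = order.index(required)
    legacy_accepted = [v for v in order[:idx] if results.get(v)]
    required_ok = bool(results.get(required))
    return {"required_ok": required_ok,
            "legacy_accepted": legacy_accepted,
            "compliant": required_ok and not legacy_accepted}


if __name__ == "__main__":
    # Usage: python tls_probe.py <host> <port>   e.g. the Tomcat HTTPS port or SQL Server's 1433
    host, port = sys.argv[1], int(sys.argv[2])
    results = {}
    for name in PROBE_VERSIONS:
        ok, detail = probe(host, port, name)
        results[name] = ok
        print(f"{name:8} {'accepted' if ok else 'rejected'}  ({detail})")
    print(evaluate(results))
```

A compliant result is TLSv1.2 accepted with TLSv1 and TLSv1.1 rejected; if the database port still accepts TLSv1, the JDBC connection will keep falling back to it regardless of what the Tomcat connector enforces.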