Are you having this problem? After adding a certificate to enable SSL on the UI, you cannot access the UI using https.
Assuming you have followed the steps in the OPDK Operations Guide, you may still have an issue accessing:
https://ms_IP:9443
It may return SSL_PROTOCOL_ERROR.
The reason is an incompatibility between OpenJDK and the standard version of Network Security Services (nss) in some Linux distros. Certain ciphers (Elliptic Curve Cryptography, ECC) are not in the standard OpenJDK libraries, but are in the Oracle JDK. One symptom is that, when someone tries to use https, the following error(s) will be logged to start.out:
p.nettyException - Exception caught in Netty
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1345) ~[na:1.7.0_95]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519) ~[na:1.7.0_95]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799) ~[na:1.7.0_95]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767) ~[na:1.7.0_95]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_95]
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException
    at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146) ~[sunec.jar:1.7.0_95]
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704) ~[na:1.7.0_95]
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:65) ~[na:1.7.0_95]
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1367) ~[na:1.7.0_95]
    at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1154) ~[na:1.7.0_95]
Caused by: java.security.InvalidAlgorithmParameterException: null
    at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method) ~[sunec.jar:1.7.0_95]
    at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:126) ~[sunec.jar:1.7.0_95]
    at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704) ~[na:1.7.0_95]
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:65) ~[na:1.7.0_95]
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1367) ~[na:1.7.0_95]
The version of nss should be at least 3.19 to use ECC ciphers with OpenJDK. To check the nss version, type:
sudo yum info nss
To resolve the issue, type:
sudo yum upgrade nss
and ensure the version is at least 3.19, then restart the Apigee components on that server.
NB: It is recommended that you run a "sudo yum upgrade" anyway to pick up any critical security patches before using a server in anger!
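As an added example (not part of the original post or of Apigee's tooling), these shell functions look for the failure above in a log file and compare an nss version against the 3.19 minimum. The function names and the sample log excerpt are constructed for illustration, and the location of start.out is left to the caller.

```shell
#!/bin/sh
# Added example: triage for the OpenJDK/nss ECC handshake failure.
# Function names and the sample log are constructed for illustration.

NSS_MIN="3.19"   # minimum nss version given on this page

# version_ge A B: succeeds when dotted version A >= B, compared numerically
# field by field (so 3.9 < 3.19, which a string comparison gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# log_has_ecc_failure FILE: succeeds when FILE contains the ECDH key
# generation failure shown in the stack trace.
log_has_ecc_failure() {
    grep -qF 'java.security.InvalidAlgorithmParameterException' "$1" &&
    grep -qF 'sun.security.ec.ECKeyPairGenerator.generateKeyPair' "$1"
}

# installed_nss_version: prints the installed nss version, or nothing when
# rpm or the package is unavailable.
installed_nss_version() {
    rpm -q nss >/dev/null 2>&1 || return 0
    rpm -q --queryformat '%{VERSION}\n' nss | head -n 1
}

# diagnose LOGFILE [NSS_VERSION]: prints no-symptom, nss-unknown,
# upgrade-nss, or nss-ok (symptom present although nss meets the minimum).
diagnose() {
    ver="${2:-$(installed_nss_version)}"
    if ! log_has_ecc_failure "$1"; then echo "no-symptom"; return 0; fi
    if [ -z "$ver" ]; then echo "nss-unknown"; return 0; fi
    if version_ge "$ver" "$NSS_MIN"; then echo "nss-ok"; else echo "upgrade-nss"; fi
}

# sample_log: constructed start.out excerpt, lines taken from the trace above.
sample_log() {
    cat <<'EOF'
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException
    at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146) ~[sunec.jar:1.7.0_95]
EOF
}
```

Source the file and run `diagnose` with the path to start.out; the optional second argument overrides the version that rpm reports.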
Super helpful, thanks for the note!