Unable to access UI using https after adding certificate to enable SSL on the UI?


Are you having this problem? After adding a certificate to enable SSL on the UI, you cannot access the UI using https.

Assuming you have followed the steps in the OPDK Operations Guide, you may still have an issue accessing

https://ms_IP:9443

It may return SSL_PROTOCOL_ERROR.

The reason for this is an incompatibility between OpenJDK and the standard version of Network Security Services (nss) in some Linux distros. Certain ciphers (Elliptic Curve Cryptography (ECC)) are not in the standard OpenJDK libraries, but are in the Oracle JDK. One symptom is that, when someone tries to use https, the following error(s) will be logged to start.out:

p.nettyException - Exception caught in Netty
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1345) ~[na:1.7.0_95]
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:519) ~[na:1.7.0_95]
	at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:799) ~[na:1.7.0_95]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:767) ~[na:1.7.0_95]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_95]
Caused by: java.security.ProviderException: java.security.InvalidAlgorithmParameterException
	at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:146) ~[sunec.jar:1.7.0_95]
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704) ~[na:1.7.0_95]
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:65) ~[na:1.7.0_95]
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1367) ~[na:1.7.0_95]
	at sun.security.ssl.ServerHandshaker.trySetCipherSuite(ServerHandshaker.java:1154) ~[na:1.7.0_95]
Caused by: java.security.InvalidAlgorithmParameterException: null
	at sun.security.ec.ECKeyPairGenerator.generateECKeyPair(Native Method) ~[sunec.jar:1.7.0_95]
	at sun.security.ec.ECKeyPairGenerator.generateKeyPair(ECKeyPairGenerator.java:126) ~[sunec.jar:1.7.0_95]
	at java.security.KeyPairGenerator$Delegate.generateKeyPair(KeyPairGenerator.java:704) ~[na:1.7.0_95]
	at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:65) ~[na:1.7.0_95]
	at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1367) ~[na:1.7.0_95]

The version of nss should be at least 3.19 to use ECC ciphers with OpenJDK. To check the nss version, you can type:

sudo yum info nss

To resolve the issue, type:

sudo yum upgrade nss

and ensure the version is at least 3.19, then restart the Apigee components on that server.

NB. It is recommended that you run a "sudo yum upgrade" anyway to pick up any critical security patches before using a server in anger!
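
The check above as a small triage script, added here as an example (it is not part of the original article or of Apigee's tooling): it compares an nss version against the 3.19 minimum field by field and looks in a log for the ECDH key-generation failure shown in the trace. The function names, the constructed sample log and the start.out path placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
MIN_NSS="3.19"   # minimum nss version the article gives for ECC ciphers with OpenJDK

# Return 0 if dotted version $1 >= $2, comparing each field as a number
# (so 3.9 counts as older than 3.19, which a plain string compare gets wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Return 0 if log file $1 shows the symptom: InvalidAlgorithmParameterException
# raised while the server was setting up ephemeral ECDH keys.
log_has_ecdh_failure() {
    grep -F -q 'java.security.InvalidAlgorithmParameterException' "$1" &&
        grep -F -q 'setupEphemeralECDHKeys' "$1"
}

# Print a one-line verdict for nss version $1 and log file $2.
diagnose() {
    if version_ge "$1" "$MIN_NSS"; then nss_state=ok; else nss_state=old; fi
    if log_has_ecdh_failure "$2"; then log_state=symptom; else log_state=clean; fi
    echo "nss=$nss_state log=$log_state"
}

# Constructed sample (lines shaped like the trace above) for trying the check offline.
write_sample_log() {
    cat > "$1" <<'EOF'
java.lang.RuntimeException: java.security.InvalidAlgorithmParameterException
    at sun.security.ssl.ECDHCrypt.<init>(ECDHCrypt.java:65)
    at sun.security.ssl.ServerHandshaker.setupEphemeralECDHKeys(ServerHandshaker.java:1367)
EOF
}

# On the server itself (the start.out location is a placeholder, not given in the article):
#   diagnose "$(rpm -q --queryformat '%{VERSION}\n' nss | head -n 1)" /path/to/start.out
```

A result of `nss=old log=symptom` matches the situation the article describes; `nss=ok log=symptom` means the upgrade is in place but the log still holds entries from before the restart or the cause lies elsewhere.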

Comments
DChiesa
Staff

Super helpful, thanks for the note!

Version history
Last update: 03-03-2016 10:17 AM