How to solve runtime SSL handshake failure error for NetSuite BW Plugin application

Article ID: KB0076805

Products: TIBCO ActiveMatrix BusinessWorks Plug-in for NetSuite
Versions: 6.3.1 or higher

Description

The NetSuite BW Plugin application, when run in Docker with bwce_runtime.zip version 2.5.0, fails with the error "javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure".

The root cause of the exception is that there is no common cipher suite for the SSL handshake between our application and the NetSuite backend server.

At present the NetSuite server supports the following cipher suites:

# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) ECDH secp256r1 (eq. 3072 bits RSA) FS 256P
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128

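The BWCE runtime environments in Docker and PCF do not support the above cipher suites, so the NetSuite server rejects the SSL handshake. Every suite in the list uses ECDHE key exchange, so the JRE needs an elliptic-curve implementation to offer any of them; the workarounds below add one.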

Environment

All supported platforms

Resolution

Workaround 1: Add the libsunec.so elliptic-curve native library in the "JRE/lib/amd64/" path
Steps:
- Copy Oracle's elliptic-curve native library (jre/lib/amd64/libsunec.so) from the Java Linux x64 RPM version at https://www.java.com/en/download/manual.jsp into the tibcojre/lib/amd64/ path inside bwce_runtime.zip, then deploy the BW application into the Docker container.

Workaround 2: Add the Bouncy Castle security provider to the JRE
Steps:
- Download the Bouncy Castle library from https://downloads.bouncycastle.org/fips-java/bc-fips-1.0.1.jar
- Open the bwce-runtime zip archive directly, without unzipping it, and follow the steps below:
  - Copy the jar file to tibco.home/tibcojre64/lib/ext/
  - Delete the tibco.home/tibcojre64/lib/security/java.security properties file and add in its place an edited java.security file that registers the Bouncy Castle provider you have just downloaded.
  - Add the following line to the newly edited file:
    security.provider.n=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
    (Note: n is the provider's position in the security.provider list; set it accordingly.)
  - Use this bwce-runtime.zip for BWCE runtime deployments.
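
To confirm that either workaround took effect, the following added example (not TIBCO's code; the class name CipherOverlapCheck is hypothetical) prints the JRE's registered security providers in order and checks whether its enabled TLS 1.2 cipher suites overlap with the NetSuite list quoted above. The suite names are copied from this article.

```java
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Hypothetical helper class; not part of BWCE or the NetSuite plug-in.
public class CipherOverlapCheck {
    // Suites the article lists for the NetSuite server, in server-preferred order.
    static final List<String> SERVER_SUITES = Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA");

    // Returns the server suites this JRE would also offer, keeping server order.
    static List<String> overlap(String[] clientSuites) {
        Set<String> client = new HashSet<>(Arrays.asList(clientSuites));
        List<String> common = new ArrayList<>();
        for (String suite : SERVER_SUITES) {
            if (client.contains(suite)) common.add(suite);
        }
        return common;
    }

    public static void main(String[] args) throws Exception {
        // Registered providers in preference order (the security.provider.n entries).
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.println("security.provider." + (i + 1) + " = " + providers[i].getName());
        }
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        List<String> common = overlap(ctx.getDefaultSSLParameters().getCipherSuites());
        if (common.isEmpty()) {
            System.out.println("No common suite: expect handshake_failure");
            System.exit(1);
        }
        System.out.println("Common suites: " + common);
    }
}
```

Run it with the java binary of the JRE packaged in the runtime archive, inside the container, because a different JRE on the build host may have a different provider set.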

Additional Information

NetSuite BW Plugin, SSL handshake, javax.net.ssl.SSLHandshakeException