Fixes are available
8.0.0.11: WebSphere Application Server V8.0 Fix Pack 11
8.5.5.7: WebSphere Application Server V8.5.5 Fix Pack 7
8.5.5.8: WebSphere Application Server V8.5.5 Fix Pack 8
8.0.0.12: WebSphere Application Server V8.0 Fix Pack 12
8.5.5.9: WebSphere Application Server V8.5.5 Fix Pack 9
8.5.5.10: WebSphere Application Server V8.5.5 Fix Pack 10
8.5.5.11: WebSphere Application Server V8.5.5 Fix Pack 11
8.0.0.13: WebSphere Application Server V8.0 Fix Pack 13
8.5.5.12: WebSphere Application Server V8.5.5 Fix Pack 12
8.0.0.14: WebSphere Application Server V8.0 Fix Pack 14
8.5.5.13: WebSphere Application Server V8.5.5 Fix Pack 13
8.0.0.15: WebSphere Application Server V8.0 Fix Pack 15
8.5.5.14: WebSphere Application Server V8.5.5 Fix Pack 14
8.5.5.15: WebSphere Application Server V8.5.5 Fix Pack 15
8.5.5.17: WebSphere Application Server V8.5.5 Fix Pack 17
8.5.5.20: WebSphere Application Server V8.5.5.20
8.5.5.18: WebSphere Application Server V8.5.5 Fix Pack 18
8.5.5.19: WebSphere Application Server V8.5.5 Fix Pack 19
8.5.5.16: WebSphere Application Server V8.5.5 Fix Pack 16
8.5.5.21: WebSphere Application Server V8.5.5.21
APAR status
Closed as program error.
Error description
The LDAP server should respond with a Server Hello specifying the highest SSL protocol it can use to communicate (TLSv1), but instead it responds with an alert. We should provide a way to specify a particular SSL protocol to use for the Client Hello. Custom property required.
Local fix
n/a
Problem summary
USERS AFFECTED: IBM WebSphere Edge Load Balancer users
PROBLEM DESCRIPTION: When using the ldaps or https advisor, the user may want to control the SSL protocol level
RECOMMENDATION:
The https and ldaps advisors will attempt communication using TLSv1.2. If a server cannot communicate using this protocol level, it should respond in the Server Hello with the highest level protocol it can use, and the SSL session will be established using the lowest common protocol.
Problem conclusion
There may be occasions when the server does not recognize the higher level protocols and requires a lower level protocol to be used. LB has added custom properties which can be specified to force a particular SSL protocol level.
The custom properties are:
lb.https.protocol
lb.ldaps.protocol
Valid values are currently:
SSL
SSLv3
TLS
TLSv1
TLSv1.1
TLSv1.2
SSL_TLS
SSL_TLSv2
The meaning of these protocols is defined in the IBMJSSE2 provider and may be expanded in the future.
http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/protocols.html?lang=en
To enable the custom property, set the appropriate property in the dsserver, cbrserver or ssserver script prior to starting the server. This example forces the ldaps advisor to use TLSv1 instead of TLSv1.2 (based on LB for ipv4 on AIX):
/opt/ibm/edge/lb/java/jre/bin/java -Dlb.ldaps.protocol="TLSv1" -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Stack=false -cp $LB_CLASSPATH $LB_INSTALL_PATH $LB_CLIENT_KEYS $LB_SERVER_KEYS -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol com.ibm.internet.nd.server.SRV_KNDConfigServer $LB_RMIPORT $LB_LOGDIR $LB_SAVEDIR $LB_BINDIR $LB_CONFIGFILE $LB_RMISERVERPORT &
Fix levels:
Load Balancer for ipv4: 7.0.0.36, 8.0.0.11, 8.5.5.7
Load Balancer for ipv4 and ipv6: 7.0.0.40, 8.0.0.11, 8.5.5.7
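An added example, not IBM's code: a shell check that reads a start script and reports what each advisor protocol property is set to, so a pin below TLSv1.2 left in place by this workaround shows up in a configuration review. The function names, verdict labels and the sample line are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IBM code: audit a Load Balancer start script (dsserver,
# cbrserver or ssserver) for the custom properties introduced by this APAR.

# classify_protocol VALUE -> ok | weak | alias | invalid (labels are hypothetical)
classify_protocol() {
    case "$1" in
        TLSv1.2)                   echo ok ;;      # level the advisors attempt by default
        SSLv3|TLSv1|TLSv1.1)       echo weak ;;    # pins the advisor below TLSv1.2
        SSL|TLS|SSL_TLS|SSL_TLSv2) echo alias ;;   # meaning defined by IBMJSSE2: review
        *)                         echo invalid ;; # not in the APAR's list of valid values
    esac
}

# audit_script FILE -> one line per property: "<property> <value> <verdict>"
audit_script() {
    for prop in lb.https.protocol lb.ldaps.protocol; do
        re=$(printf '%s' "$prop" | sed 's/\./\\./g')   # escape dots for the regex
        # Skip comment lines, then capture VALUE from -D<prop>=VALUE or -D<prop>="VALUE".
        val=$(sed -n -e '/^[[:space:]]*#/d' \
            -e "s/.*-D${re}=\"\{0,1\}\([A-Za-z0-9_.]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1)
        if [ -z "$val" ]; then
            echo "$prop - default"                     # property not set in the script
        else
            echo "$prop $val $(classify_protocol "$val")"
        fi
    done
}

# Constructed sample: a shortened start-script line, not a real dsserver file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# -Dlb.https.protocol="SSLv3"   (commented out, must be ignored)
/opt/ibm/edge/lb/java/jre/bin/java -Dlb.ldaps.protocol="TLSv1" -Djava.net.preferIPv4Stack=true -cp $LB_CLASSPATH com.ibm.internet.nd.server.SRV_KNDConfigServer &
EOF
audit_script "$sample"
rm -f "$sample"
```

Run against the real start script, a `weak` or `alias` verdict marks an advisor whose protocol level should be revisited once the back-end server supports TLSv1.2.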
Temporary fix
Comments
APAR Information
APAR number
PI42048
Reported component name
WEBS LOAD BALAN
Reported component ID
5724H8811
Reported release
700
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-05-29
Closed date
2015-06-02
Last modified date
2015-06-02
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
WEBS LOAD BALAN
Fixed component ID
5724H8811
Applicable component levels
R700 PSY
UP
R800 PSY
UP
R850 PSY
UP
Document Information
Modified date:
27 April 2022