IBM Support

PI42048: ADD A CUSTOM PROPERTY TO LDAPS ADVISORY TO DENOTE PROTOCOL LEVEL


APAR status

  • Closed as program error.

Error description

  • The LDAP server should respond with a server hello specifying
    the highest SSL protocol it can use to communicate (TLSv1) but
    instead responds with an alert.  We should provide a way to
    specify a particular SSL protocol to use for Client Hello.
    Custom property required
    

Local fix

  • n/a
    

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  IBM WebSphere Edge Load Balancer users      *
    ****************************************************************
    * PROBLEM DESCRIPTION: When using the ldaps or https           *
    *                      advisor, the user may want to control   *
    *                      the SSL protocol level                  *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    The https and ldaps advisors will attempt communication using
    TLSv1.2. If a server cannot communicate using this protocol
    level, it should respond in the Server Hello with the
    highest protocol level it can use, and the SSL session will
    be established using the lowest common protocol.
    

Problem conclusion

  • There may be occasions when the server does not recognize the
    higher level protocols and requires a lower level protocol to
    be used. LB has added custom properties which can be specified
    to force a particular SSL protocol level.
    
    The custom properties are :
    lb.https.protocol
    lb.ldaps.protocol
    
    Valid values are currently:
    SSL
    SSLv3
    TLS
    TLSv1
    TLSv1.1
    TLSv1.2
    SSL_TLS
    SSL_TLSv2
    The meanings of these protocol values are defined in the
    IBMJSSE2 provider and may be expanded in the future.
    http://www-01.ibm.com/support/knowledgecenter/SSYKE2_7.0.0/com.ibm.java.security.component.71.doc/security-component/jsse2Docs/protocols.html?lang=en
    
    To enable the custom property, set the appropriate property in
    the dsserver, cbrserver or ssserver script prior to starting
    the server.
    
    This example forces the ldaps advisor to use TLSv1
    instead of TLSv1.2 (based on LB for ipv4 on AIX) :
     /opt/ibm/edge/lb/java/jre/bin/java \
       -Dlb.ldaps.protocol="TLSv1" \
       -Djava.net.preferIPv4Stack=true -Djava.net.preferIPv6Stack=false \
       -cp $LB_CLASSPATH $LB_INSTALL_PATH $LB_CLIENT_KEYS $LB_SERVER_KEYS \
       -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol \
       com.ibm.internet.nd.server.SRV_KNDConfigServer $LB_RMIPORT \
       $LB_LOGDIR $LB_SAVEDIR $LB_BINDIR $LB_CONFIGFILE \
       $LB_RMISERVERPORT &
    
    Fix levels:
      Load Balancer for ipv4
          7.0.0.36
          8.0.0.11
          8.5.5.7
      Load Balancer for ipv4 and ipv6
          7.0.0.40
          8.0.0.11
          8.5.5.7
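
A defender-side check for the override described above, as an added example that is not IBM's code: it reads a start script and reports whether lb.https.protocol or lb.ldaps.protocol pins an advisor away from the default TLSv1.2. The function names, status labels and sample script are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not IBM code: audit a Load Balancer start script (dsserver,
# cbrserver, ssserver) for the protocol overrides this APAR introduces.

# Values the APAR lists as valid for lb.https.protocol / lb.ldaps.protocol.
LB_VALID="SSL SSLv3 TLS TLSv1 TLSv1.1 TLSv1.2 SSL_TLS SSL_TLSv2"

# lb_protocol_value FILE PROPERTY
# Print the last -D<PROPERTY>=<value> on a non-comment line, quotes removed.
# Prints nothing when the property is not set.
lb_protocol_value() {
    prop=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -e '/^[[:space:]]*#/d' "$1" |
        sed -n "s/.*-D${prop}=\([^[:space:]]*\).*/\1/p" |
        tail -n 1 | tr -d "\"'"
}

# lb_protocol_status FILE PROPERTY
# default         no override; the advisor attempts TLSv1.2 (per the APAR)
# ok:<value>      override pins TLSv1.2
# review:<value>  valid override that departs from TLSv1.2; confirm the
#                 back-end really needs it (SSLv3, TLSv1, TLSv1.1 are deprecated)
# invalid:<value> not one of the values the APAR lists
lb_protocol_status() {
    value=$(lb_protocol_value "$1" "$2")
    [ -n "$value" ] || { echo "default"; return 0; }
    for v in $LB_VALID; do
        [ "$v" = "$value" ] || continue
        if [ "$value" = "TLSv1.2" ]; then echo "ok:$value"; else echo "review:$value"; fi
        return 0
    done
    echo "invalid:$value"
}

# Constructed sample modelled on the APAR's AIX example (shortened).
lb_demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# -Dlb.https.protocol="SSLv3"   (commented out, must be ignored)
/opt/ibm/edge/lb/java/jre/bin/java -Dlb.ldaps.protocol="TLSv1" -cp $LB_CLASSPATH
EOF
    for p in lb.https.protocol lb.ldaps.protocol; do
        echo "$p: $(lb_protocol_status "$f" "$p")"
    done
    rm -f "$f"
}
lb_demo
```

The alias values (SSL, TLS, SSL_TLS, SSL_TLSv2) are reported as `review` because what they enable is defined by the IBMJSSE2 provider rather than by the value name.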
    

Temporary fix

Comments

APAR Information

  • APAR number

    PI42048

  • Reported component name

    WEBS LOAD BALAN

  • Reported component ID

    5724H8811

  • Reported release

    700

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-05-29

  • Closed date

    2015-06-02

  • Last modified date

    2015-06-02

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBS LOAD BALAN

  • Fixed component ID

    5724H8811

Applicable component levels

  • R700 PSY

       UP

  • R800 PSY

       UP

  • R850 PSY

       UP

Document Information

Modified date:
27 April 2022