IBM Support

PK77482: JAX-WS HTTPS WEB SERVICE CALL FAILS WHEN CONNECTING THROUGH A FORWARD PROXY

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • The problem scenario is the following:
    
    web service client                 web service provider
    ------------------                 --------------------
    WAS JAX-WS                         target external
    web service   -->    forward  -->  web service
    client               proxy         endpoint
    
    
    When a JAX-WS web service client running in WebSphere
    Application Server v6.1 + Feature Pack for Web Services attempts
    to call a remote web service over HTTPS, the following exception
    is logged to SystemErr.log when the call is directed through an
    HTTP server configured as a forward proxy:
    
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R
    javax.net.ssl.SSLHandshakeException: Received fatal alert:
    handshake_failure
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.jsse2.n.a(n.java:39)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.jsse2.n.a(n.java:14)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.jsse2.qb.b(qb.java:153)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.jsse2.qb.a(qb.java:394)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.jsse2.qb.unwrap(qb.java:198)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.ws.ssl.channel.impl.SSLUtils.handleHandshake(SSLUtils.ja
    va:795)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyOutbound(SSLC
    onnectionLink.java:789)
    [11/6/08 20:40:29:313 GMT] 0000005a SystemErr     R  at
    com.ibm.ws.ssl.channel.impl.SSLConnectionLink.connect(SSLConnect
    ionLink.java:983)
    
    
    A JSSE trace will show the following entries:
    
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O JSSE_NIO:
    ProtoSSLEngine, read record
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O [Raw read]:
    length = 5
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O 0000: 3c 21
    44 4f 43                                     ..DOC
    
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O JSSE_NIO:
    TP_http1 : 1, SEND TLSv1 ALERT:
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O fatal,
    description = unexpected_message
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O TP_http1 :
    1, WRITE: TLSv1 Alert, length = 2
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O [Raw
    write]: length = 7
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O 0000: 15 03
    01 00 02 02 0a                               .......
    
    [10/30/08 18:51:56:893 GMT] 00000038 SystemOut     O JSSE_NIO:
    unwrap() exception2:javax.net.ssl.SSLException: Unrecognized SSL
    message, plaintext connection?2008-10-30 18:51:56,910
    
    
    The error occurs because the JAX-WS web service client is
    attempting to perform an SSL handshake with the HTTP server
    forward proxy, instead of the actual target web service.
    
    When an HTTP server is configured as a forward proxy, HTTPS
    requests should be routed directly through the proxy and out to
    the actual target endpoint.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of WebSphere Application Server   *
    *                  Feature Pack for Web Services using a       *
    *                  forward proxy with HTTPS.                   *
    ****************************************************************
    * PROBLEM DESCRIPTION: If a JAX-WS web service client uses a   *
    *                      forward proxy with HTTPS, a             *
    *                      SSLHandshakeException occurs.           *
    ****************************************************************
    * RECOMMENDATION:  Install a Fix Pack which includes this APAR.*
    ****************************************************************
    When a JAX-WS web service client attempts to call a remote web
    service over HTTPS a SSLHandshakeException occurs when the
    call is directed through an HTTP server configured as a
    forward proxy.
    

Problem conclusion

  • Tunneling was not being used in the web services transport
    layer for proxies.
    
    A JVM property has to be set to true to enable this new
    behavior.  The JVM property is:
    com.ibm.ws.websvcs.transport.enableProxyTunnel
    
    This property is false by default.
    
    The fix for this APAR is currently targeted for inclusion in
    fixpack 6.1.0.25.  Please refer to the Recommended Updates
    page for delivery information:
    http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
    

Temporary fix

Comments

APAR Information

  • APAR number

    PK77482

  • Reported component name

    WEBSERVIC FEATU

  • Reported component ID

    5724J0850

  • Reported release

    610

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2008-12-15

  • Closed date

    2009-03-18

  • Last modified date

    2009-03-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WEBSERVIC FEATU

  • Fixed component ID

    5724J0850

Applicable component levels

  • R610 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.1","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
29 December 2021