IBM Support

CDJAI connection exception connecting to Connect:Direct Windows after JDK upgrade

Troubleshooting


Problem

Connection works with this level of JDK:

java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)

Connection fails with this level of JDK:

java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) Client VM (build 20.4-b02, mixed mode, sharing)

The CDJAI code is the same and attaches to the same Connect:Direct server.

Symptom

Can no longer submit processes to the Connect:Direct node with the CDJAI client after upgrading the client JDK.

Cause

From Oracle JDK support:
Countermeasure to an SSL/TLS vulnerability (known as the BEAST attack, see http://www.kb.cert.org/vuls/id/864643 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389), which was included in the JVM 6u29 or newer. The countermeasure splits packets and is consistent with the behavior you are seeing.
For testing purposes you can disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");
If your application works with this property disabled, you have a few options for a permanent solution:
- Upgrade both sides to TLS 1.1/1.2
- Make the application tolerant to packet splitting
- Switch to a stream-based cipher, such as RC4
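
The "tolerant to packet splitting" option keeps the countermeasure enabled. The following is an added example, not code from Oracle, IBM or CDJAI: with the countermeasure on, the first application-data write arrives as a 1-byte record followed by the remainder, so a receiver that treats one read() as one message sees a single byte. The class name, the splitStream helper, the fixed message length and the payload are assumptions constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;

public class SplitTolerantRead {

    /** Constructed stand-in for an SSLSocket input stream whose peer applies
     *  record splitting: the first read yields 1 byte, later reads the rest. */
    static InputStream splitStream(byte[] data) {
        return new ByteArrayInputStream(data) {
            private boolean first = true;

            @Override
            public synchronized int read(byte[] b, int off, int len) {
                int n = first ? Math.min(1, len) : len;
                first = false;
                return super.read(b, off, n);
            }
        };
    }

    /** Fragile: assumes a single read() call returns one whole message. */
    static int naiveRead(InputStream in, byte[] buf) throws IOException {
        return in.read(buf, 0, buf.length);
    }

    /** Tolerant: keeps reading until buf is full; throws EOFException if the
     *  stream ends early. Assumes the expected length is known to the caller. */
    static void readExactly(InputStream in, byte[] buf) throws IOException {
        new DataInputStream(in).readFully(buf);
    }

    public static void main(String[] args) throws IOException {
        byte[] msg = "SUBMIT PROCESS".getBytes("US-ASCII"); // constructed payload

        byte[] a = new byte[msg.length];
        int got = naiveRead(splitStream(msg), a);
        System.out.println("single read(): " + got + " of " + msg.length + " bytes");

        byte[] b = new byte[msg.length];
        readExactly(splitStream(msg), b);
        System.out.println("readFully(): " + new String(b, "US-ASCII"));
    }
}
```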

Environment

Windows

Diagnosing The Problem

Java trace on the client shows the buffer having additional information inserted in it.

Resolving The Problem

In the JDK application for CDJAI, disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");

Or use an RC4 cipher and not an AES cipher.

Product: IBM Sterling Connect:Direct for Microsoft Windows
Component: Not Applicable
Platform: Windows
Version: 4.5.1; 4.6; 4.5; 4.4.1; 4.4

Document Information

Modified date:
24 July 2020

UID

swg21598709