IBM Support

CDJAI connection exception connecting to Connect:Direct Windows after JDK upgrade

Technote (troubleshooting)


Problem (Abstract)

Connection works with this level of JDK:
java version "1.6.0_25"
Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
Connection fails with this level of JDK:
java version "1.6.0_29"
Java(TM) SE Runtime Environment (build 1.6.0_29-b11)
Java HotSpot(TM) Client VM (build 20.4-b02, mixed mode, sharing)
The CDJAI code is the same in both cases and connects to the same Connect:Direct server.

Symptom

Can no longer submit processes to the Connect:Direct node with the CDJAI client after upgrading the client JDK.


Cause

From Oracle JDK support.

countermeasure to an SSL/TLS vulnerability (known as the BEAST attack, see http://www.kb.cert.org/vuls/id/864643 and http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389), which was included in the JVM 6u29 or newer. The countermeasure splits packets and is consistent with the behavior you are seeing.
For testing purposes you can disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");
If your application works with this property disabled, you have a few options for a permanent solution:
- upgrade both sides to TLS 1.1/1.2
- make the application tolerant to packet splitting,
- switch to a stream-based cipher, such as RC4


Environment

Windows

Diagnosing the problem

Java trace on the client shows the buffer having additional information inserted in it.

Resolving the problem

In the Java application that uses CDJAI, disable this countermeasure by setting the java.lang.System property jsse.enableCBCProtection to false. You can use the command line java -Djsse.enableCBCProtection=false ...., or set it from the application with java.lang.System.setProperty("jsse.enableCBCProtection", "false");

Or use an RC4 cipher and not an AES cipher.


Document information

More support for: Sterling Connect:Direct for Microsoft Windows

Software version: 4.4, 4.4.1, 4.5, 4.5.1, 4.6

Operating system(s): Windows

Reference #: 1598709

Modified date: 15 June 2012

