Troubleshooting
Problem
The HTTPS advisor communicates by using SSLv3. If SSLv3 is unavailable on the backend machines, the advisor reports a load of -1.
Symptom
Incorrect behavior
Cause
The https advisor establishes a secure connection to the backend servers by using the lowest supported protocol instead of the highest. If the backend server supports only protocols higher than the one the advisor uses, the connection fails.
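To find which backends a protocol-pinned health check would fail against, this added example (not IBM's advisor code) probes the TLS versions a server accepts and lists the servers that reject the pinned one. The function names are assumptions made for illustration; SSLv3 is not probed because current OpenSSL builds usually omit it.

```python
import socket
import ssl

# Versions a current Python/OpenSSL client can still pin. SSLv3 is normally
# compiled out of modern OpenSSL, so it is not probed here.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_versions(host, port, timeout=5.0):
    """Try one handshake per pinned version; return {name: True/False}."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol probe only: the certificate is deliberately not validated.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except (OSError, ValueError):
            # Handshake rejected, port closed, or version refused by the
            # local OpenSSL build or policy (common for TLSv1 and TLSv1.1).
            results[name] = False
    return results


def advisor_would_connect(advisor_protocol, results):
    """True if a health check pinned to advisor_protocol can still connect."""
    return bool(results.get(advisor_protocol, False))


def backends_at_risk(advisor_protocol, inventory):
    """List backends that speak TLS but not the advisor's pinned protocol."""
    return sorted(
        backend for backend, results in inventory.items()
        if any(results.values())
        and not advisor_would_connect(advisor_protocol, results)
    )
```

A `False` for TLSv1 or TLSv1.1 can come from the probing host's own OpenSSL policy rather than from the backend, so confirm such results from a client that still permits those versions.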
Resolving The Problem
APAR PI30574 resolves this issue but the issue can also be resolved with configuration changes.
1) Java™ version 6 (J9 VM 2.6) SR 8 FP2 and Java™ version 6 SR16 FP2 disabled SSLv3 by default and the advisor uses TLSv1 instead of SSLv3.
2) The TLS advisor can be used instead of the https advisor. If the advisorrequest fields are not configured, use the TLS advisor.
3) Custom advisors are attached; they are compiled versions of the corrected https advisor, packaged as custom advisors.
Download LLB_https.zip for Load Balancer for IPv4.
Download ULB_https.zip for Load Balancer for IPv4 and IPv6.
Extract the files into the servers/lib/CustomAdvisors directory. Change the permissions on the class files if necessary. Stop and restart the executor and dsserver. Instead of the https advisor, start the httptls advisor. On the graphical interface, enter httptls for the advisor name. In the port field, replace port 0 with the actual port number.
These custom advisors were not tested on releases before v7.
Document Information
Modified date: 07 February 2020
UID: swg21691795