IBM Support

HTTPS advisor fails when SSLv3 is disabled on backend servers

Technote (troubleshooting)


Problem (Abstract)

The HTTPS advisor attempts to communicate using SSLv3 even when SSLv3 is disabled on the backend machines. When this happens, the advisor reports a load of -1.

Symptom

Incorrect behavior


Cause

The https advisor attempts to set up a secure connection to the backend servers using the lowest supported protocol instead of the highest. If the backend server only supports protocols higher than the one the advisor uses, the connection will not be established.

Resolving the problem

APAR PI30574 has been taken to resolve this issue in the product, but there are a couple of ways to resolve the issue without applying the fixpack.

1) Java version 6 (J9 VM 2.6) SR 8 FP2 or Java version 6 SR16 FP2 have SSLv3 disabled by default and the advisor will use TLSv1 instead of SSLv3.

2) The TLS advisor can be used instead of the https advisor. This is a good solution if you are not using the advisorrequest or advisorrequest fields.

3) Custom advisors are attached which are compiled versions of the corrected https advisor packaged as a custom advisor.

The LLB_https.zip is for the Load Balancer for IPv4. The ULB_https.zip is for the Load Balancer for IPv4 and IPv6. The CBR_https.zip is for the Content Based Routing component under the Load Balancer for IPv4 and IPv6 version 8.5.5 (prior versions of the Content Based Routing component were shipped with the Load Balancer for IPv4, and LLB_https.zip should be used for those versions).

Unzip the file in the servers/lib/CustomAdvisors directory. Change permission on the class files if necessary. Stop and restart the executor and dsserver. Replace starting the https advisor with starting the httptls advisor. If using the GUI, note that the port is changed to port 0 when you enter httptls so you will want to modify the port number before selecting enter.

These custom advisors may work on earlier versions of the Load Balancer but they have not been tested on releases prior to v7; the code is operating system independent so it may be installed on any supported level of the operating system. These custom advisors will be supported until corrected https advisors have been released in a fixpack for versions 7.0, 8.0 and 8.5.5.
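An added illustration, not IBM's code: a simplified model of pre-TLS 1.3 version negotiation that shows why an advisor offering its lowest protocol ends up reporting a load of -1, why the corrected advisor connects, and when option 1 helps. The function names and protocol sets are constructed for this example, and the model assumes the server picks its newest enabled version that is not above the client's offer.

```python
# Simplified model of SSL/TLS version negotiation (pre-TLS 1.3 rules).
# All names and protocol sets here are constructed for illustration.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # oldest to newest


def negotiate(client_offer, server_enabled):
    """Server picks its newest enabled version not above the client's offer.

    Returns the agreed version, or None when the handshake fails.
    """
    ceiling = ORDER.index(client_offer)
    usable = [v for v in ORDER[: ceiling + 1] if v in server_enabled]
    return usable[-1] if usable else None


def advisor_offer(advisor_enabled, corrected):
    """Original advisor offers its lowest enabled version, the corrected one its highest."""
    ranked = sorted(advisor_enabled, key=ORDER.index)
    return ranked[-1] if corrected else ranked[0]


def advisor_probe(advisor_enabled, server_enabled, corrected=False):
    """Agreed version, or None (the case the advisor reports as a load of -1)."""
    return negotiate(advisor_offer(advisor_enabled, corrected), server_enabled)


# Constructed scenarios.
JRE_WITH_SSL3 = {"SSLv3", "TLSv1"}      # SSLv3 still enabled in the JRE
JRE_OPTION_1 = {"TLSv1"}                # JRE level from option 1: SSLv3 off by default
BACKEND_NO_SSL3 = {"TLSv1", "TLSv1.1", "TLSv1.2"}
BACKEND_TLS12_ONLY = {"TLSv1.2"}        # stricter backend than the technote describes

if __name__ == "__main__":
    cases = [
        ("original advisor, SSLv3 off on backend", JRE_WITH_SSL3, BACKEND_NO_SSL3, False),
        ("corrected advisor, same backend", JRE_WITH_SSL3, BACKEND_NO_SSL3, True),
        ("option 1 JRE, same backend", JRE_OPTION_1, BACKEND_NO_SSL3, False),
        ("option 1 JRE, TLSv1.2-only backend", JRE_OPTION_1, BACKEND_TLS12_ONLY, False),
    ]
    for label, advisor, backend, corrected in cases:
        agreed = advisor_probe(advisor, backend, corrected)
        print(f"{label}: {agreed if agreed else 'handshake fails, load -1'}")
```

In this model the last case still fails: an advisor that only offers TLSv1 cannot connect to a backend that enables nothing below TLSv1.2.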

Document information

More support for: WebSphere Application Server
Edge Component

Software version: 7.0, 8.0, 8.5.5

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Network Deployment

Reference #: 1691795

Modified date: 29 October 2015