Bootstrap FreeKB - IBM WebSphere - Resolve "The client supported protocol versions are not accepted by server preferences"
IBM WebSphere - Resolve "The client supported protocol versions are not accepted by server preferences"
Updated:   |  IBM WebSphere articles

Let's say something like this is in the HPEL or SystemOut log or being returned by the serverStatus command.

SSLC0008E: Unable to initialize SSL connection.
Unauthorized access was denied or security settings have expired.
Exception is javax.net.ssl.SSLHandshakeException:
The client supported protocol versions [TLS--6.-6, TLSv1.3, TLSv1.2] are not accepted by server preferences [TLS10

 

This may cause you to get "This site can't be reached" or "unable to connect" when attempting to access the WebSphere admin console.

 

This can occur when the com.ibm.ssl.protocol value in the ${WAS_INSTALL_ROOT}/profiles/your_profile/properties/ssl.client.props file being used does not match the Quality of protection (QoP) setting in the WebSphere admin console. For example, let's say the com.ibm.ssl.protocol value in the ${WAS_INSTALL_ROOT}/profiles/your_profile/properties/ssl.client.props file is set to SSL_TLS.

com.ibm.ssl.protocol=SSL_TLS

 

  1. In the WebSphere admin console, expand Security and select SSL certificate and key management.
  2. Select SSL configurations.
  3. Select one of the SSL configurations, such as CellDefaultSSLSettings.
  4. On the right side of the page, select Quality of protection (QoP) settings.

Let's say Protocol is SSL_TLSv2. In this scenario, since the protocols do not match, this can be what causes the serverStatus command to return ADMU0509I.

 

If you are unable to access the deployment manager, the Quality of protection (QoP) settings are defined in the security.xml file, which should be located at ${WAS_INSTALL_ROOT}/profiles/your_profile/config/cells/your_cell/security.xml. There will often be three or more blocks in the security.xml file where the protocol is defined, one for the CellDefaultSSLSettings, one for the NodeDefaultSSLSettings, and one for the XDADefaultSSLSettings, and possibly more. Notice in this example that the SSL_TLS protocol is being used by the CellDefaultSSLSettings.

<repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings" managementScope="ManagementScope_1">
 <setting 
  xmi:id="SecureSocketLayer_1"
  clientAuthentication="false"
  securityLevel="HIGH"
  enabledCiphers=""
  jsseProvider="IBMJSSE2"
  sslProtocol="SSL_TLS"
  keyStore="KeyStore_1"
  trustStore="KeyStore_2"
  trustManager="TrustManager_2"
  keyManager="KeyManager_1"> 
 </setting>
</repertoire>

 

Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee


Comments


Add a Comment


Please enter 81d872 in the box below so that we can be sure you are a human.