Bootstrap FreeKB - IBM WebSphere - Resolve "SSLHandshakeException No appropriate protocol is disabled or cipher suites are inappropriate"
IBM WebSphere - Resolve "SSLHandshakeException No appropriate protocol is disabled or cipher suites are inappropriate"

Updated:   |  IBM WebSphere articles

Let's say your HPEL or SystemOut log contains something like this.

AMQ9771: SSL handshake failed. [1=javax.net.ssl.SSLHandshakeException[No appropriate protocol (protocol is disabled or cipher suites are inappropriate)]

 

  1. In the WebSphere admin console, expand Security and select SSL certificate and key management.
  2. Select SSL configurations.
  3. Select one of the SSL configurations, such as CellDefaultSSLSettings.
  4. On the right side of the page, select Quality of protection (QoP) settings.

By default, client authentication will be set to None and the Protocol will be SSL_TLSv2. This error can occur if the protocol is set to a less secure protocol, such as SSL_TLS.

 

There will be a number of ciphers that can be used. Ciphers can be added or removed from the cell or node. This error may also occur if an old, weak cipher such as SSL_RSA_WITH_AES_128_CBC_SHA is being used. You can try to update the Selected ciphers to include recenty, strong ciphers such as SSL_RSA_WITH_AES_256_CBC_SHA256.

 

These settings should also be defined in the security.xml file (e.g. /opt/WebSphere/AppServer/profiles/your_profile/config/cells/your_cell/security.xml).

<repertoire xmi:id="SSLConfig_1" alias="CellDefaultSSLSettings" managementScope="ManagementScope_1">
  <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" securityLevel="HIGH" enabledCiphers="" jsseProvider="IBMJSSE2" sslProtocol="SSL_TLSv2" keyStore="KeyStore_1" trustStore="KeyStore_2" trustManager="TrustManager_2" keyManager="KeyManager_1">
    <properties xmi:id="Property_1444451469965" name="com.ibm.ssl.changed" value="3"/>
  </setting>
</repertoire>

 

You will probably also want to update com.ibm.ssl.protocol value in the ${WAS_INSTALL_ROOT}/profiles/your_profile/properties/ssl.client.props file to match the protocol.

com.ibm.ssl.protocol=SSL_TLSv2

 

 




Did you find this article helpful?

If so, consider buying me a coffee over at Buy Me A Coffee



Comments


Add a Comment


Please enter d16626 in the box below so that we can be sure you are a human.