Hi Folks
For those interested in this issue, I was finally able to work around it by softening the DH constraint in the java security.
In order to do it you must edit these 2 java properties files:
- <IMC_Installation>\deploy\jdk\conf\security\java.properties
- <IMC_Installation>\common\jre\conf\security\java.properties
Both are the same but exist in 2 different locations.
In these files, find the lines below:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
and change the DH keySize from < 2004 to < 1024, as follows:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \
EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
include jdk.disabled.namedCurves
The root cause of this issue is most likely due to the fact that I have an old Windows OS and the "Windows Update" has not worked for ages (fortunately it is a test system), so the new ciphers have not been updated with the latest security algorithms.
Take care
------------------------------
Ray
------------------------------
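Added example (not part of the original post, and not IMC or JDK code): a Python check that reads a java.security-style file, joins the backslash-continued lines, and reports the smallest DH key size that jdk.tls.disabledAlgorithms still accepts, so a relaxed copy can be found again later. The 2048-bit baseline is the value quoted in the post; the function names are illustrative.

```python
import re

# The setting quoted in the post above, before and after the edit.
BEFORE = r"""jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 2048, \
    EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
    include jdk.disabled.namedCurves
"""
AFTER = BEFORE.replace("DH keySize < 2048", "DH keySize < 1024")
BASELINE_DH_BITS = 2048  # value the file carried before the edit, per the post


def read_property(text, name):
    """Return the value of `name`, joining backslash-continued lines (last definition wins)."""
    value, buf = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if buf is None:
            if not line or line.startswith(("#", "!")):
                continue  # blank line or comment outside a continuation
            buf = ""
        if line.endswith("\\"):
            buf += line[:-1]  # drop the continuation marker, keep reading
            continue
        buf += line
        key, sep, val = buf.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
        buf = None
    return value


def min_dh_bits(text):
    """Smallest DH key size the TLS constraint still accepts, or None if no constraint is set."""
    prop = read_property(text, "jdk.tls.disabledAlgorithms") or ""
    for entry in (e.strip() for e in prop.split(",")):
        m = re.fullmatch(r"DH\s+keySize\s*(<=|<)\s*(\d+)", entry)
        if m:
            return int(m.group(2)) + (1 if m.group(1) == "<=" else 0)
    return None


def audit(text):
    bits = min_dh_bits(text)
    if bits is None:
        return "no DH keySize constraint"
    return "ok" if bits >= BASELINE_DH_BITS else f"weakened: DH >= {bits} bits accepted"
```

Running `audit()` over the contents of both copies of the file named in the post shows whether either one still carries the relaxed value once the database host can negotiate a 2048-bit group.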
Original Message:
Sent: Dec 19, 2023 12:28 PM
From: Bradley Riley
Subject: Access database error when upgrading to IMC E0710
Mine was an error of not having a transition.
I thought that the database was embedded (SQLExpress) and so I upgraded but the server is actually using SQL Server 2008 R2.
I did find some discussions about the java.security causing the same type of error due to limiting the types of certs and connection types. Several types of applications had the java.security file change 2048 bit changed back to 1024 which to me defeats an upgrade.
Comparing the java.security file between E0706 and E0710, very different format and scripts. Probably a completely wild goose chase or rabbit hole, but to me I believe my problem is a java security issue from an older SQL Server not able to handle new handshakes (just a guess).
Original Message:
Sent: Dec 19, 2023 12:16 PM
From: RPapaux
Subject: Access database error when upgrading to IMC E0710
Hi,
Nope, I did not receive any reply or comment.
It seems that nobody (except now you) is impacted with this issue.
BR
Ray
Original Message:
Sent: 12/18/2023 2:47:00 PM
From: bradley.riley
Subject: RE: Access database error when upgrading to IMC E0710
Is there a resolution or a known reason? I am having the same issue but using the default SQL installation.
Original Message:
Sent: Nov 09, 2023 09:04 AM
From: RPapaux
Subject: Access database error when upgrading to IMC E0710
Hello IMC fellows,
I have upgraded my IMC instance from E0708 to E0710. The installation went fine without any errors.
However when I try to deploy the components I'm getting the below DB connection failure:
2023-11-07 16:46:32 [ERROR] [iMC-Database-Connect-Check] [com.h3c.imc.deploy.dma.monitor.DatabaseConnectMonitor::checkDatabase(239)] Access database error
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "DH ServerKeyExchange does not comply to algorithm constraints". ClientConnectionId:441e6835-52fa-4c6c-80a2-f832e274d1c1
at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(SQLServerConnection.java:3206) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1916) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectHelper(SQLServerConnection.java:2760) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.login(SQLServerConnection.java:2418) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connectInternal(SQLServerConnection.java:2265) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.SQLServerConnection.connect(SQLServerConnection.java:1291) ~[deploy.jar:?]
at com.microsoft.sqlserver.jdbc.SQLServerDriver.connect(SQLServerDriver.java:881) ~[deploy.jar:?]
at java.sql.DriverManager.getConnection(DriverManager.java:677) ~[java.sql:?]
at java.sql.DriverManager.getConnection(DriverManager.java:189) ~[java.sql:?]
at com.h3c.imc.deploy.dma.monitor.DatabaseConnectMonitor.checkDatabase(DatabaseConnectMonitor.java:227) ~[deploy.jar:?]
at com.h3c.imc.deploy.dma.monitor.DatabaseConnectMonitor.run(DatabaseConnectMonitor.java:90) ~[deploy.jar:?]
Caused by: javax.net.ssl.SSLHandshakeException: DH ServerKeyExchange does not comply to algorithm constraints
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:347) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:303) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:294) ~[?:?]
at sun.security.ssl.DHServerKeyExchange$DHServerKeyExchangeConsumer.consume(DHServerKeyExchange.java:538) ~[?:?]
at sun.security.ssl.ServerKeyExchange$ServerKeyExchangeConsumer.consume(ServerKeyExchange.java:122) ~[?:?]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:172) ~[?:?]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1507) ~[?:?]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1417) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:456) ~[?:?]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:427) ~[?:?]
at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(IOBuffer.java:1824) ~[deploy.jar:?]
... 9 more
I have also added some log extracts showing errors.
It looks like the java security constraint has been enforced from the previous version.
Has anyone already faced this issue?
Any idea where to look for relaxing these security constraints? On the IMC side or the DB side?
FYI both are hosted on the same server, and I'm running MS-SQL 2016.
Thanks for any inputs.
Ray