Thanks for visiting the site !!! Visit below intrested Ads to support us if you like the site .Sharing is caring .keep distance and keep safe . Happy Learning ... 😀

SSLC0008E Exception is javax.net.ssl.SSLException: Received close_notify during handshake

The error you reported (SSLC0008E) is probably due to a protocol, or cipher problem, or to a bad certificate. When we get this kind of error we need to enable SSL Debug to know more details about the SSL Handshake Error . Some times we may need enable and share the ssl debug logs to the vendor for further investigation . We will see how we enable it in both the server and client side .

SSL trace specification:

*=info:SSL=all

Java Virtual Machine (JVM) Custom Property

javax.net.debug=all

Add javax.net.debug JVM PROPERTY

  1. In the administrative console, set the javax.net.debug system property using one of the following options, depending on where the SSL issue is occurring:
    • For tracing an Application server, select the following:Servers > Server Types > WebSphere Application Servers > server_name Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New
    • For tracing a Deployment Manager, select the following:System Administration > Deployment manager > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New
    • For tracing a Nodeagent, select the following:System Administration > Node agents > (pick a nodeagent) > Expand Java and Process Management (under Server Infrastructure) >Process definition > Java Virtual Machine > Custom properties > New
  2. Enter the following:Name: javax.net.debug
    Value: all
  3. Click Apply, then Save your changes to the master configuration.

Enable SSL Tracing

  1. Expand Troubleshooting > Logs and trace > server_name
  2. Select Diagnostic Trace.
  3. Set the Maximum Number of Historical Files to 20.
  4. Click Apply
  5. Select Change log detail levels.
    • Set the trace specification to:*=info:SSL=all
  6. Click OK, then OK
  7. Select JVM Logs.
    • Under System.out, ensure that the Show application print statements box is checked under Installed Application Output.
  8. Click OK, then Save to the master configuration.

Once above settings are enabled then restart each server that we intend to reproduce the issue and re-produce the issue to gather more details .

Some SSL Cal’s use default java truststore even though Custom SSL is configured . So we may need to look at the the default java trust store in the below location

java.security<WAS_HOME>/java/jre/lib/security/java.security

IBM Vendor may need more config ,logs and other details . in this case we need to run Collector Tool, collector.sh or collector.bat, which is located in the <PROFILE_ROOT>/bin directory.

We can also do from client side to see the error by Modify your calling script or add the following to your Java command line:

-Djavax.net.debug=all
000000c4 SSLHandshakeE E   SSLC0008E: Unable to initialize SSL connection.  Unauthorized access was denied or security settings have expired.  
Exception is javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?  	at com.ibm.jsse2.b.a(b.java:22)  	at com.ibm.jsse2.nc.a(nc.java:350)  	at com.ibm.jsse2.nc.unwrap(nc.java:306)  	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:3)  	at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.readyInbound(SSLConnectionLink.java:536)  	at com.ibm.ws.ssl.channel.impl.SSLConnectionLink.ready(SSLConnectionLink.java:296)

If we get above error we need to verify the personal certificate expiry . For this log in to Websphere administration console.
Once logged in, proceed to “Security -> SSL certificate and key management”.

image 3874

From there, select “Key stores and certificates -> NodeDefaultKeyStore -> Personal certificates”.

image 3869

Once the configured certificates are displayed, you have to check the expiration of the certificate.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *