Thursday, May 28, 2015

[TechNote] Microsoft JDBC Driver 2.0 cannot connect to SQL Server 2008 from a FIPS-enabled IBM WebSphere application

Software Product: WebSphere Application server
Software version: v7.0, v8.0, v8.5


Setting value
Application Server
1. In the Administration Console select Servers
2. Expand Server Type and select WebSphere application servers
3. Click on the name of your server
4. Expand Java and Process Management and select Process Definition.
5. Under the Additional Properties section, click Java Virtual Machine.
6. Scroll down and locate the textbox for Generic JVM arguments.
7. Add the property: name "com.ibm.jsse2.disableSSLv3", value "false"

Change the JDBC driver to sqljdbc4.jar.


Microsoft JDBC Driver 2.0 cannot connect to SQL Server 2008 from a FIPS-enabled IBM WebSphere application

SYMPTOMS

Consider the following scenario. You have an IBM WebSphere application that has Federal Information Processing Standards (FIPS) enabled. When you use Microsoft SQL Server JDBC Driver 2.0 to connect to SQL Server 2008 from the IBM WebSphere application, the connection fails. Additionally, you receive the following error message:
java.sql.SQLException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: SSLv3 protocol cannot be enabled in FIPS mode.DSRA0010E: SQL State = 08S01, Error Code = 0
    at com.microsoft.sqlserver.jdbc.SQLServerConnection.terminate(Unknown Source)
    at com.microsoft.sqlserver.jdbc.TDSChannel.throwSSLConnectionFailed(Unknown Source)
    at com.microsoft.sqlserver.jdbc.TDSChannel.enableSSL(Unknown Source)

CAUSE

This issue occurs because the IBM WebSphere application requires the TLS protocol for SSL connections when the application has FIPS enabled. However, Microsoft SQL Server JDBC Driver 2.0 requests the SSLv3 protocol. Therefore, the connection fails.

Microsoft SQL Server JDBC Driver 2.0 calls the SSLContext.getInstance function. This function takes a string argument. The string argument determines which protocols the returned context should support. According to the Java Secure Socket Extension (JSSE) reference guide, the SSLContext.getInstance function returns an SSLContext instance that supports the specified protocol. However, the returned SSLContext instance may also support other protocols.

In more detail, when Microsoft SQL Server JDBC Driver 2.0 passes "SSLv3" as the string argument, the Sun JSSE provider returns an SSLContext instance that supports both the SSLv3 protocol and the TLS protocol. However, the IBMJSSE2 provider returns an SSLContext instance that only supports the SSLv3 protocol. When a WebSphere application has FIPS enabled, the IBM Java Runtime Environment (JRE) requires the TLS protocol for SSL connections. Therefore, the connection fails.


Could not establish a secure connection to SQL Server by using SSL

Problem (Abstract)

After updating the WebSphere fix pack, you get the following error:

[ERROR] [] [] BMXAA6421E - The system could not connect to the
JDBC source: jdbc:sqlserver://;serverName=localhostexample;
databaseName=MaxDB;portNumber=1433;integratedSecurity=false;The
driver could not establish a secure connection to SQL Server by using
Secure Sockets Layer (SSL) encryption. Error: "Only SSLv3 was enabled
while com.ibm.jsse2.disableSSLv3 is set to true".

Resolving the problem

Install the WebSphere hotfix that disables SSLv3, as described at http://www-01.ibm.com/support/docview.wss?uid=swg21687173

Download the SQL Server JDBC driver hotfix from http://support.microsoft.com/kb/982512

Copy sqljdbc4.jar to the Maximo admin workstation (folder: .\maximo\applications\maximo\lib)

Modify the XML file used to build the EAR (\maximo\deployment\buildmaximoear.xml) so that it uses the correct driver for JRE 1.6 (change sqljdbc.jar to sqljdbc4.jar)

Rebuild the Maximo EAR, deploy it, and restart the Maximo application server

Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server (CVE-2014-3566)

 

Security Bulletin


Summary

SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in IBM WebSphere Application Server. These fixes will disable SSLv3 completely.

Vulnerability Details

CVE ID: CVE-2014-3566
DESCRIPTION: 
IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by a design error when using the SSLv3 protocol. A remote user with the ability to conduct a man-in-the-middle attack could exploit this vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack to decrypt SSL sessions and access the plaintext of encrypted connections.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97013 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions and releases of IBM WebSphere Application Server, IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile and IBM WebSphere Application Server Hypervisor Edition.

Remediation/Fixes

Please refer to the Security Bulletin for IBM HTTP Server to remediate your webserver.
Please note that these fixes will remove SSLv3 completely.
If you have SSL hard coded in your application code, such as SSLContext.getInstance("SSL"), then you should install the interim fixes listed below, since the current implementation defaults that context to SSLv3. The interim fix is an enhancement in the IBM JDK.
The following table lists some common standard protocol label names for Java 5 and above:

Protocol   | Prior to this fix                                       | After this fix
-----------|---------------------------------------------------------|---------------------------------------------------------------
SSL        | SSL v3.0                                                | see chart below
SSLv3      | SSL v3.0                                                | Connection will fail
TLS        | TLS v1.0 (defined in RFC 2246)                          | TLS v1.0 (defined in RFC 2246)
TLSv1      | TLS v1.0 (defined in RFC 2246)                          | TLS v1.0 (defined in RFC 2246)
TLSv1.1    | TLS v1.1 (defined in RFC 4346)                          | TLS v1.1 (defined in RFC 4346) (not available for version 6.1)
TLSv1.2    | TLS v1.2 (defined in RFC 5246)                          | TLS v1.2 (defined in RFC 5246) (not available for version 6.1)
SSL_TLS    | Enables all SSL V3.0 and TLS 1.0 protocols              | TLS 1.0
SSL_TLSv2  | Enables all SSL V3.0 and TLS 1.0, 1.1 and 1.2 protocols | TLS 1.0, 1.1 and 1.2 protocols (not available for version 6.1; for version 7.0 only available with fix pack 7.0.0.23 or later)
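As an added check for the Cause section above and for this table (example code written for this page, not from IBM or Microsoft; the class and method names are the example's own), the following Java program asks the JSSE provider installed in the JVM which protocols each label actually enables. Run it under the WebSphere JDK after applying the interim fix: the "SSL" and "SSLv3" aliases should no longer list SSLv3, and in FIPS mode the "SSLv3" label fails at context init, which is the condition the driver's error message above reports.

```java
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example for this page (not IBM's or Microsoft's code): resolve each
// protocol label from the table above against the JSSE provider actually
// installed in the JVM and report whether SSLv3 would still be offered.
public class ProtocolLabelCheck {

    // Labels from the table. SSL_TLS and SSL_TLSv2 are IBMJSSE2-specific and
    // raise NoSuchAlgorithmException on the Oracle/OpenJDK SunJSSE provider.
    static final List<String> LABELS = Arrays.asList(
            "SSL", "SSLv3", "TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "SSL_TLS", "SSL_TLSv2");

    // Protocols a context built from this label enables by default; this is
    // what a driver calling SSLContext.getInstance(label) would negotiate.
    static List<String> enabledProtocols(String label) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance(label);
        ctx.init(null, null, null);   // provider default key and trust managers
        return Arrays.asList(ctx.createSSLEngine().getEnabledProtocols());
    }

    // True when a context created from this label would still offer SSLv3,
    // i.e. the POODLE exposure the interim fix is meant to remove.
    static boolean offersSslv3(String label) {
        try {
            return enabledProtocols(label).contains("SSLv3");
        } catch (GeneralSecurityException e) {
            return false;   // unknown label or failed init: nothing negotiated
        }
    }

    public static void main(String[] args) {
        System.out.println("com.ibm.jsse2.disableSSLv3 = "
                + System.getProperty("com.ibm.jsse2.disableSSLv3", "(not set)"));
        for (String label : LABELS) {
            try {
                String flag = offersSslv3(label) ? "   <-- SSLv3 still offered" : "";
                System.out.printf("%-10s -> %s%s%n", label, enabledProtocols(label), flag);
            } catch (GeneralSecurityException e) {
                // NoSuchAlgorithmException for labels this provider does not know
                System.out.printf("%-10s -> unavailable (%s)%n", label, e.getMessage());
            }
        }
    }
}
```

Any row flagged "SSLv3 still offered" means a driver or application that hard codes that label is still exposed; the remedy is the interim fix or a driver that requests a TLS label, not setting com.ibm.jsse2.disableSSLv3=false.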
The IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server will be updated per the chart below, so that the SSL protocol alias label "SSL" will mean the TLS levels marked.

Java Version   | TLS 1.0 | TLS 1.1 | TLS 1.2
---------------|---------|---------|--------
Java 7 Server  |    x    |    x    |    x
Java 7 Client  |    x    |         |
Java 6         |    x    |         |
Java 5         |    x    |         |
The interim fixes will disable SSLv3 by default. If you need to change that value, there is a new Java system property to enable SSLv3 alongside the protocols listed above. Set the system property either statically or dynamically, as described in the product documentation for the IBM SDK Java Technology Edition you are using or in the "Setting generic JVM arguments" technote. Warning: Re-enabling SSLv3 will make you vulnerable to the POODLE attack.

-Dcom.ibm.jsse2.disableSSLv3=false   

For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition : 

If using Installation Manager 1.7.3.1 or older, please refer to the reference section and upgrade to Installation Manager 1.8 or newer. 

Download and apply the interim fix APARs below, for your appropriate release: 

For V8.5.0.0 through 8.5.5.3 Full Profile and Liberty Profile IM install:
  • Apply Interim Fix PI28435: Will upgrade you to IBM Java SDK Version 7R1 Service Refresh 1 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default
  • Apply Interim Fix PI28436: Will upgrade you to IBM Java SDK Version 7 Service Refresh 7 Fix Pack 1 (optional) + APAR IV66110 for change to disable SSLv3 by default
  • Apply Interim Fix PI28437: Will upgrade you to IBM Java SDK Version 6R1 Service Refresh 8 Fix Pack 1 (required) + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with the WebSphere Application Server Fix pack 8.5.5.4 or later.

For 8.0.0.0 through 8.0.0.9:

  • Apply Interim Fix PI28438: Will upgrade you to IBM Java SDK Version 6R1 Service Refresh 8 Fix Pack 1 + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 10 (8.0.0.10) or later.

For V7.0.0.0 through 7.0.0.35:

  • Apply Interim Fix PI28439: Will upgrade you to IBM Java SDK Version 6 Service Refresh 16 Fix Pack 1 + APAR IV66110 for change to disable SSLv3 by default
--OR--
  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 37 (7.0.0.37) or later.

For V6.1.0.0 through 6.1.0.47:

  • Apply Interim Fix PI28796: Will upgrade you to IBM Java SDK Version 5.0 Service Refresh 16 Fix Pack 7 + APAR IV66111 for change to disable SSLv3 by default.

For IBM WebSphere Application Server Liberty Profile not using IM install:

Please refer to the vendor that supplies your SDK. For users of the IBM SDK, Java Technology Edition, please refer to this security bulletin: IBM SDK, Java Technology Edition fixes to mitigate against the POODLE security vulnerability

For IBM WebSphere Application Server for i5/OS operating systems: 

The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i. Please refer to Java on IBM i for updates on when these fixes will be available.

Workarounds and Mitigations

None. Please apply the interim fix or fix packs.

IBM recommends that you review your entire environment to identify other areas that enable SSLv3 protocol and take appropriate mitigation (such as disabling SSLv3) and remediation actions.

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

Change History

15 October 2014: original document published
20 October 2014: fix quote in wrong location for wsadmin command
22 October 2014: clarified SSL_TLS versus TLS
31 October 2014: added ifixes for remediation 
6 November 2014: added link to version 6.1 ifix
20 November 2014: bolded note about when to restart the server
2 December 2014: added link in reference section
2 February 2015: updated APAR number typo
5 March 2015: updated Mitigation section 
30 March 2015: added link to Setting JVM properties
30 March 2015: added links for Liberty profile
6 May 2015: updated protocol table, added Warnings
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
