CA SystemEDGE SRM AIM not Monitoring HTTPS sites with TLS Authentication.

Document ID : KB000031294
Last Modified Date : 07/08/2018
Introduction:

Monitoring of HTTPS sites is available in all versions of SystemEDGE SRM.

With a number of SSL vulnerabilities such as POODLE and Heartbleed, people are moving away from SSLvX authentication (such as SSLv3) to the more secure TLS authentication.

In the out-of-the-box versions of SystemEDGE SRM, monitoring of these HTTPS sites will fail because SRM currently uses only TLSv1/SSLv3 as its highest authentication version. This depends on the JRE that is used to run the SRM AIM:

JRE 6 will allow TLSv1 and SSLv3

JRE 7/8 will allow TLSv1.2, TLSv1.1, TLSv1, SSLv3.

It is important to note that as the JRE version changes, the JRE in use may remove certain legacy ciphers/protocols. If it does, a site that depends on them will no longer be supported.
 

The following errors may be logged in the jcollector.log when encountering TLSv1.2 sites on an unpatched SRM AIM.

ERROR: jcollector.SATestException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

OR

[LOG_FATAL][2018-06-12 12:58:57][Thread:Thread-857][Pass #5]: IOException thrown by the html page download: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0 
[LOG_CRITICAL][2018-06-12 12:58:57][Thread:Thread-857][Pass #5]: [#12039] ERRSRC:https ERRCODE:58 INDEX:12039 NAME: TESTDESC:[test description] ERROR: jcollector.SATestException: javax.ne.ssl.SSLException: Unsupported record version Unknown-0.0
Instructions:
SRM AIM TLSv1.2 support requires SysEDGE/SRM 5.9.0 + additional binaries/fixes. Earlier versions of SysEDGE/SRM will not support TLSv1.2.
  1. Install or upgrade the CA_SystemEDGE_Core, CA_SystemEDGE_AdvancedEncryption & CA_SystemEDGE_SRM packages (in that order) so they are at the 5.9.0 level.

    Install materials can be downloaded from the Download Center.
  2. Stop the SystemEDGE agent after the install/upgrade of all packages has been completed.
  3. Back up the jcollector.jar and replace it with the new jar file.
    Default Locations:
    Windows: C:\Program Files\CA\SystemEDGE\plugins\svcrsp
    UNIX/Linux: /opt/CA/SystemEDGE/plugins/svcrsp
  4. If the HTTPS sites require stronger encryption, extract the UnlimitedJCEPolicyJDK7.zip accordingly.

    Back up the local_policy.jar & US_export_policy.jar files and replace them with Oracle's updated JCE files.
    Default Locations:
    Windows: C:\Program Files\CA\SystemEDGE\jre\lib\security
    UNIX/Linux: /opt/CA/SystemEDGE/jre/lib/security

    See Oracle’s documentation for details.
    This step can be skipped if the JRE will be upgraded to JRE8 (see additional info / KB000074973 for details).
  5. Restart the SystemEDGE agent and validate the problem tests.
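For step 5, one way to validate the problem tests is to scan jcollector.log for the two TLS errors quoted above and compare entries logged before and after the agent restart. This is an added example, not CA's code; the function names are hypothetical, and the sample lines, test indexes and restart time are constructed.

```python
import re
from datetime import datetime

# Error signatures quoted in this article (matched on the message text only).
SIGNATURES = {
    "handshake_failure": "Received fatal alert: handshake_failure",
    "unsupported_record_version": "Unsupported record version",
}
# Line layout seen in the article: [LEVEL][timestamp][Thread:name][Pass #n]: message
PREFIX = re.compile(r"^\[LOG_\w+\]\[(?P<ts>[^\]]+)\]\[Thread:[^\]]+\]\[Pass #\d+\]:\s*(?P<msg>.*)$")
TEST = re.compile(r"ERRSRC:(?P<src>\S+)\s+ERRCODE:\d+\s+INDEX:(?P<index>\d+)")

# Constructed sample lines modelled on that layout; indexes and times are made up.
SAMPLE_LOG = """\
[LOG_FATAL][2018-06-12 12:58:57][Thread:Thread-857][Pass #5]: IOException thrown by the html page download: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
[LOG_CRITICAL][2018-06-12 12:58:57][Thread:Thread-857][Pass #5]: [#12039] ERRSRC:https ERRCODE:58 INDEX:12039 NAME: TESTDESC:[site A] ERROR: jcollector.SATestException: javax.net.ssl.SSLException: Unsupported record version Unknown-0.0
[LOG_CRITICAL][2018-06-12 12:59:10][Thread:Thread-858][Pass #5]: [#12040] ERRSRC:https ERRCODE:58 INDEX:12040 NAME: TESTDESC:[site B] ERROR: jcollector.SATestException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
[LOG_CRITICAL][2018-06-12 14:05:02][Thread:Thread-12][Pass #1]: [#12040] ERRSRC:https ERRCODE:58 INDEX:12040 NAME: TESTDESC:[site B] ERROR: jcollector.SATestException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

def tls_failures(lines, since=None):
    """Map https test index -> set of TLS failure kinds logged at or after `since`."""
    failures = {}
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue  # continuation line or a different layout
        when = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        if since is not None and when < since:
            continue
        test = TEST.search(m.group("msg"))
        if not test or test.group("src") != "https":
            continue  # the FATAL line names no test; the CRITICAL line does
        for kind, text in SIGNATURES.items():
            if text in m.group("msg"):
                failures.setdefault(int(test.group("index")), set()).add(kind)
    return failures

def validate_after_restart(lines, restarted_at):
    """Return (fixed, still_failing) test indexes relative to the agent restart time."""
    ever = tls_failures(lines)
    after = tls_failures(lines, since=restarted_at)
    return sorted(set(ever) - set(after)), sorted(after)

if __name__ == "__main__":
    restart = datetime(2018, 6, 12, 14, 0, 0)  # constructed restart time
    print(validate_after_restart(SAMPLE_LOG.splitlines(), restart))
```

A test listed as still failing after the restart is a candidate for the JCE policy step or the JRE8 upgrade described in this article.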
Additional Information:
It's possible that in addition to this fix, the JRE may need to be upgraded to JRE8 to support newer cipher suites. See KB000074973 for details on how to upgrade the JRE.
File Attachments:
SE59.SRM.TLS.zip