HTTPS SPM (SRM AIM) TEST Generates Error Code 58

Document ID : KB000074973
Last Modified Date : 03/04/2018
Show Technical Document Details
Issue:
We are getting the error code 58 for all the HTTPS URLS which can be accessed through proxy. The urls are reachable in a browser.
  • You can view the contents of the SystemEDGE\data\port#\plugins\svcrsp\jcollector.log to view the errors the tests are creating:
LOG_CRITICAL][2018-03-28 13:53:14][Thread:Thread-314][Pass #130]: [#602578827] ERRSRC:https ERRCODE:58 INDEX:602578827 NAME: TESTDESC:PORTAL_UIDAI ERROR: jcollector.SATestException: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 
[LOG_FATAL][2018-03-28 13:53:14][Thread:Thread-316][Pass #130]: SSLHandshakeException thrown by the html page download: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure 

 
Resolution:
  1. Update to SystemEDGE 5.9 with the latest SRM AIM Binaries which support TLS 1.2 (Please refer to KB000036979).
  2. SystemEDGE 5.9 ships with Java7 as the embedded version.
  3. Validate Java7 supports the cipher the web page is using:
  • This can be accomplished by connecting to the website using the openssl utility which is commonly found on Unix based operating systems such as Red Hat (RHEL).
  • If you do no have access to a Unix based operating system refer to the following web page to download an openssl utility for Windows: https://www.openssl.org/community/binaries.html
  • Run the following command against the HTTPS site causing the ERRCODE:58 error:

openssl s_client -connect <website.com>:443

         4. Locate the following output which will list the Cipher being used:

SSL handshake has read 3393 bytes and written 415 bytes

---

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: 1DD3FFEC8292344B9C2E81C0DD00E09369AA855AA2DF6A0A254199F0B3A572F5

    Session-ID-ctx: 

    Master-Key: 86F8F905004EE31194278B82854DD098DD33FCB46F050773FC0B7F892EC0E44D98D27E49A2E19DA7D87C22A5549B3E73

    Key-Arg   : None

    Krb5 Principal: None

    PSK identity: None

    PSK identity hint: None

    Start Time: 1522251405

    Timeout   : 300 (sec)

    Verify return code: 0 (ok)

      5. Check with Oracle documentation to see if Java7 (which is embedded with SystemEDGE 5.9 SRM AIM) Supports the cipher:
  • Refer to the "Cipher Suites" Section:
Java7
https://docs.oracle.com/javase/7/docs/technotes/guides/security/SunProviders.html

Java8
https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html

      6. If you determine you need to update to Java8 download the private instance from Oracle:

http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

       7. The steps to update the SystemEDGE SRM AIM Embedded Java is as follows:
  1. Stop CA SystemEDGE.
  2. Navigate to CA\SystemEDGE folder and make a backup copy of the jre folder.
  3. Replace the contents of the jre folder with the contents of the private Java8 instance referenced above.
  4. Start CA SystemEDGE.


 
Additional Information:
Troubleshooting SRM AIM HTTP/HTTPS Connection Problems
https://comm.support.ca.com/kb/troubleshooting-srm-aim-httphttps-connection-problems/kb000036979

CA SystemEDGE SRM AIM not Monitoring HTTPS sites with TLS Authentication
https://comm.support.ca.com/kb/ca-systemedge-srm-aim-not-monitoring-https-sites-with-tls-authentication/kb000031294