ibmvm_rest could not generate DH keypair

Document ID : KB000074719
Last Modified Date : 27/03/2018
Issue:
The ibmvm_rest probe encountered the improved security of the virtual HMC and cannot establish an encrypted connection.
The trouble is that Java 7 can't handle a 2048-bit public key in the Diffie–Hellman key exchange.
Should we use JRE 8 as it supports TLS 1.1 and TLS 1.2?
The idea is to install java_jre 1.8 and put into robot.cfg NIM_JRE_HOME_1_8 = jre/jre8u102 and into controller.cfg I am successfully breaking requirements by running probe on UIM 8.47
Java 1.7 and higher is noted in the requirements....
openssl client test output:
New, TLSv1/SSLv3,
Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256 
Environment:
UIM 8.47
ibmvm_rest 1.07
JRE 1.7
Cause:
JRE 7 does not support TLS 1.1 and TLS 1.2 out of the box; they have to be enabled explicitly.
JRE 7 may also have some limitations on key length: https://www.java.com/en/configure_crypto.html
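
As an added example (not part of the original article or the vendor's tooling), this script reads a saved `openssl s_client` transcript like the one in the Issue section and reports which of the two causes above apply to a JRE 7 client. The function names, the sample transcript and the optional `Server Temp Key` line are assumptions of this example; `Server public key is 2048 bit` describes the certificate key, so the DH group size is only known when openssl prints the temp-key line.

```shell
#!/bin/sh
# Added example: read a saved `openssl s_client` transcript and report what a
# JRE 7 client needs in order to complete the same handshake.

# Constructed sample: the handshake lines quoted in the article.
sample_output() {
cat <<'EOF'
New, TLSv1/SSLv3,
Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
EOF
}

# Print the value of the first "Name : value" line on stdin whose name is $1.
handshake_field() {
  awk -F: -v key="$1" '
    { k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k) }
    k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# Print one finding per line; return 2 if the transcript has no session data.
assess_for_jre7() {
  transcript=$(cat)
  proto=$(printf '%s\n' "$transcript" | handshake_field Protocol)
  cipher=$(printf '%s\n' "$transcript" | handshake_field Cipher)
  # Newer openssl builds report the DH group as "Server Temp Key: DH, N bits".
  dhbits=$(printf '%s\n' "$transcript" | sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p')
  if [ -z "$proto" ] || [ -z "$cipher" ]; then
    echo "UNKNOWN: no Protocol/Cipher lines found"; return 2
  fi
  case "$proto" in
    TLSv1.1|TLSv1.2) echo "ACTION: $proto requires -Dhttps.protocols=TLSv1.1,TLSv1.2 on JRE 7" ;;
    TLSv1) echo "OK: TLSv1 is enabled by default on JRE 7" ;;
    *) echo "CHECK: $proto is outside the scope of this article" ;;
  esac
  case "$cipher" in
    DHE-*|EDH-*) echo "ACTION: $cipher uses DH key exchange, check JRE key-length limits (DH group bits: ${dhbits:-not reported})" ;;
    *) echo "OK: $cipher does not use finite-field DH key exchange" ;;
  esac
}

# Assess a saved transcript given as $1, or the constructed sample otherwise.
if [ "$#" -gt 0 ]; then assess_for_jre7 < "$1"; else sample_output | assess_for_jre7; fi
```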

 
Resolution:
Add this to the <startup> section in the Raw Configure for the probe:
-Dhttps.protocols=TLSv1.1,TLSv1.2 
For example:
<startup> 
options = -Xms32m -Xmx1024m -Duser.language=en -Duser.country=US -Dhttps.protocols=TLSv1.1,TLSv1.2 
</startup> 

If that does not help, consider upgrading UIM to the latest release and upgrading the robot.
As a workaround, you may try JRE 8. Please use caution, as this may not be supported for other probes or in every situation.
Steps: 
  1. Install java_jre 1.8 package on the probe's robot to /opt/nimsoft/jre/jre8
  2. Edit the Raw Configure for the controller on the robot. Go to <controller><environment>. Look for NIM_JRE_HOME_1_8. If it does not exist, create it. Set the value to "jre/jre8".
  3. Edit controller.cfg, locate <ibmvm_rest> and change command = <startup java> to command = <startup java 1.8> 
  4. Restart the probe
 
Additional Information:
Tech TIP: ibmvm_rest - (virtual) HMC with enhanced security: Could not generate DH keypair