When connecting to WebView over HTTPS, IE11 shows "This page can't be displayed" and cannot connect.

Document ID : KB000008843
Last Modified Date : 14/02/2018
Issue:

The WebView client machine was running Windows 10.
IE11 on Windows 10 cannot connect over HTTPS to WebView on a CA APM 10.0 Enterprise Manager (EM).

example: https://host_name:8443/


Environment:
APM 10.0.0.12
Windows 10 (KB3163018) + Internet Explorer 11, or Edge.
The same Windows update as KB3163018 is also provided for operating systems other than Windows 10, and the same problem occurs in the following environments:
Windows 8.1, Windows Server 2012 R2 (KB3161606) + Internet Explorer 11
Windows 7 SP1, Windows Server 2008 R2 SP1 (KB3161608) + Internet Explorer 11
Cause:

This is a browser-side countermeasure against recent attacks on TLS (for example "Logjam") that target the Diffie-Hellman key exchange when the server uses a group whose prime p is smaller than 1024 bits.

The browser updates listed above refuse to complete a TLS handshake with a server that offers a Diffie-Hellman prime below 1024 bits, so users are locked out of such servers. WebView's Jetty listener negotiates ephemeral Diffie-Hellman (DHE) cipher suites, and the parameters it sends come from the Java runtime: older JVMs default to 768-bit ephemeral DH parameters, which no longer meet the browser's minimum. The APM application code itself is not at fault; the failure is the combination of the stricter handshake check in the browser and the JVM's default DH parameter size.
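To make the browser-side check concrete, here is an added example (it is not part of this article and not CA APM code): a small Python parser for the ServerDHParams structure that a TLS 1.2 server sends in its ServerKeyExchange message when a DHE cipher suite is negotiated. It computes the effective bit length of the prime p and applies the 1024-bit minimum, including the case where the server left-pads p with a zero byte so that the encoded byte count overstates the real size. The sample parameters are constructed placeholders chosen only for their length (they are not real primes), and the function names are this example's own.

```python
import struct

# Minimum size of the Diffie-Hellman prime p that the updated browsers accept.
MIN_DH_BITS = 1024


def encode_server_dh_params(p: int, g: int, ys: int, pad_to: int = 0) -> bytes:
    """Serialize ServerDHParams (RFC 5246, section 7.4.3): three opaque
    vectors dh_p, dh_g, dh_Ys, each prefixed with a 2-byte length.
    pad_to left-pads p with zero bytes, as some servers do, so the example
    can show that the check must use the numeric bit length of p rather
    than the encoded byte count. Used here only to build sample input."""
    out = bytearray()
    for value, pad in ((p, pad_to), (g, 0), (ys, 0)):
        raw = value.to_bytes(max((value.bit_length() + 7) // 8, pad, 1), "big")
        out += struct.pack("!H", len(raw)) + raw
    return bytes(out)


def parse_server_dh_params(data: bytes) -> dict:
    """Parse p, g and Ys from the start of a ServerKeyExchange body and
    report the effective bit length of p (leading zero bytes ignored)."""
    fields = {}
    offset = 0
    for name in ("p", "g", "Ys"):
        if offset + 2 > len(data):
            raise ValueError(f"truncated before length of {name}")
        (length,) = struct.unpack_from("!H", data, offset)
        offset += 2
        if length == 0 or offset + length > len(data):
            raise ValueError(f"bad length {length} for {name}")
        fields[name] = int.from_bytes(data[offset:offset + length], "big")
        offset += length
    fields["p_bits"] = fields["p"].bit_length()
    return fields


def client_accepts_dh(data: bytes, min_bits: int = MIN_DH_BITS) -> bool:
    """Mirror the browser decision: abort the handshake if p is too small."""
    return parse_server_dh_params(data)["p_bits"] >= min_bits


# Constructed placeholders: only the size of p matters for this check.
# These are not real safe primes and must never be used as DH groups.
SAMPLES = {
    # What an older JVM sends with its 768-bit default.
    "jvm_default_768": encode_server_dh_params((1 << 767) | 1, 2, 0x1234),
    # 1016-bit p encoded in 128 bytes: a byte-count check would wrongly pass it.
    "padded_1016_bits": encode_server_dh_params((1 << 1015) | 1, 2, 0x1234, pad_to=128),
    # Meets the minimum the browsers now enforce.
    "1024_bits": encode_server_dh_params((1 << 1023) | 1, 2, 0x1234),
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        bits = parse_server_dh_params(body)["p_bits"]
        verdict = "accepted" if client_accepts_dh(body) else "rejected (weak DH)"
        print(f"{label}: p is {bits} bits -> {verdict}")
```

Against a live WebView listener the same information is printed by OpenSSL 1.0.2 or later in the "Server Temp Key" line of `openssl s_client -connect host_name:8443 -cipher DHE`, which lets you confirm the parameter size before and after applying the fix.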

 

Resolution:

For CA APM 10.0, do one of the following:

1. Set the JVM property "-Djdk.tls.ephemeralDHKeySize=1024" so that the Java runtime generates ephemeral Diffie-Hellman parameters of at least 1024 bits (the property also accepts 2048, which is the stronger choice). This requires Java 7u85 or later.
    Add the setting to the lax.nl.java.option.additional line in Introscope_WebView.lax.
   If WebView runs as a Windows service, add the following to <EM HOME>/bin/WVService.conf instead.
   In the example below, .4 is the next unused index in the wrapper.java.additional parameters.
   Your setup may vary, so use the number after the highest wrapper.java.additional.N already present in your WVService.conf.

   wrapper.java.additional.4=-Djdk.tls.ephemeralDHKeySize=1024

 Note: CA APM 10.1 will ship with a newer Java 8 runtime that is not affected by this issue.


 2. Configure Jetty to use only the cipher suites below. They use RSA key exchange, so the server never sends Diffie-Hellman parameters and the browser check is not triggered:
     In the config/webview-jetty-config.xml file, replace the cipher suite configuration with:

    <Set name="cipherSuites">
       <Array type="java.lang.String">
           <Item>TLS_RSA_WITH_AES_128_CBC_SHA</Item>
           <Item>TLS_RSA_WITH_AES_128_CBC_SHA256</Item>
           <Item>TLS_EMPTY_RENEGOTIATION_INFO_SCSV</Item>
       </Array>
   </Set>

 Note: Don't forget to uncomment those lines by removing the leading <!-- and trailing -->.
 Caveat: RSA key exchange provides no forward secrecy. Option 1 keeps ephemeral Diffie-Hellman and is preferable wherever the Java version allows it; use option 2 only when the JVM cannot be updated.
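The WVService.conf edit in option 1 depends on picking an index that is not already in use. As an added example (not from this article and not a CA tool), the Python helper below performs that edit itself: it scans the active wrapper.java.additional.N lines, ignores commented-out ones, appends the property with the next free index, and leaves the file unchanged if the property is already present. The sample conf text and its existing options are constructed for the example; the function names are this example's own.

```python
import re

# JVM option from option 1 above; the property also accepts 2048.
DH_OPTION = "-Djdk.tls.ephemeralDHKeySize=1024"

# Active (uncommented) Java Service Wrapper lines: wrapper.java.additional.N=value
_ADDITIONAL = re.compile(r"^\s*wrapper\.java\.additional\.(\d+)\s*=\s*(.*?)\s*$")


def add_java_option(conf_text: str, option: str = DH_OPTION) -> str:
    """Return conf_text with `option` appended as wrapper.java.additional.N,
    where N is one more than the highest index already in use.

    If the option is already present the text is returned unchanged, so the
    helper is idempotent and never creates a duplicate or colliding index.
    The file's own line ending style (CRLF on Windows) is preserved."""
    highest = 0
    for line in conf_text.splitlines():
        m = _ADDITIONAL.match(line)
        if not m:
            continue  # comments, blank lines and other wrapper.* keys
        if m.group(2) == option:
            return conf_text
        highest = max(highest, int(m.group(1)))
    newline = "\r\n" if "\r\n" in conf_text else "\n"
    if conf_text and not conf_text.endswith(newline):
        conf_text += newline
    return conf_text + f"wrapper.java.additional.{highest + 1}={option}{newline}"


def patch_conf_file(path: str, option: str = DH_OPTION) -> bool:
    """Apply add_java_option to a conf file in place; True if it was changed.
    newline="" keeps CRLF intact when reading and writing."""
    with open(path, encoding="utf-8", newline="") as fh:
        before = fh.read()
    after = add_java_option(before, option)
    if after == before:
        return False
    with open(path, "w", encoding="utf-8", newline="") as fh:
        fh.write(after)
    return True


# Constructed sample of the relevant part of a WVService.conf. The existing
# options are placeholders, not the file shipped with APM.
SAMPLE_CONF = (
    "wrapper.java.command=java\n"
    "wrapper.java.additional.1=-Xms512m\n"
    "wrapper.java.additional.2=-Xmx1024m\n"
    "#wrapper.java.additional.9=-Dcommented.out=true\n"
    "wrapper.java.additional.3=-Djava.awt.headless=true\n"
)

if __name__ == "__main__":
    # Appends wrapper.java.additional.4=... (the commented .9 line is ignored).
    print(add_java_option(SAMPLE_CONF), end="")
```

Run `patch_conf_file(r"<EM HOME>\bin\WVService.conf")` on the real file after taking a backup, then restart the WebView service so the wrapper re-reads the conf; the Introscope_WebView.lax path for non-service installs is a single property line and is edited by hand.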

Additional Information:

reference:
Webview (HTTPS) error with Chrome/Firefox (Server has a weak ephemeral Diffie-Hellman public key)

Note:
The following warning may still be written to IntroscopeWebView.log and the console. It is logged when a browser aborts a handshake; if the browser connects successfully it can be ignored.

---IntroscopeWebView.log----

11/02/17 04:21:10.007 PM JST [WARN] [org.mortbay.log] EXCEPTION
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
       at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:708)
       at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.EOFException: SSL peer shut down incorrectly
       at com.sun.net.ssl.internal.ssl.InputRecord.read(Unknown Source)
       ... 6 more