Dgraph with AES256-SHA cipher reports startup failure in EAC Agent with "Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers" exception message (Doc ID 1458906.1)

Last updated on MARCH 02, 2017

Applies to:

Oracle Endeca Guided Search / Endeca Experience Manager - Version 5.1.0 and later
Information in this document applies to any platform.

Symptoms

When a dgraph is configured to use the AES256-SHA encryption cipher, any attempt to start that dgraph via the Endeca Application Controller (EAC) framework, including the Deployment Template (DT) framework, reports a "Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers" startup failure even though the dgraph process actually starts successfully.

The Deployment Template reports the dgraph component startup failure as a SEVERE EacComponentControlException, with messaging along these lines:

[05.16.12 12:19:35] SEVERE: Caught an exception while invoking method 'start' on object 'Dgraph1'. Releasing locks.

Caused by java.lang.reflect.InvocationTargetException
sun.reflect.NativeMethodAccessorImpl invoke0 - null
Caused by com.endeca.soleng.eac.toolkit.exception.EacComponentControlException
com.endeca.soleng.eac.toolkit.component.ServerComponent start - Server component 'Dgraph1' failed to start. Refer to component logs in /usr/local/endeca/Apps/MyApp/./logs/dgraphs/Dgraph1 on host MDEXHost1.

The EAC process log (process.0.log, located in $ENDECA_CONF/logs on UNIX and %ENDECA_CONF%\logs on Windows) reports a dgraph component startup failure with a SEVERE exception and a WARN-level message: 

SEVERE: 05-16-2012 14:08:52.067 [Central Server: 0.0.0.0] dgraph 'Dgraph1' has finished with status Failed - Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
Caused by:
java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:76)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2035)
at com.endeca.esf.delegate.util.remote.EsfURLConnectionFactory$ManagerSSLSocketFactory.createSocket(EsfURLConnectionFactory.java:251)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:391)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
at java.net.URLConnection.getContent(URLConnection.java:688)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:406)
at com.endeca.esf.delegate.procctrl.ExecutableProcessHandle.tryRequest(ExecutableProcessHandle.java:66)
at com.endeca.esf.delegate.procctrl.ExecutableProcessHandle.isResponding(ExecutableProcessHandle.java:38)
at com.endeca.esf.delegate.task.ServerTask.shouldContinuePolling(ServerTask.java:189)
at com.endeca.esf.delegate.task.PollingTask.checkContinuePolling(PollingTask.java:61)
at com.endeca.esf.delegate.task.PollingTask.doTaskWork(PollingTask.java:34)
at com.endeca.esf.delegate.task.AbstractTask$1.run(AbstractTask.java:90)

WARNING: 05-16-2012 14:08:52.075 [Central Server: 0.0.0.0] Received exception while shutting down process 5861 cleanly.
Caused by:
java.lang.IllegalArgumentException: Cannot support TLS_RSA_WITH_AES_256_CBC_SHA with currently installed providers
at com.sun.net.ssl.internal.ssl.CipherSuiteList.<init>(CipherSuiteList.java:76)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setEnabledCipherSuites(SSLSocketImpl.java:2035)
at com.endeca.esf.delegate.util.remote.EsfURLConnectionFactory$ManagerSSLSocketFactory.createSocket(EsfURLConnectionFactory.java:251)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:391)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1049)
at java.net.URLConnection.getContent(URLConnection.java:688)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getContent(HttpsURLConnectionImpl.java:406)
at com.endeca.esf.delegate.procctrl.ExecutableProcessHandle.tryRequest(ExecutableProcessHandle.java:66)
at com.endeca.esf.delegate.procctrl.ExecutableProcessHandle.tryCleanShutdown(ExecutableProcessHandle.java:79)
at com.endeca.esf.delegate.procctrl.ExecutableProcessHandle.stop(ExecutableProcessHandle.java:47)
at com.endeca.esf.delegate.task.ProcessHandlePollingTask.attemptStop(ProcessHandlePollingTask.java:109)
at com.endeca.esf.delegate.task.ProcessHandlePollingTask.cleanupProcessHandle(ProcessHandlePollingTask.java:122)
at com.endeca.esf.delegate.task.ServerTask.shouldContinuePolling(ServerTask.java:208)
at com.endeca.esf.delegate.task.PollingTask.checkContinuePolling(PollingTask.java:61)
at com.endeca.esf.delegate.task.PollingTask.doTaskWork(PollingTask.java:34)
at com.endeca.esf.delegate.task.AbstractTask$1.run(AbstractTask.java:90)

The dgraph's own error log shows no issues with startup, but reports these two WARN-level messages relating to SSL connection failure for each connection attempt made by the EAC Agent:

WARN    05/16/12 16:19:34.311 UTC (1337185174310)       DGRAPH  {dgraph}        Error during SSL_accept 5: error:00000000:lib(0):func(0):reason(0)      
WARN    05/16/12 16:19:34.311 UTC (1337185174311)       DGRAPH  {dgraph}        Aborting request: connection broken: client 127.0.0.1

Changes

This error occurs when the EAC and dgraph have both been configured with SSL certificates (or Java keystores, for the EAC) and the dgraph is set to use the AES256-SHA cipher listed in the Oracle Endeca Security Guide document. Other 256-bit ciphers may trigger the same issue, with a different string reported for the cipher in the EAC Agent exception messages shown above.

If you're using the Deployment Template framework and toolkit, the dgraph SSL cipher is configured via a <cipher> element in the <dgraph> element of the deployed application's config/script/AppConfig.xml file:

<dgraph id="Dgraph1" host-id="MDEXHost1" port="15000">
   [...]
   <cert-file>./config/lib/certs/eneCert.pem</cert-file>
   <ca-file>./config/lib/certs/eneCA.pem</ca-file>
   <cipher>AES256-SHA</cipher>
</dgraph>

If you're using the Endeca Application Controller directly, the dgraph SSL cipher is configured via a similar <cipher> element in the <dgraph> element of your provisioning XML document.
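
To see whether the JVM that hosts the EAC Agent can use the suite named in the exception, the following check tests the default JSSE provider and repeats the setEnabledCipherSuites call from the stack trace on an unconnected socket. It is an added example, not part of Oracle's note or the Endeca code base; the class name CipherSuiteCheck and its helper methods are assumptions made for this example.

```java
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added diagnostic (not Oracle or Endeca code). Run it with the same java
// binary that runs the EAC Agent so it sees the same installed providers.
// Usage: javac CipherSuiteCheck.java && java CipherSuiteCheck [SUITE_NAME]
public class CipherSuiteCheck {

    // True if the JVM's default JSSE provider implements the named suite.
    static boolean isSupported(SSLSocketFactory factory, String suite) {
        return Arrays.asList(factory.getSupportedCipherSuites()).contains(suite);
    }

    // Repeats the call seen in the stack trace on an unconnected socket.
    // Returns null on success, or the IllegalArgumentException message.
    static String tryEnable(SSLSocketFactory factory, String suite) throws Exception {
        SSLSocket socket = (SSLSocket) factory.createSocket();
        try {
            socket.setEnabledCipherSuites(new String[] { suite });
            return null;
        } catch (IllegalArgumentException e) {
            return e.getMessage();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        // JSSE name reported in the exception for the dgraph's AES256-SHA setting.
        String suite = args.length > 0 ? args[0] : "TLS_RSA_WITH_AES_256_CBC_SHA";
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        System.out.println("java.version      : " + System.getProperty("java.version"));
        System.out.println("java.home         : " + System.getProperty("java.home"));
        // Ceiling on AES key size under this JVM's installed crypto policy.
        System.out.println("max AES key bits  : " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("suite             : " + suite);
        System.out.println("supported by JSSE : " + isSupported(factory, suite));

        String error = tryEnable(factory, suite);
        System.out.println("setEnabledCipherSuites: " + (error == null ? "ok" : "FAILED - " + error));
        System.exit(error == null ? 0 : 1);
    }
}
```

A non-zero exit status means this JVM rejects the suite in the same way the EAC Agent does when it polls the dgraph.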

Cause
