
KB Article #178534

TLS connections fail with "bad_record_mac"

Problem

  • FIPS enabled environment
  • New TLS exchange point/partner
  • Connections fail with "bad_record_mac"


Resolution

** The error is caused by the client and server negotiating a cipher suite that does not work correctly in FIPS-enabled environments. A peer sends the "bad_record_mac" alert when it cannot verify the integrity check on a TLS record it received (for GCM suites, the authentication tag); here that failure comes from the cipher suite implementation, not from corruption of the data in transit.

** Cipher suites with _GCM_ in the name (Galois/Counter Mode) are known to cause this kind of error.

** GCM cipher suites were added in Java 1.8. In Interchange 5.12.0 SP8+ and B2Bi 2.1 SP6+ the GCM suites are enabled but not shown in the list of available cipher suites; unless the list of available cipher suites is overridden, they are still offered and can be negotiated.


The GCM cipher suites need to be removed from the affected exchange points:


  1. Go to the exchange point in question
  2. Change to the "Advanced" tab
  3. Select "Override SSL and TLS cipher suite"
  4. Select all cipher suites that do not contain _GCM_ (the GCM suites may not be listed at all, in which case select every listed suite; the override replaces the hidden defaults)
  5. Attempt to trade again



Alternatively, GCM can be disabled in the JRE itself. This is the broader change: it removes the GCM suites from every TLS connection the JVM makes, not only from the failing partner, and because the file lives inside the JRE directory a JRE upgrade or reinstall can overwrite the edit, so re-check it after upgrades and prefer the per-exchange-point override where that is sufficient:


  1. On the OS, go to: [installDir]/Axway/jre/lib/security
  2. Make a backup of the "java.security" file
  3. Edit the "java.security"
  4. Find the line starting with: jdk.tls.disabledAlgorithms, e.g.:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
  5. Add GCM to the list, e.g.:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, GCM
  6. Save file
  7. Restart Interchange
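The manual edit above, as an added example that is not part of Interchange/B2Bi or any Axway tooling: a POSIX shell script that backs up java.security, appends GCM to jdk.tls.disabledAlgorithms only if it is not already there, and verifies the result. It assumes the property starts at the beginning of a line and that a value split across lines uses a trailing backslash (the form used by later Java 8 updates); the sample file it edits is constructed for the demo, not taken from an installation.

```shell
#!/bin/sh
# Added example, not part of Interchange/B2Bi or Axway's tooling.
# Adds GCM to jdk.tls.disabledAlgorithms in a java.security file the way the
# manual steps do, but idempotently, with a backup and a verification step.
# Assumes the property starts at the beginning of a line and that any
# continuation uses a trailing backslash (the form used by later Java 8 updates).

# Print the logical value of jdk.tls.disabledAlgorithms, joining backslash-continued lines.
disabled_algorithms() {
    awk '
        !f && /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { f = 1 }
        f {
            line = $0
            if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); val = val line; next }
            val = val line; f = 0
        }
        END { sub(/^[^=]*=[ \t]*/, "", val); print val }
    ' "$1"
}

# Succeed only if GCM appears as its own comma-separated entry in the property.
gcm_disabled() {
    disabled_algorithms "$1" | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qx 'GCM'
}

# Back up the file, append ", GCM" to the last physical line of the property, verify.
disable_gcm() {
    file="$1"
    if ! grep -q '^jdk\.tls\.disabledAlgorithms[[:space:]]*=' "$file"; then
        echo "no jdk.tls.disabledAlgorithms property in $file" >&2
        return 2
    fi
    if gcm_disabled "$file"; then
        echo "GCM already disabled in $file"
        return 0
    fi
    cp -p "$file" "$file.bak" || return 1        # backup beside the original (step 2)
    tmp=$(mktemp) || return 1
    awk '
        !f && /^jdk\.tls\.disabledAlgorithms[ \t]*=/ { f = 1 }
        f && /\\[ \t]*$/ { print; next }           # continuation line: keep as is
        f { print $0 ", GCM"; f = 0; next }         # last physical line: append the entry
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"     # cat keeps the file's owner and mode
    rm -f "$tmp"
    gcm_disabled "$file"                           # verification is the return status
}

# Demo on a constructed java.security fragment (not from a real install):
demo_dir=$(mktemp -d)
cat > "$demo_dir/java.security" <<'EOF'
# constructed sample in the single-line form shown in the article
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
EOF
disable_gcm "$demo_dir/java.security" && disabled_algorithms "$demo_dir/java.security"
disable_gcm "$demo_dir/java.security"   # second run reports "already disabled" and changes nothing
```

Run it against [installDir]/Axway/jre/lib/security/java.security with the service stopped, then restart Interchange as in step 7; the .bak copy is the rollback if a partner turns out to need GCM.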


** The cipher suite chosen during the TLS handshake can be seen in the te_console log after adding the following line to conf/jvmArguments.xml and restarting Interchange. Handshake debugging is verbose and slows down TLS traffic, so remove the property again once the negotiated suite has been confirmed:


<Property key="javax.net.debug">ssl:handshake:debug</Property>
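A check for that log output, as an added example that is not part of Axway's tooling: a shell script that pulls the suite the server selected out of each handshake in a Java 8 JSSE debug log and flags the GCM ones. It assumes the classic Java 8 ssl:handshake format, in which the chosen suite is printed as "Cipher Suite: <name>" inside each "*** ServerHello" block; the log excerpt it scans is constructed for the demo and its values are invented.

```shell
#!/bin/sh
# Added example, not part of Axway's tooling: pull the cipher suite negotiated in each
# handshake out of a Java 8 JSSE debug log (javax.net.debug=ssl:handshake) and flag
# GCM suites. Assumes the classic Java 8 format, where the chosen suite is printed as
# "Cipher Suite: <name>" inside each "*** ServerHello" block.

# Print "<count> <suite>" for every suite the server selected, most frequent first.
negotiated_suites() {
    awk '
        /^\*\*\* ServerHello/ { inhello = 1; next }
        inhello && /^Cipher Suite: / { print $3; inhello = 0 }
    ' "$1" | sort | uniq -c | sort -rn
}

# Print only the negotiated suites that use GCM, i.e. the ones to remove.
gcm_suites() {
    negotiated_suites "$1" | awk '$2 ~ /_GCM_/ { print $2 }'
}

# Constructed log excerpt: layout mirrors Java 8 ssl:handshake output, values invented.
logfile=$(mktemp)
cat > "$logfile" <<'EOF'
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
***
*** ServerHello, TLSv1.2
Session ID:  {1, 2, 3, 4}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
***
main, RECV TLSv1.2 ALERT:  fatal, bad_record_mac
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
***
EOF
gcm_suites "$logfile"
```

Point it at the te_console log instead of the constructed file; a GCM suite in the output next to a bad_record_mac alert confirms the diagnosis, and an empty output after applying either fix confirms the suites are no longer being negotiated.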