KB Article #178941
Outbound TLS web services calls are failing
Problem
-- Outbound Web Services connections to a HTTPS server are failing
-- Error varies, e.g.: "Received fatal alert: handshake_failure", "SSL peer shut down incorrectly", or "Remote host closed connection during handshake"
-- Testing individual protocols via openssl reveals that the server supports only TLS 1.2, not TLS 1.0:
openssl s_client -connect [host]:[port] -tls1 (fails)
openssl s_client -connect localhost:6619 -tls1_2 (is successful)
-- On AIX, all TSIM 3.9.1 versions are affected; on Windows/Linux, only TSIM 3.9.1 SP6 and lower are affected
-- SSL debug (add "-Djavax.net.debug=ssl:handshake" to the $ACTISEDI/param/startajas MEM_OPT parameter) or a network trace shows that the client uses TLS 1.0
Resolution
** Java 1.7 (SP6 or lower) uses TLS 1.0 by default. Oracle Java uses TLS 1.2 as the default connection protocol starting with Java 1.8. From tests, it looks like IBM Java still uses TLS 1.0 as the default protocol, even in Java 1.8.0.
The solution for TSIM 3.9.1 installations using Oracle Java is to upgrade to the latest service pack. Please remember that SP8 is a prerequisite for all later SPs.
The solution for AIX installations is to add the following option to the param/startajas MEM_OPT parameter and restart the ajas:
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
This will cause TSIM to use TLSv1.2 for outbound HTTPS connections initiated by the ajas. The same option works as a workaround for Linux 3.9.1 SP6 and lower installations.
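
The two checks from this article (probing the server per protocol version, and confirming that the JVM options carry the https.protocols setting) can be scripted as below. This is an added example, not part of the original article or of TSIM; the function names are hypothetical, and it assumes the MEM_OPT value is passed in as a plain space-separated string of JVM options.

```shell
#!/bin/sh
# Added example: helper functions for the checks described in this article.
# All function names are hypothetical; nothing here ships with TSIM.

# Print the value of -Dhttps.protocols found in a JVM option string
# (assumed to be space-separated). If the option is repeated, the last
# occurrence is printed. Prints nothing when the option is absent.
https_protocols() {
    for opt in $1; do
        case "$opt" in
            -Dhttps.protocols=*) printf '%s\n' "${opt#-Dhttps.protocols=}" ;;
        esac
    done | tail -n 1
}

# Classify a JVM option string:
#   unset         -> no https.protocols option, the JVM default applies
#   tls12-enabled -> TLSv1.2 is in the configured list
#   tls12-missing -> a list is configured but TLSv1.2 is not in it
mem_opt_verdict() {
    protos=$(https_protocols "$1")
    if [ -z "$protos" ]; then
        echo "unset"
        return 0
    fi
    case ",$protos," in
        *,TLSv1.2,*) echo "tls12-enabled" ;;
        *)           echo "tls12-missing" ;;
    esac
}

# Probe a server with one forced protocol version per attempt, as done
# manually above. Requires network access and an openssl build that still
# supports the older protocol flags.
probe_tls() {
    for flag in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$1:$2" "-$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag: handshake ok"
        else
            echo "$flag: handshake failed"
        fi
    done
}

# Stand-alone use: ./tlscheck.sh <host> <port>
if [ "$#" -eq 2 ]; then
    probe_tls "$1" "$2"
fi
```

A result of "unset" on an affected installation means the JVM default (TLS 1.0 in the cases described above) is still in effect.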