KB Article #179541
Does the SMTP server in API Gateway support TLSv1.2?
Problem
A problem may arise when getting API Manager/Gateway SMTP to work against a mail server that supports only TLSv1.2.
The connection cannot be established, and the API Gateway trace shows an error like the following:
org.apache.commons.mail.EmailException: Sending the email to the following server failed : mail.company.com:465
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1242)
    at org.apache.commons.mail.Email.send(Email.java:1267)
    at com.vordel.circuit.smtp.SendEmail.sendHtmlEmail(SendEmail.java:212)
    at com.vordel.apiportal.email.smtp.TemplateEmail.send(TemplateEmail.java:92)
    at com.vordel.apiportal.email.smtp.TemplateEmail.trySend(TemplateEmail.java:40)
    at com.vordel.apiportal.actionqueue.QueueProcessor.emailAndAudit(QueueProcessor.java:191)
    at com.vordel.apiportal.actionqueue.QueueProcessor.addEntry(QueueProcessor.java:164)
    at com.vordel.apiportal.actionqueue.QueueProcessor.addEntryForImmediateAction(QueueProcessor.java:118)
    at com.vordel.apiportal.api.portal.controller.UserController.forgotUserPassword(UserController.java:650)
    at com.vordel.apiportal.api.portal.v1_2.APIUsers.forgotUserPassword(APIUsers.java:374)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.glassfish.jersey.server.model.internal.ResourceMethodInvocationHandlerFactory$1.invoke(ResourceMethodInvocationHandlerFactory.java:81)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher$1.run(AbstractJavaResourceMethodDispatcher.java:144)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.invoke(AbstractJavaResourceMethodDispatcher.java:161)
    at org.glassfish.jersey.server.model.internal.JavaResourceMethodDispatcherProvider$ResponseOutInvoker.doDispatch(JavaResourceMethodDispatcherProvider.java:160)
    at org.glassfish.jersey.server.model.internal.AbstractJavaResourceMethodDispatcher.dispatch(AbstractJavaResourceMethodDispatcher.java:99)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:389)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:347)
    at org.glassfish.jersey.server.model.ResourceMethodInvoker.apply(ResourceMethodInvoker.java:102)
    at org.glassfish.jersey.server.ServerRuntime$2.run(ServerRuntime.java:326)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:271)
    at org.glassfish.jersey.internal.Errors$1.call(Errors.java:267)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
    at org.glassfish.jersey.internal.Errors.process(Errors.java:267)
    at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:317)
    at org.glassfish.jersey.server.ServerRuntime.process(ServerRuntime.java:305)
    at org.glassfish.jersey.server.ApplicationHandler.handle(ApplicationHandler.java:1154)
    at org.glassfish.jersey.servlet.WebComponent.serviceImpl(WebComponent.java:473)
    at org.glassfish.jersey.servlet.WebComponent.service(WebComponent.java:427)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:388)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:341)
    at com.vordel.apiportal.api.PortalServletContainer.service(PortalServletContainer.java:40)
    at org.glassfish.jersey.servlet.ServletContainer.service(ServletContainer.java:228)
Caused by: javax.mail.MessagingException: Could not connect to SMTP host: mail.company.com, port: 465, response: -1
    at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1949)
    at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:654)
    at javax.mail.Service.connect(Service.java:317)
    at javax.mail.Service.connect(Service.java:176)
    at javax.mail.Service.connect(Service.java:125)
    at javax.mail.Transport.send0(Transport.java:194)
    at javax.mail.Transport.send(Transport.java:124)
    at org.apache.commons.mail.Email.sendMimeMessage(Email.java:1232)
There is no specific option for the TLS version in the SMTP external connection configuration.
Resolution
Start the API Gateway instance with the following JVM configuration:
<ConfigurationFragment>
    <VMArg name="-Dmail.smtp.ssl.protocols=TLSv1.2" />
</ConfigurationFragment>
The SMTP server's CA certificate might need to be present in a truststore file or added to the default "apigateway/Linux.x86_64/jre/lib/security/cacerts".
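To check the mail server side before restarting the gateway, the following added example (not part of the original article or the product) attempts the same kind of connection from Python: a TLS handshake straight after connect on port 465, restricted to TLSv1.2 and validated against a CA bundle. The file name smtp-ca.pem is hypothetical, and certificate trust here reflects the given PEM file or the system store, not the gateway JRE's cacerts.

```python
import socket
import ssl


def probe_tls12(host, port=465, cafile=None, timeout=5.0):
    """Try a TLSv1.2-only handshake immediately after connecting (as on port 465).

    cafile: optional PEM bundle holding the mail server's CA (assumption: you
    exported it yourself); when None, the system default CAs are used.
    Returns a dict whose "status" separates the three usual causes of failure.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Mirror -Dmail.smtp.ssl.protocols=TLSv1.2: offer exactly one version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        # Firewall, wrong port or DNS: TLS never started.
        return {"status": "connect_failed", "detail": str(exc)}

    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "status": "ok",
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
            }
    except ssl.SSLCertVerificationError as exc:
        # Handshake reached certificate validation but the CA is not trusted
        # (the truststore case) or the host name does not match.
        return {"status": "untrusted_cert", "detail": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # No common protocol version, or the port does not speak TLS on connect.
        return {"status": "handshake_failed", "detail": str(exc)}


if __name__ == "__main__":
    # Host and port taken from the trace above; smtp-ca.pem is a placeholder.
    print(probe_tls12("mail.company.com", 465, cafile="smtp-ca.pem"))
```

A result of "untrusted_cert" points at the truststore, while "handshake_failed" points at the protocol version or at a port that expects plaintext first.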
Debug output for the TLS connection handshake can be seen on the terminal stdout by starting the instance in the foreground with the following debug settings:
<ConfigurationFragment>
    <VMArg name="-Dmail.debug=true" />
    <VMArg name="-Djavax.mail=DEBUG" />
    <VMArg name="-Djavax.net.debug=all" />
    <VMArg name="-Dmail.smtp.starttls.enable=true" />
    <!-- <VMArg name="-Djavax.net.ssl.trustStore=trustStore" /> -->
    <VMArg name="-Dmail.smtp.ssl.protocols=TLSv1.2" />
</ConfigurationFragment>
There is also a boolean in the entity store that can be switched on for extra TLS debugging.
