Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
APM Agent Overrides JVM SSL config
See original GitHub issueDescribe the bug Environment Websphere Liberty IBM Java 8 APM 1.15.1
APM agent is overriding the SSL config configured in Liberty server.xml for outbound ssl connections and loading Java trust store.
If i disable APM agent, my outbound connections work and can see from debug log they are using correct trust store, cipher, protocol and cert.
With APM Agent enabled I see the debug logs for Agent connecting to APM server over SSL using Strong cipher and default Java trusted certs.
I can get around the trusted certs issue using 1.16.1-Snapshot as per recent issue - Agent initialises Java truststore, and changing the apm server to HTTP to prevent the SSL config overriding Liberty containers config. But i would like to use HTTPS for sending JVM metrics to APM server.
Steps to reproduce the behavior:
Run Websphere liberty with outbound ssl connection and apm agent configured to apm server with https Test outbound connection
Expected behavior Expect agent to not interfere with the SSL config used by Liberty
Debug logs With apm agent over https to apm server
com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:820)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.jsse2.k.a(k.java:41)
at com.ibm.jsse2.av.a(av.java:147)
at com.ibm.jsse2.D.a(D.java:103)
at com.ibm.jsse2.D.a(D.java:432)
at com.ibm.jsse2.E.a(E.java:248)
at com.ibm.jsse2.E.a(E.java:620)
at com.ibm.jsse2.D.r(D.java:628)
at com
| May 27, 2020 @ 11:53:13.821 | Default Executor-thread-39, WRITE: TLSv1.2 Alert, length = 2
| May 27, 2020 @ 11:53:13.821 | [Raw write]: length = 7
| May 27, 2020 @ 11:53:13.821 | 0000: 15 03 03 00 02 02 2e .......
| May 27, 2020 @ 11:53:13.821 | Default Executor-thread-39, called closeSocket()
| May 27, 2020 @ 11:53:13.820 | fatal,
| May 27, 2020 @ 11:53:13.820 | description = certificate_unknown
| May 27, 2020 @ 11:53:13.819 | ***
| May 27, 2020 @ 11:53:13.819 | %% Invalidated: [Session-3, SSL_RSA_WITH_AES_256_GCM_SHA384]
| May 27, 2020 @ 11:53:13.819 | Default Executor-thread-39
| May 27, 2020 @ 11:53:13.819 | , SEND TLSv1.2 ALERT:
Issue Analytics
- State:
- Created 3 years ago
- Comments:20 (11 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
That also works fine - with no delay
Nice! Thanks for the feedback.