APM Agent Overrides JVM SSL config
Describe the bug
Environment: WebSphere Liberty, IBM Java 8, APM 1.15.1
The APM agent is overriding the SSL config configured in Liberty server.xml for outbound SSL connections and loading the Java trust store.
If I disable the APM agent, my outbound connections work and I can see from the debug log that they are using the correct trust store, cipher, protocol and cert.
With the APM agent enabled, I see the debug logs for the agent connecting to the APM server over SSL using a strong cipher and the default Java trusted certs.
I can get around the trusted certs issue using 1.16.1-Snapshot as per the recent issue "Agent initialises Java truststore", and by changing the APM server to HTTP to prevent the SSL config overriding the Liberty container's config. But I would like to use HTTPS for sending JVM metrics to the APM server.
Steps to reproduce the behavior:
- Run WebSphere Liberty with an outbound SSL connection and the APM agent configured to an APM server with HTTPS
- Test outbound connection
Expected behavior
Expect agent to not interfere with the SSL config used by Liberty
Debug logs
With APM agent over HTTPS to APM server
com.ibm.ws.threading.internal.ExecutorServiceImpl$RunnableWrapper.run(ExecutorServiceImpl.java:239)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1160)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
at java.lang.Thread.run(Thread.java:820)
Caused by: javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.jsse2.k.a(k.java:41)
at com.ibm.jsse2.av.a(av.java:147)
at com.ibm.jsse2.D.a(D.java:103)
at com.ibm.jsse2.D.a(D.java:432)
at com.ibm.jsse2.E.a(E.java:248)
at com.ibm.jsse2.E.a(E.java:620)
at com.ibm.jsse2.D.r(D.java:628)
at com
| May 27, 2020 @ 11:53:13.821 | Default Executor-thread-39, WRITE: TLSv1.2 Alert, length = 2
| May 27, 2020 @ 11:53:13.821 | [Raw write]: length = 7
| May 27, 2020 @ 11:53:13.821 | 0000: 15 03 03 00 02 02 2e .......
| May 27, 2020 @ 11:53:13.821 | Default Executor-thread-39, called closeSocket()
| May 27, 2020 @ 11:53:13.820 | fatal,
| May 27, 2020 @ 11:53:13.820 | description = certificate_unknown
| May 27, 2020 @ 11:53:13.819 | ***
| May 27, 2020 @ 11:53:13.819 | %% Invalidated: [Session-3, SSL_RSA_WITH_AES_256_GCM_SHA384]
| May 27, 2020 @ 11:53:13.819 | Default Executor-thread-39
| May 27, 2020 @ 11:53:13.819 | , SEND TLSv1.2 ALERT:
Issue Analytics
- Created 3 years ago
- Comments:20 (11 by maintainers)
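The `[Raw write]` bytes in the debug log above are a complete TLS alert record and can be decoded to confirm what the JVM sent on the wire. This is an added example, not part of the original issue or of the agent's code; the function names are hypothetical and the alert names are taken from RFC 5246.

```python
import re

# Alert descriptions from RFC 5246, section 7.2 (TLS 1.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def hexdump_bytes(line):
    """Pull the bytes out of one dump line like '0000: 15 03 03 ... .......'."""
    m = re.search(r"\b[0-9a-fA-F]{4}:((?: [0-9a-fA-F]{2})+)", line)
    if not m:
        raise ValueError("no hex dump found in line")
    return bytes.fromhex(m.group(1).replace(" ", ""))

def decode_alert(record):
    """Decode a plaintext TLS alert record: 5-byte header plus level/description."""
    if len(record) < 5:
        raise ValueError("shorter than a TLS record header")
    ctype, major, minor = record[0], record[1], record[2]
    length = int.from_bytes(record[3:5], "big")
    if ctype != 21:
        raise ValueError(f"content type {ctype} is not alert (21)")
    # Slice by the declared length: the regex may have swallowed the start of
    # the ASCII column if it happened to look like a hex pair.
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        # An encrypted alert is longer than two bytes and cannot be read here.
        raise ValueError("not a plaintext 2-byte alert")
    level, desc = body
    return {"version": VERSIONS.get((major, minor), f"{major}.{minor}"),
            "level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}

# Dump line copied from the debug log in the issue.
SAMPLE = "| May 27, 2020 @ 11:53:13.821 | 0000: 15 03 03 00 02 02 2e ......."

if __name__ == "__main__":
    print(decode_alert(hexdump_bytes(SAMPLE)))
```

Because the log marks this record as a write, the fatal `certificate_unknown` alert was sent by the local JVM, meaning it rejected the peer's certificate chain, which matches the PKIX path building failure in the stack trace.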
Top GitHub Comments
That also works fine - with no delay
Nice! Thanks for the feedback.