HPE Community
IMC
1819812 Members
2916 Online
109607 Solutions
New Discussion

Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

 
SOLVED
Go to solution
denn93
Occasional Contributor

‎05-24-2018 08:35 AM

‎05-24-2018 08:35 AM

Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Hello!

after upgrade to iMC PLAT v7.3 (E0605)  the imc is not working anymore. 

i only got this error:

This page can't be displayed

This page can't be displayed

Make sure the web address https://imc.ad.local:8443 is correct.

Look for the page with your search engine.

Refresh the page in a few minutes.

Make sure TLS and SSL protocols are enabled. Go to Tools > Internet Options > Advanced > Settings > Security

I i check in the Deployment agent Monitor everything is green and can not see any errors.  I did not get any errors when uppdating IMC to the latest version. 

Some have any ides? 

 

1 person had this problem.
0 Kudos
11 REPLIES 11
LindsayHill
Honored Contributor

‎05-24-2018 11:21 AM

‎05-24-2018 11:21 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Check to see if your server is listening on port 8443 (or port 443) using netstat.

__
@northlandboy
0 Kudos
denn93
Occasional Contributor

‎05-25-2018 04:50 AM

‎05-25-2018 04:50 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

the server is litsning on the port.  but only gets the answer  ERR_SSL_VERSION_OR_CIPHER_MISMATCH .

if i use 8080 and http  i can reach imc and use the system.  

only get errors when trying on HTTPS.

0 Kudos
LindsayHill
Honored Contributor

‎05-26-2018 02:20 PM

‎05-26-2018 02:20 PM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

You'll need to investigate your server & browser combination more closely, to figure out why they can't agree. You could start by trying another browser, and using "openssl s_client" to look at what ciphers & SSL versions the server is offering, and from there figure out why your browser doesn't like those.

__
@northlandboy
0 Kudos
CCTobias
Occasional Advisor

‎05-29-2018 08:42 AM

‎05-29-2018 08:42 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

100% exactly the same behaviour here

0 Kudos
mschrein2
Frequent Advisor

‎05-31-2018 12:38 AM

‎05-31-2018 12:38 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

the problem is with the $IMC/client/conf/server.xml file (this is the file which defines the http and https connectors), it is missing the ciphers for https

please open a case with hpe to get a working one

mschrein2
Frequent Advisor

‎05-31-2018 12:47 AM

‎05-31-2018 12:47 AM

Solution

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

this is how the server.xml file should look like:

 

<?xml version="1.0" encoding="utf-8" standalone="no"?><!-- Embedded iMC Web Ccontainer (Tomcat) --><Server port="8005" shutdown="SHUTDOWN">

    <!-- Listeners -->
    <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
    <Listener className="org.apache.catalina.core.JasperListener"/>
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
    <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
    <Listener className="com.h3c.imc.traceLog.iMCTraceWebListener"/>      

    <!-- Service -->
    <Service name="Catalina">

        <!-- HTTP Connector  useURIValidationHack设成"false",可以减少它对一些url的不必要的检查从而减省开销。-->
        <Connector URIEncoding="UTF-8" acceptCount="100" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol" redirectPort="8443" server="Server" useURIValidationHack="false"/>

        <!-- HTTPS Connector -->
        <Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="Server" sslProtocol="TLS"/>

        <!-- AJP Connectors, disabled in default configuration  keystoreFile="security/server.crt"
            keystorePass="1" -->
        <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
        <!-- <Connector port="8019" protocol="AJP/1.3" scheme="https" secure="true"
            /> -->

        <!-- Engine: imcEngine -->
        <Engine defaultHost="imcHost" name="imcEngine">

            <!-- Host: imcHost -->
            <Host appBase="web/apps" autoDeploy="false" name="imcHost" server="Server" startStopThreads="10" unpackWARs="true" workDir="web/work">

                <!-- No host access log in default configuration   startStopThreads="4"  hostConfigClass="com.h3c.imc.orderHostConfig.ContextDeployOrderHostConfig"-->
                <!-- <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
                    prefix="localhost_access_log." suffix=".txt" pattern="%h %l %u %t &quot;%r&quot;
                    %s %b" /> -->

            </Host>
        </Engine>
    </Service>
</Server>

denn93
Occasional Contributor

‎05-31-2018 01:06 AM

‎05-31-2018 01:06 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

I installed a new imc server to solve the problem.  

on the old server i add the:

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="Server" sslProtocol="TLS"/>

server.xml and now it works.  

On the new server the ciphers is in the server.xml .  So looks like this problem coming up when updating  to the (E0605). 

 

0 Kudos
EMachabert
New Member

‎05-31-2018 04:45 AM - edited ‎05-31-2018 04:48 AM

‎05-31-2018 04:45 AM - edited ‎05-31-2018 04:48 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Adding the CIPHER suite does the trick.

I would add that while you are editing this file you could enhance the security by disabling Poodle attack vector by adding this parameter: 

sslEnabledProtocols="TLSv1.1,TLSv1.2"

 

see CVE-2014-3566 https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0123277

spgsitsupport
Regular Advisor

‎02-20-2019 05:20 AM

‎02-20-2019 05:20 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Done the line as per above to:

C:\Program Files\iMC\client\conf\server.xml

		<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="100" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA" clientAuth="false" compressableMimeType="text/html,text/xml,text/xhtml,text/css,text/javascript,text/plain" compression="on" compressionMinSize="2048" connectionTimeout="60000" disableUploadTimeout="true" enableLookups="false" keystoreFile="security/newks" keystorePass="iMCV500R001" maxHttpHeaderSize="8192" maxPostSize="5242880" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="Server" sslProtocol="TLS"/>


C:\Program Files\iMC\client\security\newks is correct file with CORRECT certificate (which was working fine before upgrade)

But Chrome only gives me now: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

0 Kudos
spgsitsupport
Regular Advisor

‎03-30-2021 05:10 AM

‎03-30-2021 05:10 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Anybody?

 

I still only get:

 

This site can’t provide a secure connectionhpimc.spgs.org uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Unsupported protocol
The client and server don't support a common SSL protocol version or cipher suite.
0 Kudos
spgsitsupport
Regular Advisor

‎04-09-2021 06:40 AM - edited ‎04-09-2021 07:33 AM

‎04-09-2021 06:40 AM - edited ‎04-09-2021 07:33 AM

Re: Login page SSL error after upgrade to iMC PLAT v7.3 (E0605)

Had to add cipher

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

because I am using ECDSA_P256 certificate

Way better list of ciphers is here:

https://www.jamf.com/jamf-nation/articles/384/configuring-supported-ciphers-for-tomcat-https-connections

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.