Symptom
- Launching the Java Report Panel in Infoview on client machines with JRE 1.6.0_19 or higher generates a WIJ 20002 error.
- The detailed error message is as follows:
https://www.awps.army.mil:443/AnalyticalReporting/Webi/cdzServlet
Stack trace: java.lang.RuntimeException: javax.net.ssl.SSLException: HelloRequest followed by an unexpected handshake message
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverHelloRequest(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(Unknown Source)
    at java.io.BufferedInputStream.fill(Unknown Source)
    at java.io.BufferedInputStream.read1(Unknown Source)
    at java.io.BufferedInputStream.read(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTPHeader(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.http.HttpClient.parseHTTP(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.businessobjects.wp.cpi.CPIConnection.postRequest(Unknown Source)
    at com.businessobjects.wp.xml.XMLViaHttp.loadScript(Unknown Source)
    at com.businessobjects.wp.xml.XMLViaHttp.initInstance(Unknown Source)
    at com.businessobjects.wp.xml.XMLSession.load(Unknown Source)
    at com.businessobjects.wp.xml.XMLSession.load(Unknown Source)
    at com.businessobjects.wp.om.OMSessionLoader.load(Unknown Source)
    at com.businessobjects.wp.tc.TCMain.initClient(Unknown Source)
    at com.businessobjects.wp.tc.thread.InitAppletRunner.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
    at com.businessobjects.wp.cpi.CPIConnection.postRequest(Unknown Source)
    at com.businessobjects.wp.xml.XMLViaHttp.loadScript(Unknown Source)
    at com.businessobjects.wp.xml.XMLViaHttp.initInstance(Unknown Source)
    at com.businessobjects.wp.xml.XMLSession.load(Unknown Source)
    at com.businessobjects.wp.xml.XMLSession.load(Unknown Source)
    at com.businessobjects.wp.om.OMSessionLoader.load(Unknown Source)
    at com.businessobjects.wp.tc.TCMain.initClient(Unknown Source)
    at com.businessobjects.wp.tc.thread.InitAppletRunner.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Environment
- Business Objects Enterprise Release 3.1
- Client machines' JRE is 1.6.0_19 or higher.
- Using SSL connections and SmartCard authentication
Reproducing the Issue
- From a client machine running JRE 1.6.0_19 or higher, log in to Infoview.
- Try to create a report with the Java Report Panel.
- The WIJ 20002 error is displayed.
- Modifying existing reports generates the same error.
Cause
- This is not a Business Objects Enterprise issue.
- It is a Transport Layer Security (TLS) renegotiation issue specific to JRE 1.6.0_19 or higher when using SSL communication with Smart Card authentication.
Resolution
1. Apply Java SDK 1.6.0_22, as it has a new Phase 2 fix for the SSLHandshakeException/handshake_failure.
2. If clients do not send the proper RFC 5746 messages, initial connections will immediately be terminated by the server.
http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html
Phase 2: The IETF issued RFC 5746 which addresses the renegotiation protocol flaw. A fix which implements RFC 5746 and supports secure renegotiation is included in the following releases:
| JDK Family | Vulnerable | Phase 1 Fix | Phase 2 Fix |
|---|---|---|---|
| JDK and JRE 6 | Update 18 and earlier | Updates 19-21 | Update 22 |
- sun.security.ssl.allowUnsafeRenegotiation - Introduced in Phase 1, this controls whether legacy (unsafe) renegotiations are permitted.
- sun.security.ssl.allowLegacyHelloMessages - Introduced in Phase 2, this allows the peer to handshake without requiring the proper RFC 5746 messages.
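A small diagnostic for the table and the two system properties above, added here as an example and not taken from the SAP note or from Oracle's code: it classifies a JRE 6 version string against the table and names the renegotiation mode the property values select. The class name, the mode labels (following Oracle's README) and the property defaults (allowUnsafeRenegotiation=false, allowLegacyHelloMessages=true) are assumptions not stated on this page.

```java
// Added example (not from the original note): classify a JRE 6 version against
// the fix table and name the renegotiation mode the two properties select.
public class RenegotiationCheck {

    // Map a java.version string such as "1.6.0_22-b04" onto the table's columns.
    static String fixPhase(String version) {
        if (!version.startsWith("1.6.0")) {
            return "not covered by the JDK/JRE 6 row";
        }
        int update = 0; // plain "1.6.0" is the initial release
        int idx = version.indexOf('_');
        if (idx >= 0) {
            // keep leading digits only, dropping suffixes like "-b04"
            String digits = version.substring(idx + 1).replaceAll("[^0-9].*$", "");
            if (digits.length() > 0) {
                update = Integer.parseInt(digits);
            }
        }
        if (update <= 18) return "Vulnerable (Update 18 and earlier)";
        if (update <= 21) return "Phase 1 fix (Updates 19-21)";
        return "Phase 2 fix (Update 22 or later)";
    }

    // Mode names as used in Oracle's README; the unlisted combination is flagged.
    static String mode(boolean allowUnsafe, boolean allowLegacyHello) {
        if (allowUnsafe) {
            return allowLegacyHello ? "Insecure: legacy renegotiation permitted"
                                    : "Unlisted combination: review the settings";
        }
        return allowLegacyHello ? "Interoperable: RFC 5746 optional, no legacy renegotiation"
                                : "Strict: RFC 5746 messages required";
    }

    static boolean flag(String name, String assumedDefault) {
        return Boolean.parseBoolean(System.getProperty(name, assumedDefault));
    }

    public static void main(String[] args) {
        // Assumed defaults: allowUnsafeRenegotiation=false, allowLegacyHelloMessages=true
        boolean unsafe = flag("sun.security.ssl.allowUnsafeRenegotiation", "false");
        boolean legacy = flag("sun.security.ssl.allowLegacyHelloMessages", "true");
        String running = System.getProperty("java.version");
        System.out.println(running + " -> " + fixPhase(running));
        System.out.println("Mode -> " + mode(unsafe, legacy));
        // Constructed sample versions, one per table column plus a build suffix
        String[] samples = {"1.6.0_18", "1.6.0_19", "1.6.0_21", "1.6.0_22-b04"};
        for (int i = 0; i < samples.length; i++) {
            System.out.println(samples[i] + " -> " + fixPhase(samples[i]));
        }
    }
}
```

Run it with the same -D options the client JVM is started with. A result of "Insecure" means legacy renegotiation has been switched back on, so the client accepts the renegotiation that the Phase 1 and Phase 2 fixes were meant to block.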
Keywords
KBA, BI-RA-WBI, Web Intelligence, Problem
Product
SAP BusinessObjects Xcelsius Enterprise 2008