How to enable TLS 1.2

Support questions related to CloverETL Server

jusman
Posts: 8
Joined: Tue Apr 14, 2015 12:45 am

How to enable TLS 1.2

Postby jusman » Wed Jun 29, 2016 10:25 pm

Hi there,

We have a couple of graphs that use the WebServiceClient component to make SOAP calls to Salesforce. Everything has been working fine until recently, when they disabled TLS 1.0 on all the sandbox (test) instances.

On the server, how do we make sure that the WebServiceClient component uses TLS 1.2? I have tried following the instructions here https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html, but I am having no luck.

We have Clover 4.0.4.13 running on top of Tomcat 7.0.65.

Thanks a bunch!
Jus

imriskal
Posts: 382
Joined: Wed Aug 15, 2012 8:18 am

Re: How to enable TLS 1.2

Postby imriskal » Fri Jul 08, 2016 9:12 am

Hi Jus,

The mentioned instructions would work only if you tried to connect to CloverETL Server using TLS. If you want to connect to a third party service from a CloverETL graph, you have to add -Dhttps.protocols=TLSv1.2 as a JVM property to 3 places:

1) For CloverETL Server, add the property to JAVA_OPTS of your application server. Then restart it.
2) For CloverETL Designer, add it as a new line to CloverETLDesigner.ini file (at the very end of the file) in the Designer installation directory and also to Window > Preferences > CloverETL > ETL Runtime > VM parameters and restart the Designer.

Hope this helps.
---
Lubos Imriska
CloverCARE Support
CloverETL | Rapid Data Integration

Visit us online at http://www.cloveretl.com
How to speed up communication with CloverCARE support

jusman
Posts: 8
Joined: Tue Apr 14, 2015 12:45 am

Re: How to enable TLS 1.2

Postby jusman » Wed Jul 13, 2016 6:33 pm

Hi Lubos, thanks so much for your reply! However, I tried both your suggestions and they didn't seem to work.

1) For the server, I have tried adding -Dhttps.protocols=TLSv1.2 to JAVA_OPTS, restarted Tomcat, and then verified using `ps` that the argument was passed to java. When I tried to run a graph with the WebServiceClient in it from the server GUI, it just kept spinning and spinning and never came back. This is what I found in the log:


Jul 12, 2016 4:18:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jul 12, 2016 4:18:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jul 12, 2016 4:18:35 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8010"]
Jul 12, 2016 4:18:35 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3391 ms
Jul 12, 2016 4:18:35 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jul 12, 2016 4:18:35 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.65
Jul 12, 2016 4:18:35 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat/webapps/clover.war
Jul 12, 2016 4:18:50 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:18:50 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.sun.faces.config.ConfigureListener" is already configured for this context. The duplicate definition has been ignored.
Jul 12, 2016 4:18:54 PM com.sun.xml.ws.transport.http.servlet.WSServletDelegate <init>
INFO: WSSERVLET14: JAX-WS servlet initializing
Jul 12, 2016 4:18:54 PM org.apache.catalina.core.ApplicationContext log
INFO: No Spring WebApplicationInitializer types detected on classpath
16:18:54,394 INFO : === CloverETL 4.0.4.13 Starting ===
Jul 12, 2016 4:18:54 PM com.sun.faces.config.WebConfiguration processBooleanParameters
WARNING: JSF1025: [/clover] Context initialization parameter 'com.sun.faces.disableVersionTracking' is deprecated and will have no effect.
Jul 12, 2016 4:18:54 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Mojarra (1.2_15-20100816-SNAPSHOT) for context '/clover'
Jul 12, 2016 4:18:57 PM com.sun.faces.spi.InjectionProviderFactory createInstance
INFO: JSF1048: PostConstruct/PreDestroy annotations present.  ManagedBeans methods marked with these annotations will have said annotations processed.
Jul 12, 2016 4:18:58 PM com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jul 12, 2016 4:18:58 PM com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jul 12, 2016 4:19:12 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [14,535] milliseconds.
Jul 12, 2016 4:19:13 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/lib/tomcat/webapps/clover.war has finished in 37,291 ms
Jul 12, 2016 4:19:13 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat/webapps/manager
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat/webapps/manager has finished in 1,578 ms
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat/webapps/host-manager
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat/webapps/host-manager has finished in 1,345 ms
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8010"]
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 40632 ms
Jul 12, 2016 4:19:18 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
16:19:47,665 INFO : === CloverETL Server 4.0.4.13 Started ===
16:19:47,678 INFO : Available memory:
 Heap memory (initial/used/max): 59 MB/85 MB/928 MB
 Non-heap memory (initial/used/max): 23 MB/75 MB/130 MB
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-core.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-html.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-ui.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jstl-core.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jstl-fn.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-impl-1.2_15.jar!/META-INF/mojarra_ext.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/a4j.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/rich.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/jsp.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/richfaces.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/ajax4jsf.taglib.xml
Bad Base64 input character at 8: 46(decimal)
Exception in thread "http-bio-8080-exec-2" java.lang.OutOfMemoryError: PermGen space
    at sun.misc.Unsafe.defineClass(Native Method)
    at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:63)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:395)
    at sun.reflect.MethodAccessorGenerator.generateMethod(MethodAccessorGenerator.java:77)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:46)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:99)
    at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
    at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:183)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
    at javax.faces.component.UIOutput.getValue(UIOutput.java:184)
    at org.richfaces.renderkit.CalendarRendererBase.getInputValue(CalendarRendererBase.java:550)
    at org.richfaces.renderkit.html.CalendarRenderer.doEncodeEnd(CalendarRenderer.java:297)
    at org.richfaces.renderkit.html.CalendarRenderer.doEncodeEnd(CalendarRenderer.java:516)
    at org.ajax4jsf.renderkit.RendererBase.encodeEnd(RendererBase.java:134)
    at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:864)
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeRecursive(HtmlBasicRenderer.java:244)
    at com.sun.faces.renderkit.html_basic.GridRenderer.renderRow(GridRenderer.java:180)
    at com.sun.faces.renderkit.html_basic.GridRenderer.encodeChildren(GridRenderer.java:127)
    at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:840)
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930)
    at javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
    at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:840)
    at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
    at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258)
    at org.richfaces.renderkit.html.SimpleToggleControlTemplate.doEncodeChildren(SimpleToggleControlTemplate.java:301)
Exception in thread "http-bio-8080-exec-8" java.lang.OutOfMemoryError: PermGen space
Exception in thread "quartzScheduler_QuartzSchedulerThread" java.lang.OutOfMemoryError: PermGen space
Exception in thread "http-bio-8080-exec-10" java.lang.OutOfMemoryError: PermGen space


2) For the client, I added -Dhttps.protocols=TLSv1.2 to the end of the CloverETLDesigner.ini file, and also to Window > Preferences > CloverETL > ETL Runtime > VM parameters. Then I restarted the Designer and ran the graph with the WebServiceClient. This is what I got when trying to reach Salesforce:


16:27:57,030 ERROR [WatchDog_1] Component [Ensure Session:ENSURE_SESSION] finished with status ERROR. (In0: 1 recs, Out0: 0 recs)
 Subgraph sandbox://MySandbox/graph/subgraph/EnsureSession.sgrf(#2) finished with final status ERROR.
  Component [Fail:FAIL] finished with status ERROR. (In0: 1 recs)
   TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
16:27:57,030 ERROR [WatchDog_1] Error details:
org.jetel.exception.JetelRuntimeException: Component [Ensure Session:ENSURE_SESSION] finished with status ERROR. (In0: 1 recs, Out0: 0 recs)
   at org.jetel.graph.Node.createNodeException(Node.java:582)
   at org.jetel.graph.Node.run(Node.java:558)
   at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:744)
Caused by: org.jetel.exception.JetelRuntimeException
   at com.opensys.cloveretl.component.Subgraph.execute(Unknown Source)
   at org.jetel.graph.Node.run(Node.java:520)
   ... 3 more
Caused by: org.jetel.exception.JetelRuntimeException: Subgraph sandbox://ERxSync/graph/subgraph/EnsureSession.sgrf(#2) finished with final status ERROR.
   at org.jetel.graph.runtime.IAuthorityProxy$RunStatus.getException(IAuthorityProxy.java:167)
   ... 5 more
Caused by: org.jetel.exception.StackTraceWrapperException: Component [Fail:FAIL] finished with status ERROR. (In0: 1 recs)
 TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
   ... 6 more


Do you have any more ideas?

Thanks a bunch!
Jus

imriskal
Posts: 382
Joined: Wed Aug 15, 2012 8:18 am

Re: How to enable TLS 1.2

Postby imriskal » Thu Jul 14, 2016 3:26 pm

Jus,

I have found out that an upgrade to Java 8 (both CloverETL Designer and CloverETL Server) should help you, as Java 8 uses TLSv1.2 as the default. However, you should know that we have officially supported Java 8 since version 4.1. We do not test your version 4.0 with Java 8.

Our developers are actively investigating whether there is any chance to make Java 7 work with TLSv1.2 in CloverETL. If there is a way, I will definitely post it here.
---
Lubos Imriska
CloverCARE Support
CloverETL | Rapid Data Integration


imriskal
Posts: 382
Joined: Wed Aug 15, 2012 8:18 am

Re: How to enable TLS 1.2

Postby imriskal » Tue Aug 23, 2016 10:22 am

Just an update: our dev team found out that we have a small bug in WebServiceClient which ignores the https.protocols setting. It will be fixed in one of our next releases, but at the moment the only solution is to use Java 8 as mentioned before.
---
Lubos Imriska
CloverCARE Support
CloverETL | Rapid Data Integration


jusman
Posts: 8
Joined: Tue Apr 14, 2015 12:45 am

Re: How to enable TLS 1.2

Postby jusman » Tue Aug 30, 2016 7:04 pm

Thanks Lubos,

As a workaround for now, I have been using a JavaExecute component to switch the SSLContext. I put this component in a subgraph, at phase 0 before anything else, and it is called by all the graphs that need to go to Salesforce.

Jus


<Node enabled="enabled" guiName="Enable TLSv1.2" guiX="554" guiY="100" id="ENABLE_TLSV1_2" type="JAVA_EXECUTE">
<attr name="runnable"><![CDATA[import org.jetel.component.BasicJavaRunnable;
import org.jetel.exception.JetelRuntimeException;
import javax.net.ssl.SSLContext;

public class EnableTLSv1_2 extends BasicJavaRunnable {

   @Override
   public void run() {

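      // write into information log
      getNode().getLog().info("Enabling TLSv1.2");

      try {
         // Build a context for the "TLSv1.2" protocol family with the JVM's
         // default key managers, trust managers and SecureRandom (all null).
         SSLContext context = SSLContext.getInstance("TLSv1.2");
         context.init(null, null, null);
         // Replaces the default SSLContext for the whole JVM, not just this graph.
         SSLContext.setDefault(context);
      } catch (Exception e) {
         throw new JetelRuntimeException(e);
      }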
   }
}
]]></attr>
</Node>
</Phase>
</Graph>
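
A standalone check for the behaviour discussed in this thread, added here as an example (it is not CloverETL code and not from either poster): it prints which TLS versions the JVM's default SSLContext enables before and after the same three calls the JavaExecute workaround makes. The class name `TlsDefaultsCheck` and the optional host argument are assumptions; `https.protocols` is read by the JDK's HttpsURLConnection handler and does not change these SSLContext defaults, so the output is worth comparing on Java 7 and Java 8, with and without the flag.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
// Added diagnostic, not CloverETL code. Java 7 syntax so it runs on the JVM under test.
public class TlsDefaultsCheck {
    // Protocol versions a client socket from this context offers when nothing else is configured.
    static String[] enabledByDefault(SSLContext ctx) {
        return ctx.getDefaultSSLParameters().getProtocols();
    }
    // Everything the JSSE provider could negotiate if explicitly asked to.
    static String[] supported(SSLContext ctx) {
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    // Same three calls as the JavaExecute workaround; the change is JVM-wide.
    static SSLContext switchDefaultToTls12() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null); // default key managers, trust managers, SecureRandom
        SSLContext.setDefault(ctx);
        return SSLContext.getDefault();
    }

    // Optional live check against a host you name: reports the negotiated version only
    // (certificate chain is validated, hostname is not, so do not reuse this for real traffic).
    static String negotiated(SSLContext ctx, String host) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443);
        try {
            socket.startHandshake();
            return socket.getSession().getProtocol();
        } finally {
            socket.close();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.version     = " + System.getProperty("java.version"));
        System.out.println("https.protocols  = " + System.getProperty("https.protocols"));
        SSLContext before = SSLContext.getDefault();
        System.out.println("supported        : " + Arrays.toString(supported(before)));
        System.out.println("enabled (before) : " + Arrays.toString(enabledByDefault(before)));
        SSLContext after = switchDefaultToTls12();
        System.out.println("enabled (after)  : " + Arrays.toString(enabledByDefault(after)));
        if (!Arrays.asList(enabledByDefault(after)).contains("TLSv1.2")) {
            throw new IllegalStateException("TLSv1.2 is still not enabled by default");
        }
        if (args.length == 1) {
            System.out.println("negotiated with " + args[0] + ": " + negotiated(after, args[0]));
        }
    }
}
```

Run it with the same `java` binary and JVM options the server or Designer uses; pass a hostname as the single argument to also see the version actually negotiated with that endpoint.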