How to enable TLS 1.2

Hi there,

We have a couple of graphs that use the WebServiceClient component to make SOAP calls to Salesforce. Everything has been working fine until recently, when they disabled TLS 1.0 on all the sandbox (test) instances.

On the server, how do we make sure that the WebServiceClient component uses TLS 1.2? I have tried following the instructions here https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html, but having no luck.

We have Clover 4.0.4.13 running on top of Tomcat 7.0.65.

Thanks a bunch!
Jus

Hi Jus,

The mentioned instructions would work only if you tried to connect to CloverETL Server using TLS. If you want to connect to a third party service from a CloverETL graph, you have to add -Dhttps.protocols=TLSv1.2 as a JVM property to 3 places:

  1. For CloverETL Server, add the property to JAVA_OPTS of your application server. Then restart it.
  2. For CloverETL Designer, add it as a new line to CloverETLDesigner.ini file (at the very end of the file) in the Designer installation directory and also to Window > Preferences > CloverETL > ETL Runtime > VM parameters and restart the Designer.

Hope this helps.

Hi Lubos, thanks so much for your reply! However, I tried both your suggestions and they didn’t seem to work.

  1. For the server, I have tried adding -Dhttps.protocols=TLSv1.2 to JAVA_OPTS, and restarted tomcat, and then verified using `ps` that the argument was passed to java. When I tried to run a graph with the WebServiceClient in it from the server GUI, it just kept spinning and spinning and never came back. This is what I found in the log:
Jul 12, 2016 4:18:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Jul 12, 2016 4:18:34 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jul 12, 2016 4:18:35 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8010"]
Jul 12, 2016 4:18:35 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3391 ms
Jul 12, 2016 4:18:35 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Jul 12, 2016 4:18:35 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.65
Jul 12, 2016 4:18:35 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat/webapps/clover.war
Jul 12, 2016 4:18:50 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:18:50 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "com.sun.faces.config.ConfigureListener" is already configured for this context. The duplicate definition has been ignored.
Jul 12, 2016 4:18:54 PM com.sun.xml.ws.transport.http.servlet.WSServletDelegate <init>
INFO: WSSERVLET14: JAX-WS servlet initializing
Jul 12, 2016 4:18:54 PM org.apache.catalina.core.ApplicationContext log
INFO: No Spring WebApplicationInitializer types detected on classpath
16:18:54,394 INFO : === CloverETL 4.0.4.13 Starting ===
Jul 12, 2016 4:18:54 PM com.sun.faces.config.WebConfiguration processBooleanParameters
WARNING: JSF1025: [/clover] Context initialization parameter 'com.sun.faces.disableVersionTracking' is deprecated and will have no effect.
Jul 12, 2016 4:18:54 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Mojarra (1.2_15-20100816-SNAPSHOT) for context '/clover'
Jul 12, 2016 4:18:57 PM com.sun.faces.spi.InjectionProviderFactory createInstance
INFO: JSF1048: PostConstruct/PreDestroy annotations present.  ManagedBeans methods marked with these annotations will have said annotations processed.
Jul 12, 2016 4:18:58 PM com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jul 12, 2016 4:18:58 PM com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
INFO: WSSERVLET12: JAX-WS context listener initializing
Jul 12, 2016 4:19:12 PM org.apache.catalina.util.SessionIdGeneratorBase createSecureRandom
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [14,535] milliseconds.
Jul 12, 2016 4:19:13 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deployment of web application archive /var/lib/tomcat/webapps/clover.war has finished in 37,291 ms
Jul 12, 2016 4:19:13 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat/webapps/manager
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat/webapps/manager has finished in 1,578 ms
Jul 12, 2016 4:19:14 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat/webapps/host-manager
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.TldConfig execute
INFO: At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory /var/lib/tomcat/webapps/host-manager has finished in 1,345 ms
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jul 12, 2016 4:19:16 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8010"]
Jul 12, 2016 4:19:16 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 40632 ms
Jul 12, 2016 4:19:18 PM org.apache.catalina.core.ApplicationContext log
INFO: Initializing Spring root WebApplicationContext
16:19:47,665 INFO : === CloverETL Server 4.0.4.13 Started ===
16:19:47,678 INFO : Available memory:
 Heap memory (initial/used/max): 59 MB/85 MB/928 MB
 Non-heap memory (initial/used/max): 23 MB/75 MB/130 MB
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-core.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-html.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jsf-ui.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jstl-core.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-facelets-1.1.15.B1.jar!/META-INF/jstl-fn.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/jsf-impl-1.2_15.jar!/META-INF/mojarra_ext.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/a4j.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/rich.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/jsp.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/richfaces.taglib.xml
Jul 12, 2016 4:20:22 PM com.sun.facelets.compiler.TagLibraryConfig loadImplicit
INFO: Added Library from: jar:file:/var/lib/tomcat/webapps/clover/WEB-INF/lib/richfaces-ui-3.3.3.Final.jar!/META-INF/ajax4jsf.taglib.xml
Bad Base64 input character at 8: 46(decimal)
Exception in thread "http-bio-8080-exec-2" java.lang.OutOfMemoryError: PermGen space
    at sun.misc.Unsafe.defineClass(Native Method)
    at sun.reflect.ClassDefiner.defineClass(ClassDefiner.java:63)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:399)
    at sun.reflect.MethodAccessorGenerator$1.run(MethodAccessorGenerator.java:396)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.reflect.MethodAccessorGenerator.generate(MethodAccessorGenerator.java:395)
    at sun.reflect.MethodAccessorGenerator.generateMethod(MethodAccessorGenerator.java:77)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:46)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at javax.el.BeanELResolver.getValue(BeanELResolver.java:99)
    at com.sun.faces.el.DemuxCompositeELResolver._getValue(DemuxCompositeELResolver.java:173)
    at com.sun.faces.el.DemuxCompositeELResolver.getValue(DemuxCompositeELResolver.java:200)
    at org.apache.el.parser.AstValue.getValue(AstValue.java:183)
    at org.apache.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:184)
    at com.sun.facelets.el.TagValueExpression.getValue(TagValueExpression.java:71)
    at javax.faces.component.UIOutput.getValue(UIOutput.java:184)
    at org.richfaces.renderkit.CalendarRendererBase.getInputValue(CalendarRendererBase.java:550)
    at org.richfaces.renderkit.html.CalendarRenderer.doEncodeEnd(CalendarRenderer.java:297)
    at org.richfaces.renderkit.html.CalendarRenderer.doEncodeEnd(CalendarRenderer.java:516)
    at org.ajax4jsf.renderkit.RendererBase.encodeEnd(RendererBase.java:134)
    at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:864)
    at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeRecursive(HtmlBasicRenderer.java:244)
    at com.sun.faces.renderkit.html_basic.GridRenderer.renderRow(GridRenderer.java:180)
    at com.sun.faces.renderkit.html_basic.GridRenderer.encodeChildren(GridRenderer.java:127)
    at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:840)
    at javax.faces.component.UIComponent.encodeAll(UIComponent.java:930)
    at javax.faces.render.Renderer.encodeChildren(Renderer.java:148)
    at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:840)
    at org.ajax4jsf.renderkit.RendererBase.renderChild(RendererBase.java:277)
    at org.ajax4jsf.renderkit.RendererBase.renderChildren(RendererBase.java:258)
    at org.richfaces.renderkit.html.SimpleToggleControlTemplate.doEncodeChildren(SimpleToggleControlTemplate.java:301)
Exception in thread "http-bio-8080-exec-8" java.lang.OutOfMemoryError: PermGen space
Exception in thread "quartzScheduler_QuartzSchedulerThread" java.lang.OutOfMemoryError: PermGen space
Exception in thread "http-bio-8080-exec-10" java.lang.OutOfMemoryError: PermGen space

  2. For the client, I added -Dhttps.protocols=TLSv1.2 to the end of the CloverETLDesigner.ini file. And also to Window > Preferences > CloverETL > ETL Runtime > VM parameters. And then I restarted the designer and ran the graph with the WebServiceClient. This is what I got when trying to reach Salesforce:
16:27:57,030 ERROR [WatchDog_1] Component [Ensure Session:ENSURE_SESSION] finished with status ERROR. (In0: 1 recs, Out0: 0 recs)
 Subgraph sandbox://MySandbox/graph/subgraph/EnsureSession.sgrf(#2) finished with final status ERROR.
  Component [Fail:FAIL] finished with status ERROR. (In0: 1 recs)
   TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
16:27:57,030 ERROR [WatchDog_1] Error details:
org.jetel.exception.JetelRuntimeException: Component [Ensure Session:ENSURE_SESSION] finished with status ERROR. (In0: 1 recs, Out0: 0 recs)
	at org.jetel.graph.Node.createNodeException(Node.java:582)
	at org.jetel.graph.Node.run(Node.java:558)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:744)
Caused by: org.jetel.exception.JetelRuntimeException
	at com.opensys.cloveretl.component.Subgraph.execute(Unknown Source)
	at org.jetel.graph.Node.run(Node.java:520)
	... 3 more
Caused by: org.jetel.exception.JetelRuntimeException: Subgraph sandbox://ERxSync/graph/subgraph/EnsureSession.sgrf(#2) finished with final status ERROR.
	at org.jetel.graph.runtime.IAuthorityProxy$RunStatus.getException(IAuthorityProxy.java:167)
	... 5 more
Caused by: org.jetel.exception.StackTraceWrapperException: Component [Fail:FAIL] finished with status ERROR. (In0: 1 recs)
 TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
	... 6 more

Do you have any more ideas?

Thanks a bunch!
Jus

Jus,

I have found out that an upgrade to Java 8 (both CloverETL Designer and CloverETL Server) should help you as Java 8 uses TLSv1.2 as the default. However, you should know that we officially support Java 8 since version 4.1. We do not test your version 4.0 with Java 8.

Our developers are actively investigating whether there is any chance to make Java 7 work with TLSv1.2 in CloverETL. If there is a way, I will definitely post it here.

Just an update, our dev team found out that we have a small bug in WebServiceClient which ignores the https.protocols setting. It will be fixed in one of our next releases but at the moment, the only solution is to use Java 8 as mentioned before.

Thanks Lubos,

As a workaround for now, I have been using a JavaExecute component to switch the SSLContext. I put this component in a subgraph, at phase 0 before anything else, and it is called by all the graphs that need to go to Salesforce.

Jus


<Node enabled="enabled" guiName="Enable TLSv1.2" guiX="554" guiY="100" id="ENABLE_TLSV1_2" type="JAVA_EXECUTE">
<attr name="runnable"><![CDATA[import org.jetel.component.BasicJavaRunnable;
import org.jetel.exception.JetelRuntimeException;
import javax.net.ssl.SSLContext;

/**
 * Replaces the JVM-wide default SSLContext with one that has TLSv1.2 enabled.
 * Anything that later obtains its socket factory from SSLContext.getDefault()
 * (or SSLSocketFactory.getDefault()) picks the new context up, so this must
 * run before the first HTTPS connection is made in the JVM.
 */
public class EnableTLSv1_2 extends BasicJavaRunnable {

	@Override
	public void run() {

		// write into information log
		getNode().getLog().info("Enabling TLSv1.2");

		try {
			SSLContext context = SSLContext.getInstance("TLSv1.2");
			// null key managers, trust managers and SecureRandom keep the JVM
			// defaults, so certificate validation is unchanged
			context.init(null, null, null);
			SSLContext.setDefault(context);
		} catch (Exception e) {
			throw new JetelRuntimeException(e);
		}
	}
}
]]></attr>
</Node>
</Phase>
</Graph>
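The following stand-alone program is an added example, not code from this thread or from CloverETL. It shows why -Dhttps.protocols does not reach code that builds its sockets from the JVM's default SSLContext (the property is honoured by HttpsURLConnection, which applies it to its own sockets), what the SSLContext.setDefault() workaround above changes, and a narrower alternative that restricts a single socket instead of the whole JVM. The class and method names are my own; the sockets are created but never connected, so it runs offline. The exact protocol lists printed depend on the JDK build it runs under.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.Arrays;
import java.util.List;

public class TlsDefaultsCheck {

    /** Protocols enabled on an unconnected socket from the current default SSLContext. */
    static List<String> defaultEnabledProtocols() throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected: no network needed
        try {
            return Arrays.asList(socket.getEnabledProtocols());
        } finally {
            socket.close();
        }
    }

    static boolean tls12EnabledByDefault() throws Exception {
        return defaultEnabledProtocols().contains("TLSv1.2");
    }

    /** The thread's workaround: replace the process-wide default SSLContext. */
    static void enableTls12Default() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        // nulls keep the JVM's default key managers, trust managers and SecureRandom,
        // so certificate validation stays on; only the enabled protocols change
        ctx.init(null, null, null);
        SSLContext.setDefault(ctx);
    }

    /** Narrower alternative: pin one socket to TLSv1.2 without touching the JVM default. */
    static SSLSocket restrictToTls12(SSLSocket socket) {
        socket.setEnabledProtocols(new String[] {"TLSv1.2"});
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Read by HttpsURLConnection only; code that uses SSLContext directly never sees it.
        System.out.println("https.protocols         = " + System.getProperty("https.protocols"));
        System.out.println("default context before  = " + defaultEnabledProtocols());

        if (!tls12EnabledByDefault()) {
            enableTls12Default();
        }
        System.out.println("default context after   = " + defaultEnabledProtocols());

        // A library that builds its own context (SSLContext.getInstance("TLS") or a
        // factory cached before setDefault ran) is still unaffected by both the
        // property and the workaround. HttpsURLConnection caches its default
        // SSLSocketFactory on first use, which is why the workaround has to run first.
        SSLContext own = SSLContext.getInstance("TLS");
        own.init(null, null, null);
        SSLSocket libSocket = (SSLSocket) own.getSocketFactory().createSocket();
        System.out.println("library-created context = " + Arrays.asList(libSocket.getEnabledProtocols()));

        // Per-socket restriction works regardless of which context produced the socket.
        System.out.println("pinned single socket    = "
                + Arrays.asList(restrictToTls12(libSocket).getEnabledProtocols()));
        libSocket.close();
    }
}
```

Compile and run it with `java -Dhttps.protocols=TLSv1.2 TlsDefaultsCheck` under the same JDK as the server to see that the property is set but the default context's enabled list is what it was before; the setDefault() call is what moves TLSv1.2 into that list.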


Hi,

Is this still the known fix for this issue? Do I also need to update the cloverServer.properties file?

Also, I'm having trouble locating the "CloverDesigner.ini" file. Can you point me in the right direction?

I'm running 4.0 on JBoss.

Hi,

First of all, please note that the 4.0 version of CloverETL is in status "EOL - End of Life" and it is not supported anymore. Nevertheless, the steps described by Lubos should help to implement TLS 1.2 in this old version (as stated earlier in the topic, be aware that it won't work with the WebServiceClient component in your version).

Let me specify some details:

  1. It is not necessary to update cloverServer.properties as well. In the JBoss application server, the JAVA_OPTS mentioned above should be added to the run.conf (Unix) or run.conf.bat (Windows) file (or in newer versions of JBoss to the standalone.conf or standalone.conf.bat file) located in <JBOSS_HOME>/bin. E.g. on a Windows machine, you should add the following line to the run.conf.bat file:
set "JAVA_OPTS=%JAVA_OPTS% -Dhttps.protocols=TLSv1.2"
  2. The ini file that is supposed to be updated is located in the main folder of the Designer installation; the path usually looks like the following:
    C:\Program Files\CloverETL Designer\CloverETLDesigner.ini
    Add -Dhttps.protocols=TLSv1.2 at the end of the file, save and restart the Designer. Don't forget to add it also to Window > Preferences > CloverETL > ETL Runtime > VM parameters and restart the Designer.

Anyway, our recommendation is to upgrade your CloverETL to a higher version so that it is safe to use JDK 1.8 (which should resolve this situation without any other change). Java 8 has been tested with CloverETL since version 4.1, and since version 4.2 the Designer is bundled with Java 8 right away.

Have a nice day, Eva