Troubleshooting TLS issues in the Gateway Server and Continuous Optimization Agents

Secure communication between the Gateway Server and Continuous Optimization Agent by enabling TLS version 1.3. However, TLS might fail due to incorrect configurations. Review the relevant service daemon logfiles to troubleshoot communication issues.

Validate TLS status

Validate the TLS status by parsing the service daemon logfiles. For details about logfiles, see Working with Gateway Server and Agent logfiles.

ScenarioLogfile excerpt

When TLS is enabled in the Agent

SSL configured for: Server

When TLS is enabled in the Gateway Server

SSL configured for: Client

When the first TLS-enabled connection happens

TLS communication active

When TLS server is not configured

Configuring non-TLS sockets

Resolution for common issues

The following logfile excerpts can help you identify possible fixes to common issues related to TLS configuration.

SymptomCauseResolution

The Gateway Server and the Agent are upgraded, yet logfiles report "non-TLS sockets active".


client:

Fri Sep 22 14:16:30 2023 GeneralManager (8148:25024) Warning : SSL security set to NONE
Fri Sep 22 14:16:30 2023 GeneralManager (8148:25024) non-TLS sockets active


server:

Fri Sep 22 14:16:31 2023 Service Daemon (26328:7052) Warning : SSL security set to NONE
Fri Sep 22 14:16:31 2023 Service Daemon (26328:7052) Configuring non-TLS sockets

TLS is not yet enabled in these components.

The default out-of-the-box TLS configuration setting is SOCKCOMM_SSL_NONE.

In the silent install options files, make sure you add the SOCKCOMM_TLSv1_3 parameter to TLS configuration.

For details, see Configuring TLS in Gateway Server installation and Configuring TLS in Agent installation.

TLS is enabled in the Agent, yet the logfiles show a "Write failed" error.


client:

Fri Sep 22 12:57:43 2023 GeneralManager (26172:8288) Warning : SSL security set to NONE
Fri Sep 22 12:57:43 2023 GeneralManager (26172:8288) non-TLS sockets active
Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) peek timed out
Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) iread timed out
Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) GeneralManagerWrite got a bad read on ack, Error = No error
Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) OSVersionRequestor::encodeAndProcess : Write failed 

server:

Fri Sep 22 11:58:19 2023 Service Daemon (19244:23440) TLS context flags: [1, 1350]
Fri Sep 22 11:58:19 2023 Service Daemon (19244:23440) SSL configured for: Server
Fri Sep 22 12:44:37 2023 Service Daemon (19244:23440) TLS communication active
Fri Sep 22 12:57:43 2023 Service Daemon (19244:23440) SSL call accept failed: SSL_ERROR_SSL: error is 0 

TLS has not been enabled in the Gateway Server.

TLS should always be enabled in the following order:

  1. Gateway Server
  2. Agent (optional)


TLS is enabled in the Gateway Server, yet the logfiles show a "TLS unsuccessful - no fallback allowed" error.

client:

Fri Sep 22 13:08:38 2023 GeneralManager (25384:25692) TLS context flags: [0, 1350]
Fri Sep 22 13:08:38 2023 GeneralManager (7052:18328) SSL configured for: Client
Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) SSL call connect failed: SSL_ERROR_SSL: error is 0 
Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) timedOutConnect ERROR: TLS unsuccessful - no fallback allowed

server:

Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Warning : SSL security set to NONE
Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Configuring non-TLS sockets
Fri Sep 22 13:08:38 2023 Service Daemon (13204:15640) Error : Invalid Magic Number Encountered in Message Header
Fri Sep 22 13:08:38 2023 Service Daemon (13204:15640) Error : Invalid Message Format Encountered

TLS is not enabled in the Agent.

Also, TLS configuration has included the SOCKCOMM_SSL_NO_FALLBACK parameter.

Perform one of these steps:

  • Enable TLS in the Agent
  • Exclude the SOCKCOMM_SSL_NO_FALLBACK parameter from TLS configuration in the silent install options file or Agent.cfg

If you choose to not enable TLS in the Agent, the default TLS configuration allows fallback and thereby communication should not fail between the components. Make sure you do not disable fallback.

For details, see TLS configuration parameters.


Was this page helpful? Yes No Submitting... Thank you

Comments