Troubleshooting TLS issues in the Gateway Server and Continuous Optimization Agents
Validate TLS status
Validate the TLS status by parsing the service daemon logfiles. For details about logfiles, see Working with Gateway Server and Agent logfiles.
Scenario | Logfile excerpt |
---|---|
When TLS is enabled in the Agent | SSL configured for: Server |
When TLS is enabled in the Gateway Server | SSL configured for: Client |
When the first TLS-enabled connection happens | TLS communication active |
When TLS server is not configured | Configuring non-TLS sockets |
Resolution for common issues
The following logfile excerpts can help you identify possible fixes to common issues related to TLS configuration.
Symptom | Cause | Resolution |
---|---|---|
The Gateway Server and the Agent are upgraded, yet logfiles report "non-TLS sockets active". client: Fri Sep 22 14:16:30 2023 GeneralManager (8148:25024) Warning : SSL security set to NONE Fri Sep 22 14:16:30 2023 GeneralManager (8148:25024) non-TLS sockets active server: Fri Sep 22 14:16:31 2023 Service Daemon (26328:7052) Warning : SSL security set to NONE Fri Sep 22 14:16:31 2023 Service Daemon (26328:7052) Configuring non-TLS sockets | TLS is not yet enabled in these components. The default out-of-the-box TLS configuration setting is SOCKCOMM_SSL_NONE. | In the silent install options files, make sure you add the SOCKCOMM_TLSv1_3 parameter to the TLS configuration. For details, see Configuring TLS in Gateway Server installation and Configuring TLS in Agent installation. |
TLS is enabled in the Agent, yet the logfiles show a "Write failed" error. client: Fri Sep 22 12:57:43 2023 GeneralManager (26172:8288) Warning : SSL security set to NONE Fri Sep 22 12:57:43 2023 GeneralManager (26172:8288) non-TLS sockets active Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) peek timed out Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) iread timed out Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) GeneralManagerWrite got a bad read on ack, Error = No error Fri Sep 22 12:57:53 2023 GeneralManager (26172:8288) OSVersionRequestor::encodeAndProcess : Write failed server: Fri Sep 22 11:58:19 2023 Service Daemon (19244:23440) TLS context flags: [1, 1350] Fri Sep 22 11:58:19 2023 Service Daemon (19244:23440) SSL configured for: Server Fri Sep 22 12:44:37 2023 Service Daemon (19244:23440) TLS communication active Fri Sep 22 12:57:43 2023 Service Daemon (19244:23440) SSL call accept failed: SSL_ERROR_SSL: error is 0 | TLS has not been enabled in the Gateway Server. | TLS should always be enabled in the following order:
|
TLS is enabled in the Gateway Server, yet the logfiles show a "TLS unsuccessful - no fallback allowed" error. client: Fri Sep 22 13:08:38 2023 GeneralManager (25384:25692) TLS context flags: [0, 1350] Fri Sep 22 13:08:38 2023 GeneralManager (7052:18328) SSL configured for: Client Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) SSL call connect failed: SSL_ERROR_SSL: error is 0 Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) timedOutConnect ERROR: TLS unsuccessful - no fallback allowed server: Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Warning : SSL security set to NONE Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Configuring non-TLS sockets Fri Sep 22 13:08:38 2023 Service Daemon (13204:15640) Error : Invalid Magic Number Encountered in Message Header Fri Sep 22 13:08:38 2023 Service Daemon (13204:15640) Error : Invalid Message Format Encountered | TLS is not enabled in the Agent. In addition, the TLS configuration includes the SOCKCOMM_SSL_NO_FALLBACK parameter. | Perform one of these steps:
If you choose not to enable TLS in the Agent, the default TLS configuration allows fallback, so communication between the components should not fail. Make sure you do not disable fallback. For details, see TLS configuration parameters. |
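
A log check that applies the markers from the tables above, as an added example that is not part of the product or its documentation. It assumes the "timestamp, process, (pid:tid), message" line layout seen in the excerpts and treats the client log as the Gateway Server and the server log as the Agent, as the first table indicates; the names flags and diagnose and the result strings are hypothetical.

```python
import re

# Assumed layout, from the excerpts above: "<timestamp> <process> (<pid>:<tid>) <message>"
LINE = re.compile(r"^\w{3} \w{3} +\d+ [\d:]{8} \d{4} (.+?) \((\d+):(\d+)\) (?P<msg>.*)$")

# Message substrings copied from the tables on this page; flag names are hypothetical.
MARKERS = {
    "SSL configured for: Server": "tls_server",
    "SSL configured for: Client": "tls_client",
    "SSL security set to NONE": "plain",
    "TLS unsuccessful - no fallback allowed": "no_fallback",
}

def flags(log_text):
    """Return the marker flags found in one component's logfile."""
    found = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # ignore anything that is not in the logfile line layout
            found |= {f for needle, f in MARKERS.items() if needle in m["msg"]}
    return found

def diagnose(client_log, server_log):
    """client_log: Gateway Server logfile; server_log: Agent logfile."""
    c, s = flags(client_log), flags(server_log)
    client_tls, server_tls = "tls_client" in c, "tls_server" in s
    if client_tls and server_tls:
        return "TLS configured on both sides"
    if server_tls:
        return "TLS enabled in Agent only: enable it in the Gateway Server"
    if client_tls:
        if "no_fallback" in c:
            return "TLS enabled in Gateway Server only, fallback disabled"
        return "TLS enabled in Gateway Server only"
    if "plain" in c and "plain" in s:
        return "TLS not enabled in either component"
    return "undetermined"

# Sample input: lines taken from the third symptom row above.
CLIENT = """\
Fri Sep 22 13:08:38 2023 GeneralManager (7052:18328) SSL configured for: Client
Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) SSL call connect failed: SSL_ERROR_SSL: error is 0
Fri Sep 22 13:08:39 2023 GeneralManager (7052:18328) timedOutConnect ERROR: TLS unsuccessful - no fallback allowed
"""
SERVER = """\
Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Warning : SSL security set to NONE
Fri Sep 22 13:06:49 2023 Service Daemon (13204:8944) Configuring non-TLS sockets
"""

print(diagnose(CLIENT, SERVER))
```

A result of "TLS not enabled in either component", or a one-sided result while fallback is still allowed, means the two components are configured to talk over non-TLS sockets.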