10 Ответы Последний ответ: 01.04.2020 18:13, автор: Scott_D

    TLS 1.2 support


      We would like to update our communications to TLS 1.2.  We recently made the update, and saw errors within Documaker 12.4 connecting to SQL Server.  We are using the JNDI connection using the microsoft JDBC driver.


      It almost seems the java 1.7 version is not supporting TLS 1.2.  Our error was a NullPointerException:


      Transaction Error Report - System timestamp: mon mar 30 12:06:23 2020

      DM12041:  Error : FAP library error: Transaction:<>, area:<JDBC Error>

                code1:<-4205>, code2:<4294963091>

                message:<08001 -4205 [JDB]null

      Stack Trace:


      DM12041:  Error : FAP library error: Transaction:<>, area:<LBYInitializeLoaders()>

                code1:<0>, code2:<0>

                message:<Failed to initialize library <AMS>>.

      DM15066:  Error in RunGenData: Unable to LBYInitializeLoaders().   The system is configured to use Library Manager but the library could not be initialized.  Verify that the library is specified correctly in the INI file and is accessible.



      ==> Warning  count:    0

      ==> Error    count:    3


      The console had this:

      Mar 30, 2020 12:16:54 PM com.microsoft.sqlserver.jdbc.TDSChannel enableSSL

      INFO: java.security path: C:\dotnetsvc-applications\DOAM-TEST-AMSDocumaker\rp\jre\lib\security

      Security providers: [SUN version 1.7, SunRsaSign version 1.7, SunEC version 1.7, SunJSSE version 1.7, SunJCE version 1.7, SunJGSS version 1.7, SunSASL version 1.7, XMLDSig version 1.0, SunPCSC version 1.7, SunMSCAPI version 1.7]

      SSLContext provider info: Sun JSSE provider(PKCS12, SunX509 key/trust factories, SSLv3, TLSv1)

      SSLContext provider services:

      [SunJSSE: KeyFactory.RSA -> sun.security.rsa.RSAKeyFactory

        aliases: [1.2.840.113549.1.1, OID.1.2.840.113549.1.1]

      , SunJSSE: KeyPairGenerator.RSA -> sun.security.rsa.RSAKeyPairGenerator

        aliases: [1.2.840.113549.1.1, OID.1.2.840.113549.1.1]

      , SunJSSE: Signature.MD2withRSA -> sun.security.rsa.RSASignature$MD2withRSA

        aliases: [1.2.840.113549.1.1.2, OID.1.2.840.113549.1.1.2]

      , SunJSSE: Signature.MD5withRSA -> sun.security.rsa.RSASignature$MD5withRSA

        aliases: [1.2.840.113549.1.1.4, OID.1.2.840.113549.1.1.4]

      , SunJSSE: Signature.SHA1withRSA -> sun.security.rsa.RSASignature$SHA1withRSA

        aliases: [1.2.840.113549.1.1.5, OID.1.2.840.113549.1.1.5,, OID.]

      , SunJSSE: Signature.MD5andSHA1withRSA -> sun.security.ssl.RSASignature

      , SunJSSE: KeyManagerFactory.SunX509 -> sun.security.ssl.KeyManagerFactoryImpl$SunX509

      , SunJSSE: KeyManagerFactory.NewSunX509 -> sun.security.ssl.KeyManagerFactoryImpl$X509

        aliases: [PKIX]

      , SunJSSE: TrustManagerFactory.SunX509 -> sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory

      , SunJSSE: TrustManagerFactory.PKIX -> sun.security.ssl.TrustManagerFactoryImpl$PKIXFactory

        aliases: [SunPKIX, X509, X.509]

      , SunJSSE: SSLContext.TLSv1 -> sun.security.ssl.SSLContextImpl$TLS10Context

        aliases: [TLS, SSL, SSLv3]

      , SunJSSE: SSLContext.TLSv1.1 -> sun.security.ssl.SSLContextImpl$TLS11Context

      , SunJSSE: SSLContext.TLSv1.2 -> sun.security.ssl.SSLContextImpl$TLS12Context

      , SunJSSE: SSLContext.Default -> sun.security.ssl.SSLContextImpl$DefaultSSLContext

      , SunJSSE: KeyStore.PKCS12 -> sun.security.pkcs12.PKCS12KeyStore


      java.ext.dirs: C:\dotnetsvc-applications\DOAM-TEST-AMSDocumaker\rp\jre\lib\ext;C:\WINDOWS\Sun\Java\lib\ext

      Error in main(): Unable to RunGenData(). See error file for more messages.


      Anyone else run into this, and have a work around?  Some searching made it look like we could update the HTTPS protocols in java, but not sure where I could provide that update.

        • 1. Re: TLS 1.2 support

          Hi Scott_D,


          I have seen hits that say that Java 8's default is TLS v1.2 but Java 7 supports it as of version 1.7.0_95 but in order to use it you have to set a system property jdk.tls.client.protocols to TLSv1.2 to force it enabled.   That property can be a list of comma-delimited string values as to what to support, e.g. "TLSv1.2,TLSv1.1"


          Try adding this to your JRE arguments:


          • 2. Re: TLS 1.2 support

            See https://www.java.com/en/configure_crypto.html section "How to change the protocol version on client side"

            • 3. Re: TLS 1.2 support

              How do I set that within Documaker/Gendaw32.exe?  Is there a place to pass Java Environment variables?  I know we can set things in the docserv.xml within docupresentment, but how do we do that in Gendaw32.exe?  We are using a JDBC COnnection using JNDI in GENDAW32.

              • 4. Re: TLS 1.2 support

                If ODEE, you can set it in the Assembler/Distributor/Presenter worker's "env.JVM_OPTIONS" value as a comma delimited additional startup argument and to the other pure-java worker's "JVMOptions" space delimited properties values via the Documaker Administartor web app.


                If ODSE, then the environment variable JVM_OPTIONS before execution of the gendata executable. 


                Note: Newer versions of Documaker use JRE 8. 

                • 5. Re: TLS 1.2 support

                  Hey Scott,


                  This post details the configuration of SQL Server clients using Microsoft JDBC for encrypted connections, specifically how to enable and control some of the client-side settings using connection string parameters. The post also references another post on how to configure client side connections -- which may necessitate setting JVM_OPTIONS variable that Steve mentions in the thread.



                  • 6. Re: TLS 1.2 support

                    Ok.  Thanks for the update.  I will play with that.  One further question for clarification.  We do execute GENDAW32.exe via IDS.  How do I set the JVM_OPTIONS in there?


                    Here is an example of our current .ini from from IDS (this file is referenced from the DAP.ini).


                    ;**************Begin Settings for running RP via IDS*********************

                    [ IDSServer ]

                       ExtrPath           = c:\AMS\IDS_SANDBOX

                       PrintPath          = c:\AMS\IDS_SANDBOX

                       JobLogPath         = c:\AMS\IDS_SANDBOX

                       JobTicketPath      = c:\AMS\IDS_SANDBOX

                       WaitForStart       = 60

                       SleepingTime       = 500

                       MaxWaitTime        = 120

                       GENSemaphoreName   = amssysgengen

                       RPDSemaphoreName   = amssysgenrp

                       PrintFileCacheTime = 180

                       TextFileCacheTime  = 180



                    [ RPDRunRP ]

                       Executable         = RP\DLL\gendaw32.exe

                       Directory          = mstrres\

                       UserINI       = .\fsiuser_sys_gen.ini

                       Baselocation       = c:\AMS\IDS_SANDBOX



                    [ Debug ]

                       RPDProcessJob      = No

                    • 7. Re: TLS 1.2 support

                      It is an environment variable so one option is to set it in what you use to startup IDS, such as the provided startup script (docserver.bat), or you can set it as a system level environment variable and then it will get inherited from the forked GenData process.  

                      • 8. Re: TLS 1.2 support

                        We are running Documaker 12.4.  The internal java version appears to be 1.7.0_13.  If I am reading correctly, the recommended setting was introduced in 1.7 u 95.


                        Trying with  -Djdk.tls.client.protocols="TLSv1.2" resulted in the same error.


                        I did not see that our company had a 32-bit version of  1.7.  I played with swapping in a version of java 8, and ended up with an error within documaker.


                        Any other suggestions?  Were later versions of Documaker using newer versions of Java?

                        • 9. Re: TLS 1.2 support

                          Hmm, what was the error when you went to java 8 32-bit? 

                          Seem to recall that there was not much that had to be done to Documaker to get it to work with Java 8 (32-bit) when it was upgraded but that was a while ago.


                          If you can't get java 7 at newer release the next option is to upgrade to a version of Documaker that has it as you are upgrading your SQL Server client side version and encryption.

                          • 10. Re: TLS 1.2 support

                            I think my mistake when updating to java 8 was I used a 64-bit version.  I tested again with a 32-bit version of Java and was successful against TLS 1.2.


                            Do we need to worry about updating from 1.7 to 1.8 for ODSE?  I assume it is as simple as copying the new JRE into the JRE folder within both IDS and RP?