Friday, 27 October 2017

FTP adapter failed to connect SFTP server using password in SOA 12.1.3 with Java7

Issue: FTP adapter failed to connect SFTP server using password in SOA 12.1.3 with Java7.

Description: A BPEL composite reads a file and writes it to a folder path on another SFTP server. We created an FTP adapter outbound connection and deployed the composites. When we test the SOA composite, it fails to connect to the SFTP server with a user ID and password, returning an SSH error.

FTP adapter Outbound connection details
Host: XX.XX.XX.XX
ListParserKey: UNIX
Password: XXXXXXX
Port: 22
ServerType: unix
username: XXXXXXXX
UseSftp: true
Remaining fields: default

Error log:
BINDING.JCA-12563
Exception occurred when binding was invoked.
Exception occurred during invocation of JCA binding: "JCA Binding execute of Reference operation 'Put' failed due to: JCA Binding Component connection issue.
JCA Binding Component is unable to create an outbound JCA (CCI) connection.
HRIS_Conn_In_Out:HR_Out [ Put_ptt::Put(opaque) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: Error in establishing a session with SSH Server..
Error in establishing a session with SSH Server..
Unable to establish a session with the server.
Please ensure hostname and port specified to login to the server are correct.

Please make sure that the JCA connection factory and any dependent connection factories have been configured with a sufficient limit for max connections. Please also make sure that the physical connection to the backend EIS is available and the backend itself is accepting connections.
".
The invoked JCA adapter raised a resource exception.
Please examine the above error message carefully to determine a resolution.

<remoteFault xmlns="http://schemas.oracle.com/bpel/extension">
<part name="summary">
<summary>
Exception occurred when binding was invoked.
Exception occurred during invocation of JCA binding: "JCA Binding execute of Reference operation 'Put' failed due to: JCA Binding Component connection issue.
JCA Binding Component is unable to create an outbound JCA (CCI) connection.
HRIS_Conn_In_Out:HR_Out [ Put_ptt::Put(opaque) ] : The JCA Binding Component was unable to establish an outbound JCA CCI connection due to the following issue: Error in establishing a session with SSH Server..
Error in establishing a session with SSH Server..
Unable to establish a session with the server.
Please ensure hostname and port specified to login to the server are correct.
Please make sure that the JCA connection factory and any dependent connection factories have been configured with a sufficient limit for max connections. Please also make sure that the physical connection to the backend EIS is available and the backend itself is accepting connections.
".
The invoked JCA adapter raised a resource exception.
Please examine the above error message carefully to determine a resolution.
</summary>
</part>
<part name="detail">
<detail>
Failed to generate DH value [Unknown cause]
</detail>
</part>
<part name="code">
<code>
null
</code>
</part>
</remoteFault>

We suspected the issue was still with com.maverick.ssh.components.jce.DiffieHellmanGroupExchangeSha1.performClientExchange(Unknown Source).

Below are the SSH key exchange, cipher and MAC algorithms used when connecting to our SFTP vendor:
Key exchange: ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1
Ciphers: aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,twofish-cbc,blowfish-cbc,3des-cbc,arcfour
MACs: hmac-sha2-512,hmac-sha2-256,hmac-sha1,hmac-sha1-96

Cipher suites with SHA384 and SHA256 are available only for TLS 1.2 or later. 

We added the Java cryptography library to Java 7, but it did not resolve the issue.

Solution:

The problem is the prime size. The maximum size that Java accepts is 1024 bits. This is a known issue (see JDK-6521495).
The bug report that I linked to mentions a workaround using BouncyCastle's JCE implementation. Hopefully that should work for you.

Default key sizes and restrictions in Java 7:
Diffie-Hellman (DH): default key size 2048 (see footnote 1). Key size must either be a multiple of 64, ranging from 512 to 1024 (inclusive), or 2048 (see footnote 1).
DSA: default key size 1024. Key size must be a multiple of 64, ranging from 512 to 1024 (inclusive).
Footnote 1: Diffie-Hellman key pair generation supports key sizes up to 2048 bits since Java SE 7u91. Prior to Java SE 7u91, the default key size was 1024.
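As an added diagnostic (not code from this post, from Oracle's FTP adapter or from the Maverick library), the following Java program asks the local JVM's JCE to generate Diffie-Hellman key pairs at the sizes an SFTP server may propose during group exchange and reports which ones succeed. On a JDK that predates the JDK-6521495 fix the 2048-bit attempt fails, which is the condition behind the "Failed to generate DH value" fault; run it with the JVM that WebLogic uses. The class and method names are hypothetical.

```java
import java.security.InvalidParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import javax.crypto.interfaces.DHPublicKey;

/** Checks which DH key sizes the running JVM's JCE provider can generate. */
public class DhKeySizeCheck {

    /**
     * Returns the bit length of the DH prime actually used on success,
     * or -1 if this JVM refuses to generate a key pair of the requested size.
     */
    static int tryDhKeySize(int bits) {
        try {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman");
            kpg.initialize(bits);                      // throws on JDKs capped at 1024 bits
            DHPublicKey pub = (DHPublicKey) kpg.generateKeyPair().getPublic();
            return pub.getParams().getP().bitLength(); // size of the group actually used
        } catch (NoSuchAlgorithmException e) {
            System.out.println("  no DH provider: " + e.getMessage());
            return -1;
        } catch (InvalidParameterException e) {
            // Pre-7u91 JDKs reject anything above 1024 bits here (JDK-6521495).
            System.out.println("  rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        // 1024 is the old JDK ceiling; 2048 is the size a server's
        // diffie-hellman-group-exchange typically proposes. Larger sizes are left
        // out because the JDK must compute fresh parameters for them, which is slow.
        int[] sizes = {1024, 2048};
        for (int bits : sizes) {
            System.out.println(bits + "-bit DH:");
            int got = tryDhKeySize(bits);
            if (got < 0) {
                System.out.println("  NOT supported by this JVM");
            } else {
                System.out.println("  OK (prime length " + got + " bits)");
            }
        }
    }
}
```

If 2048-bit DH is reported as not supported, the SSH client inside the adapter cannot complete group exchange with servers that only offer 2048-bit or larger groups, regardless of the adapter configuration.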


After further research, this issue turned out to be a limitation of the cipher files in Java versions below 1.7_131.

JDK-8186290:
Release Note: Add support for the SHA224withDSA and SHA256withDSA signature algorithms and DSA keys with sizes up to 2048 bits.
We upgraded the Java version to 1.7.0_161, as it is the stable and final 1.7 release that is supported by SOA 12.1.3.

-bash-4.1$ java -version 
java version "1.7.0_161" 
Java(TM) SE Runtime Environment (build 1.7.0_161-b13) 
Java HotSpot(TM) 64-Bit Server VM (build 24.161-b13, mixed mode) 

As per the certification, JDK 8 is not certified to work with SOA 12.1.3. The compatible versions are 1.7.0_99 - 1.7.0_101. We upgraded Java to 1.7.0_161 and it worked.

Additional Resources:

  1. After Enabling SSL TLS1.2 Protocol, The SSL Handshake Fails With: Could Not Generate DH Keypair ( Doc ID 2050352.1 )
  2. WebLogic Server Fails To Establish SSL Handshake With HTTPS Endpoint That Uses Public Key Of 4096 Bits ( Doc ID 2299740.1 )
  3. SHA2 Support For FTP Adapter ( Doc ID 2253315.1 )
  4. OSB SFTP Transport or FTP Adapter do not support AES128-CTR, AES192-CTR or AES256-CTR ( Doc ID 2021603.1 )
  5. SOA 11g: SFTP Adapter returns error establishing an SSH session, 'BINDING.JCA-11445/11447' ( Doc ID 1486775.1 )
  6. Understanding SSL Protocols and Configuring Cipher Suites for Oracle WebLogic Server ( Doc ID 1484562.1 )



Happy learning! Keep sharing!


Ram.
