IBM Developer Answers
Why do SSL handshakes sometimes fail when there are multiple backends behind a load balancer?

Question by ClarissaB (1587) | Mar 22, 2017 at 12:17 PM
Tags: datapower, ssl, tls, failure, multiple, ciphers, handshake, vip

DataPower is used to connect to a single VIP (or load balancer) which has multiple backend servers behind it. Each backend server supports a different TLS version and/or ciphers. The DataPower SSL Client Profile is also configured to support the same TLS versions/ciphers as the various backends; however, intermittent SSL handshake failures occur.

Why do SSL handshakes sometimes fail when there are multiple backends behind a load balancer?

Accepted answer

Answer by ClarissaB (1587) | Mar 22, 2017 at 12:34 PM

Intermittent SSL handshake failures can occur for this scenario if SSL caching is enabled.

This is because DataPower is not aware that it is connecting to a load balancer. Furthermore, it is not possible for it to know there are multiple backends behind the load balancer that might be using different TLS versions/ciphers. It simply connects to the configured IP and tries to resume the previous SSL session until the cache expires.

So if the request is routed to a different backend than the previous cached session, the connection will fail.

To avoid this, it is recommended to either:

a. Have all the backends support the same TLS versions/ciphers.
b. Turn off SSL caching.

Note: SSL caching is not beneficial in this scenario anyway because DataPower will never actually resume a handshake if a different backend is selected each time.

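The cache-plus-routing interaction described in the answer, as an added Python model that is not part of the original post or of DataPower's own code. The `Backend`, `Client` and `run` names, the round-robin VIP, the sample version/cipher labels, and the assumption that a resume attempt offers only the cached version and cipher are all constructed for illustration.

```python
from itertools import cycle

class Backend:
    """One server behind the VIP, with its own TLS version/cipher support."""
    def __init__(self, name, versions, ciphers):
        self.name, self.versions, self.ciphers = name, set(versions), set(ciphers)
        self.sessions = {}  # session ids this backend issued -> (version, cipher)

    def handshake(self, offered_versions, offered_ciphers, session_id=None):
        # Resumption only works on the backend that issued the session.
        if session_id is not None and session_id in self.sessions:
            return ("resumed", session_id, *self.sessions[session_id])
        # Full handshake: highest mutual version (string order suffices for the
        # sample labels), first mutual cipher in the client's preference order.
        versions = sorted(self.versions & set(offered_versions), reverse=True)
        ciphers = [c for c in offered_ciphers if c in self.ciphers]
        if not versions or not ciphers:
            return ("failed", None, None, None)
        sid = f"{self.name}-{len(self.sessions) + 1}"
        self.sessions[sid] = (versions[0], ciphers[0])
        return ("full", sid, versions[0], ciphers[0])

class Client:
    """SSL client profile; 'caching' stands in for the SSL session cache."""
    def __init__(self, versions, ciphers, caching=True):
        self.versions, self.ciphers, self.caching = versions, ciphers, caching
        self.cached = None  # (session_id, version, cipher) of the last session

    def connect(self, backend):
        if self.caching and self.cached:
            sid, ver, cipher = self.cached
            # Assumption: a resume attempt offers only the cached parameters.
            status, sid, ver, cipher = backend.handshake([ver], [cipher], session_id=sid)
        else:
            status, sid, ver, cipher = backend.handshake(self.versions, self.ciphers)
        if status != "failed" and self.caching:
            self.cached = (sid, ver, cipher)
        return status

def run(client, backends, connections=6):
    """Round-robin 'VIP': returns the outcome of each successive connection."""
    pool = cycle(backends)
    return [client.connect(next(pool)) for _ in range(connections)]

if __name__ == "__main__":
    mixed = [Backend("old", ["TLSv1.0"], ["AES128-SHA"]),
             Backend("new", ["TLSv1.2"], ["ECDHE-RSA-AES256-GCM-SHA384"])]
    profile = (["TLSv1.2", "TLSv1.0"], ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"])
    print("cache on, mixed backends: ", run(Client(*profile), mixed))
    print("cache off, mixed backends:", run(Client(*profile, caching=False), mixed))
```

With the cache on, every other connection lands on the backend that never issued the cached session and cannot speak its parameters, so the handshakes alternate between success and failure; with the cache off, or with identical backends, every connection succeeds, and with identical backends no session is ever actually resumed, which is the answer's closing point.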
