Datapower is used to connect to a single VIP (or load balancer) which has multiple backend servers behind it. Each backend server supports a different TLS version and/or ciphers. The Datapower SSL Client Profile is also configured to support the same TLS versions/ciphers as the various backends; however, intermittent SSL handshake failures occur.
Why do SSL handshakes sometimes fail when there are multiple backends behind a load balancer?
Answer by ClarissaB (1587) | Mar 22, 2017 at 12:34 PM
Intermittent SSL handshake failures can occur for this scenario if SSL caching is enabled.
This is because Datapower is not aware that it is connecting to a load balancer. Furthermore, it is not possible for it to know there are multiple backends behind the load balancer that might be using different TLS versions/ciphers. It simply connects to the configured IP and tries to resume the previous SSL session until the cache expires.
So if the request is routed to a different backend than the previous cached session, the connection will fail.
To avoid this, it is recommended to either:
a. Have all the backends support the same TLS versions/ciphers.
b. Turn off SSL caching.
Note that SSL caching is not beneficial in this scenario anyway because Datapower will never actually resume a handshake if a different backend is selected each time.
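To make the mechanism above concrete, here is an added simulation (not DataPower code, and not from the answer's author): a client-side session cache keyed by the configured VIP address, in front of a constructed round-robin pool whose members support different TLS versions. The rule that a backend rejects a resumption attempt carrying a protocol version it does not support is a simplifying assumption standing in for the failure the answer describes.

```python
# Added illustration: client session cache keyed by the VIP, backend pool with
# mixed TLS versions. Backend names, versions and the "vip:443" key are constructed.
from itertools import cycle

CLIENT_VERSIONS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}  # what the client profile offers


class Backend:
    """One server behind the VIP; it only recognises sessions it issued itself."""

    def __init__(self, name, versions):
        self.name, self.versions, self.sessions = name, set(versions), {}

    def handshake(self, offered, session=None):
        # Resumption attempt: the client reuses the cached version unchanged.
        if session is not None:
            if session["id"] in self.sessions:
                return session  # same backend as before: resume succeeds
            if session["version"] not in self.versions:
                return None  # different backend, cached parameters unusable
        # Full handshake: pick the highest version both sides support.
        common = self.versions & offered
        if not common:
            return None
        sess = {"id": f"{self.name}-{len(self.sessions)}", "version": max(common)}
        self.sessions[sess["id"]] = sess
        return sess


def run(backends, requests, cache_enabled):
    """Send `requests` connections through the VIP; return how many fail."""
    pool = cycle(backends)  # constructed load balancer: plain round robin
    cache = {}              # client cache keyed by the configured address only
    failures = 0
    for _ in range(requests):
        backend = next(pool)
        session = cache.get("vip:443") if cache_enabled else None
        result = backend.handshake(CLIENT_VERSIONS, session)
        if result is None:
            failures += 1
            cache.pop("vip:443", None)  # drop the bad entry; next attempt is full
        elif cache_enabled:
            cache["vip:443"] = result
    return failures


if __name__ == "__main__":
    mixed = [Backend("a", ["TLSv1.2"]), Backend("b", ["TLSv1.0"])]
    print("mixed pool, cache on :", run(mixed, 4, True), "failures")   # 2
    print("mixed pool, cache off:", run(mixed, 4, False), "failures")  # 0
```

With caching on, every request that lands on the other backend after a cached session fails; turning the cache off (option b) or making the backends uniform (option a) both bring the failure count to zero.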