Problem
Java version 8 update 51 changed how SSL validation is handled. Because of this, Ignition gateways prior to 7.7.5 with SSL enabled will be unable to launch clients or the designer. Attempting to do so will result in the following error:
Enabling the Java console will show the following stack:
In some cases you may be unable to navigate to the gateway webpage:
Solution
To resolve this you'll need to add some additional parameters to Ignition's configuration file.
1) Navigate to the data folder in Ignition's installation directory and locate the ignition.conf file:
2) Open the ignition.conf file in Notepad or any other text editor.
3) Locate the header "Wrapper Java Properties". Under this header you will see a section labeled "# Java Additional Parameters", and under that you'll see several additional parameters. You need to add a new parameter here.
The exact parameter you add depends on the version of Ignition you are using.
Gateways prior to 7.7.5
Copy the following information and paste it at the end of the parameters:
wrapper.java.additional.8=-Dciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256","TLS_RSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_RSA_WITH_AES_128_CBC_SHA256","TLS_DHE_DSS_WITH_AES_128_CBC_SHA256","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_128_CBC_SHA","TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDH_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_RSA_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","TLS_RSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_RSA_WITH_AES_128_GCM_SHA256","TLS_DHE_DSS_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA","SSL_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA","SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","TLS_ECDHE_RSA_WITH_RC4_128_SHA","SSL_RSA_WITH_RC4_128_SHA","TLS_ECDH_ECDSA_WITH_RC4_128_SHA","TLS_ECDH_RSA_WITH_RC4_128_SHA","SSL_RSA_WITH_RC4_128_MD5","TLS_EMPTY_RENEGOTIATION_INFO_SCSV","TLS_DH_anon_WITH_AES_128_GCM_SHA256","TLS_DH_anon_WITH_AES_128_CBC_SHA256","TLS_ECDH_anon_WITH_AES_128_CBC_SHA","TLS_DH_anon_WITH_AES_128_CBC_SHA","TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA","SSL_DH_anon_WITH_3DES_EDE_CBC_SHA","TLS_ECDH_anon_WITH_RC4_128_SHA","SSL_DH_anon_WITH_RC4_128_MD5","SSL_RSA_WITH_DES_CBC_SHA","SSL_DHE_RSA_WITH_DES_CBC_SHA","SSL_DHE_DSS_WITH_DES_CBC_SHA","SSL_DH_anon_WITH_DES_CBC_SHA","SSL_RSA_EXPORT_WITH_DES40_CBC_SHA","SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA","SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA","SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA","SSL_RSA_EXPORT_WITH_RC4_40_MD5","SSL_DH_anon_EXPORT_WITH_RC4_40_MD5","TLS_RSA_WITH_NULL_SHA256","TLS_ECDHE_ECDSA_WITH_NULL_SHA","TLS_ECDHE_RSA_WITH_NULL_SHA","SSL_RSA_WITH_NULL_SHA","TLS_ECDH_ECDSA_WITH_NULL_SHA","TLS_ECDH_RSA_WITH_NULL_SHA","TLS_ECDH_anon_WITH_NULL_SHA","SSL_RSA_WITH_NULL_MD5","TLS_KRB5_WITH_3DES_EDE_CBC_SHA","TLS_KRB5_WITH_3DES_EDE_CBC_MD5","TLS_KRB5_WITH_RC4_128_SHA","TLS_KRB5_WITH_RC4_128_MD5","TLS_KRB5_WITH_DES_CBC_SHA","TLS_KRB5_WITH_DES_CBC_MD5","TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA","TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5","TLS_KRB5_EXPORT_WITH_RC4_40_SHA","TLS_KRB5_EXPORT_WITH_RC4_40_MD5"
Save the file after you have added the above parameter. The modified file should look like the following:
7.7.5 or greater gateways
If the version of Ignition you are using is 7.7.5 or greater, then the parameter should look like the following:
wrapper.java.additional.8=-Dciphers=TLSv1.1,TLSv1
Save the file after you have added the above parameter. The modified file should look like the following:
4) Regardless of version, you'll need to restart the Ignition service. You can do this by opening the Gateway Control Utility and clicking on the Restart link.
-In Windows, click the Start button.
-Type gcu into the search box.
-The Gateway Control Utility should appear in the list of results. Click on the Gateway Control Utility.
-Once the Gateway Control Utility launches, click on "Restart".
Once the gateway comes back up you should be able to launch clients again.
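An added example, not part of the original article or of Ignition's own tooling: a Python check that reads the -Dciphers parameter from ignition.conf text and flags entries whose names indicate NULL encryption, anonymous key exchange, export-grade keys, RC4, DES/3DES or MD5, all of which appear in the pre-7.7.5 list above. The sample config text, the function names and the marker table are assumptions made for this example.

```python
import re

# Constructed sample ignition.conf fragments; suite names are taken from the list above.
SAMPLE_PRE_775 = (
    "# Java Additional Parameters\n"
    '#wrapper.java.additional.7=-Dciphers="SSL_RSA_WITH_NULL_MD5"\n'
    'wrapper.java.additional.8=-Dciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",'
    '"SSL_RSA_WITH_RC4_128_MD5","TLS_DH_anon_WITH_AES_128_CBC_SHA",'
    '"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA","TLS_RSA_WITH_NULL_SHA256",'
    '"TLS_EMPTY_RENEGOTIATION_INFO_SCSV"\r\n'
)
SAMPLE_775 = "wrapper.java.additional.8=-Dciphers=TLSv1.1,TLSv1\n"

# Name fragments that mark a weak property of a cipher suite (this example's own table).
WEAK_MARKERS = [
    ("_NULL_", "no encryption"),
    ("_anon_", "unauthenticated key exchange"),
    ("_EXPORT_", "export-grade 40-bit key"),
    ("_RC4_", "RC4 stream cipher"),
    ("_DES_CBC_", "single DES"),
    ("_3DES_", "3DES (64-bit block)"),
    ("_MD5", "MD5-based MAC"),
]

# Matches active (not '#'-commented) wrapper lines that carry -Dciphers.
PARAM = re.compile(r"^[ \t]*wrapper\.java\.additional\.\d+[ \t]*=[ \t]*-Dciphers=(.*)$", re.M)

def parse_ciphers(conf_text):
    """Return every entry of the active -Dciphers parameter(s), unquoted."""
    entries = []
    for value in PARAM.findall(conf_text):
        entries += [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return entries

def audit(conf_text):
    """Map each weak entry to the reasons it was flagged; strong entries are omitted."""
    findings = {}
    for entry in parse_ciphers(conf_text):
        reasons = [why for marker, why in WEAK_MARKERS if marker in entry]
        if reasons:
            findings[entry] = reasons
    return findings

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_PRE_775).items():
        print(f"{suite}: {', '.join(reasons)}")
```

To check a real gateway, pass the contents of its ignition.conf to audit() in place of the constructed samples.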