
Java bridge not running - jbridge.log has SSL Exception Received fatal alert: bad_record_mac

mcronkrite
Splunk Employee

Splunk 6.1 and Splunk DB Connect 1.1.6. I added the Java home path manually via the config file, but the Java bridge wouldn't start. I checked jbridge.log and found this error message repeated regularly:

ERROR Java process returned error code 1! Error: Initializing Splunk context...
Environment: SplunkEnvironment{SPLUNK_HOME=/splunk/splunk,SPLUNK_DB=/splunk/splunk/var/lib/splunk}
Configuring Log4j...
Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:199)
    at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:207)
    at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32)
    at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40)
    at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313)
    at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128)
    at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34)
Caused by: javax.net.ssl.SSLException: Received fatal alert: bad_record_mac
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:190)
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1774)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:954)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1138)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1165)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1149)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:133)
    at com.splunk.rest.Splunkd.request(Splunkd.java:216)
    at com.splunk.rest.Splunkd.request(Splunkd.java:102)
    at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:197)

1 Solution

mcronkrite
Splunk Employee

I found a fix for this bad_record_mac error that prevented the Java bridge from starting.
The clue was the SSL error; it turns out my Splunk cert was TLS.
I found this link to a Jira wiki page, which says that Java has a bug.

Problem: "When trying to establish a connection to a server with HTTPS-based URL, Client reports the following problem: Received fatal alert: bad_record_mac
Check if the server allows only SSL v3 as the protocol for HTTPS connection.
The problem is caused by issues with Sun Java security package (#4815023),
which makes the client try TLS even if it's not supported on the server. This results in aborted connection."

The wiki page suggests changing the Java options to force SSLv3.
In the Splunk DB Connect app, the default Java options are:

-Xmx256m -Dfile.encoding=UTF-8 -server -Duser.language=en -Duser.region=

Changed the java options to force SSLv3 (merged both options together):

-Xmx256m -Duse.metal=true -Dhttps.protocols=SSLv3 -Dforce.http.jre.executor=true -Dfile.encoding=UTF-8 -server -Duser.language=en -Duser.region=

WORKS NOW, no restart needed.
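
An added example, not part of the original post or of Splunk DB Connect: the option string above pins the bridge's HTTPS client to SSLv3, which RFC 7568 prohibits, so this sketch shows how a reviewer could flag such pins when auditing JVM option strings. The function names and the MIXED_OPTS sample are assumptions made for illustration, and no config file location is assumed.

```python
import shlex

# JSSE protocol names that are deprecated: SSLv2Hello (RFC 6176),
# SSLv3 (RFC 7568), TLSv1 and TLSv1.1 (RFC 8996).
DEPRECATED = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOL_PROPS = ("https.protocols", "jdk.tls.client.protocols")

def system_properties(options):
    """Return {name: value} for each -Dname=value token (a later token overrides an earlier one here)."""
    props = {}
    for token in shlex.split(options):
        if token.startswith("-D") and len(token) > 2:
            name, _, value = token[2:].partition("=")
            props[name] = value
    return props

def audit_java_options(options):
    """Return (property, protocol) pairs where a protocol property lists a deprecated version."""
    props = system_properties(options)
    findings = []
    for prop in PROTOCOL_PROPS:
        for proto in props.get(prop, "").split(","):
            if proto.strip() in DEPRECATED:
                findings.append((prop, proto.strip()))
    return findings

def only_deprecated(options, prop="https.protocols"):
    """True when the property is set and lists nothing outside DEPRECATED,
    so the client cannot negotiate a newer version."""
    value = system_properties(options).get(prop)
    if value is None:
        return False
    protos = [p.strip() for p in value.split(",") if p.strip()]
    return bool(protos) and all(p in DEPRECATED for p in protos)

# The two option strings quoted in the post above.
DEFAULT_OPTS = "-Xmx256m -Dfile.encoding=UTF-8 -server -Duser.language=en -Duser.region="
FORCED_OPTS = ("-Xmx256m -Duse.metal=true -Dhttps.protocols=SSLv3 "
               "-Dforce.http.jre.executor=true -Dfile.encoding=UTF-8 -server "
               "-Duser.language=en -Duser.region=")
# Constructed sample: a list that still allows a current protocol version.
MIXED_OPTS = "-Xmx256m -Dhttps.protocols=TLSv1.2,SSLv3"

if __name__ == "__main__":
    for label, opts in (("default", DEFAULT_OPTS), ("forced", FORCED_OPTS), ("mixed", MIXED_OPTS)):
        print(label, audit_java_options(opts), only_deprecated(opts))
```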

Muryoutaisuu
Communicator

You are my hero 🙂
