Diagnosing CONNECT failures (9318) and (9407).


Article Number: 000093585
Environment
Product: OpenEdge
OS: Windows
Other: Progress Application Server for OpenEdge (PAS for OpenEdge), SSL/TLS
Question/Problem Description
An application is being tested to run under a PAS for OpenEdge instance. When the following simple code is executed, two error windows pop up issuing the following errors:
Secure Socket Layer (SSL) failure. error code <err_number>:  <ssl_error_message> (9318)
Connection failure for host <host_name> port <port> transport <transport_name>. (9407)
The error code associated with the 9318 error is 10060.
DEFINE VARIABLE hSocket AS HANDLE NO-UNDO.
CREATE SOCKET hSocket.
IF NOT hSocket:CONNECT('-H <host_name> -S 9011 -ssl -nohostverify') THEN DO:
    MESSAGE "Unable to connect" VIEW-AS ALERT-BOX.
    DELETE OBJECT hSocket.
END.

Steps to Reproduce
Clarifying Information
Connections using http (not using TLS) successfully connect.
All certificates have been installed correctly.
The tomcat-keystore.p12 file has been updated with the new keys.
File has been updated with the correct alias and password.

catalina.<date>.log in the PAS instance's logs directory contains the following:

27-Dec-2018 09:24:28.906 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8811]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8811]]
    at org.apache.catalina.util.LifecycleBase.init(
    at org.apache.catalina.core.StandardService.initInternal(
    at org.apache.catalina.util.LifecycleBase.init(
    at org.apache.catalina.core.StandardServer.initInternal(
    at org.apache.catalina.util.LifecycleBase.init(
    at org.apache.catalina.startup.Catalina.load(
    at org.apache.catalina.startup.Catalina.load(
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(
    at java.lang.reflect.Method.invoke(
    at org.apache.catalina.startup.Bootstrap.load(
    at org.apache.catalina.startup.Bootstrap.main(
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(
    at org.apache.catalina.util.LifecycleBase.init(
    ... 12 more
Caused by: java.lang.IllegalArgumentException: Alias name [demoSSLnew] does not identify a key entry
    at org.apache.coyote.AbstractProtocol.init(
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(
    at org.apache.catalina.connector.Connector.initInternal(
    ... 13 more
Caused by: Alias name [demoSSLnew] does not identify a key entry
    ... 20 more

From the partial log file above, the most illustrative entry is the following:
Caused by: java.lang.IllegalArgumentException: Alias name [demoSSLnew] does not identify a key entry

The Java keytool -list command provided the following information:

 C:\DLCWORK\oepas1\conf>c:\dlc\jdk\bin\keytool.exe -v -list -keystore tomcat-keys
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Dec 27, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner:, OU=Technical Support, O=Progress Software
, ST=Massachusetts, C=US
Issuer:, OU=Technical Support, O=Progress Softwar
e, L=Bedford, ST=Massachusetts, C=US
Serial number: 1
Valid from: Thu Dec 27 08:37:06 EST 2018 until: Fri Dec 27 08:37:06 EST 2019
Certificate fingerprints:
         MD5:  3F:10:C6:16:19:92:B7:95:41:0F:85:4C:48:A9:67:05
         SHA1: 76:47:C4:11:50:EC:A6:F4:B6:B0:5E:D8:01:93:96:69:9D:0B:DC:8D
         SHA256: 7D:82:ED:26:66:2E:1E:0C:E0:DA:32:AC:54:2C:E5:0F:EC:22:F1:95:DD:
         Signature algorithm name: SHA256withRSA
         Version: 3


#1: ObjectId: Criticality=true
  PathLen: undefined

Notice above that the keystore entry contains an alias name of 1.

The area of the files that defines certificate and keystore information contained the following:

# JSSE keystore used by server.xml for its server key & certificates

# JSSE certificate store used by server.xml for validating client certificates 

A network trace of an HTTPS connection attempt looked like the following:

[Image: Wireshark capture of an unsuccessful connection attempt]

Notice that the client sent a Client Hello message. The PAS instance acknowledged the Client Hello message but did not continue with the full handshake exchange.

The following command was used to place the key in the keystore:
C:\DLCWORK\oepas1\conf>sslc pkcs12 -export -inkey c:\dlc\keys\requests\demoSSLnew.pk1 -in c:\dlc\keys\demoSSLnew.pem -out tomcat-keystore.p12
Enter pass phrase for c:\dlc\keys\requests\demoSSLnew.pk1:
Enter Export Password:
Verifying - Enter Export Password:

Error Message
Secure Socket Layer (SSL) failure. error code <err_number>:  <ssl_error_message> (9318)
Connection failure for host <host_name> port <port> transport <transport_name>. (9407)
Defect/Enhancement Number
When the private key was inserted into the keystore (tomcat-keystore.p12) using the sslc pkcs12 command, the -name option was left off. As a result, the sslc pkcs12 command used a default alias name of 1 instead of the intended alias name demoSSLnew. The PAS instance took the value of from and attempted to find an entry by that name (demoSSLnew). Since none existed, the PAS instance was unable to activate its SSL/TLS port.
When placing the private key into the keystore (using sslc pkcs12), ensure that the -name option is used and that the correct alias name is given as its value. The PAS instance uses that value to find the private key in the keystore.

The sslc pkcs12 command should look like the following:

C:\DLCWORK\oepas1\conf>sslc pkcs12 -export -inkey c:\dlc\keys\requests\demoSSLnew.pk1 -in c:\dlc\keys\demoSSLnew.pem -out tomcat-keystore.p12 -name demoSSLnew
Enter pass phrase for c:\dlc\keys\requests\demoSSLnew.pk1:
Enter Export Password:
Verifying - Enter Export Password:

Check catalina.<date>.log for errors. This type of error does not show up in <instance name>.agent.log.

Use pkiutil -v -list to get a list of certificates and their aliases.
Use c:\dlc\jdk\bin\keytool -v -list -keystore tomcat-keystore.p12 to view the aliases stored in the Tomcat keystore file.
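
The two checks above can be combined into one script. This is an added example, not Progress code: it pulls the alias named in the catalina log error and compares it with the aliases in keytool -v -list output. The function names are hypothetical, the sample input is constructed from the excerpts in this article, and aliases are compared case-insensitively on the assumption that the JDK keystore providers do the same.

```python
import re

# Error text Tomcat writes to catalina.<date>.log when the configured alias is unusable.
ALIAS_ERR = re.compile(r"Alias name \[([^\]]+)\] does not identify a key entry")

def wanted_aliases(catalina_log):
    """Aliases the connector asked for and could not use."""
    return sorted(set(ALIAS_ERR.findall(catalina_log)))

def keystore_entries(keytool_listing):
    """Map alias -> entry type from `keytool -v -list` output."""
    entries, alias = {}, None
    for raw in keytool_listing.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            alias = line.split(":", 1)[1].strip()
            entries[alias] = "unknown"
        elif line.startswith("Entry type:") and alias is not None:
            entries[alias] = line.split(":", 1)[1].strip()
    return entries

def diagnose(catalina_log, keytool_listing):
    """Return (alias, verdict) pairs for every alias named in the log."""
    # Assumption: aliases compare case-insensitively, as in the JDK keystore providers.
    entries = {a.lower(): (a, t) for a, t in keystore_entries(keytool_listing).items()}
    present = sorted(a for a, _ in entries.values())
    results = []
    for alias in wanted_aliases(catalina_log):
        found = entries.get(alias.lower())
        if found is None:
            results.append((alias, f"missing; keystore aliases are {present}"))
        elif found[1] != "PrivateKeyEntry":
            results.append((alias, f"present but entry type is {found[1]}"))
        else:
            results.append((alias, "present as PrivateKeyEntry"))
    return results

# Constructed sample input, modelled on the excerpts in this article.
SAMPLE_LOG = "Caused by: Alias name [demoSSLnew] does not identify a key entry\n"
SAMPLE_LISTING = "Alias name: 1\nCreation date: Dec 27, 2018\nEntry type: PrivateKeyEntry\n"

if __name__ == "__main__":
    for alias, verdict in diagnose(SAMPLE_LOG, SAMPLE_LISTING):
        print(f"{alias}: {verdict}")
```
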

A successful SSL/TLS handshake and connection, as viewed in a network analyzer such as Wireshark, should look like the following:

[Image: Wireshark capture of a successful key exchange]

References to other documentation:

Administration Guide: Server Security: Configuring PAS for OpenEdge for SSL/TLS:

Installation and Configuration: Configuration: Managing OpenEdge Key and Certificate Stores: Managing key stores for OpenEdge servers: Using pkiutil to manage an OpenEdge key store:

Installation and Configuration: Command and Utility Reference: Installing and managing keys and digital certificates: pkiutil:

Progress article(s):

000074259, How to configure and test a PASOE instance for secure communications?
000013338, How to create self-signed SSL certificates in OpenEdge
Last Modified Date: 12/28/2018 6:42 PM
