KB4480961 and BigFix Compliance

We have Compliance installed on Windows Server 2016 with a local database on SQL Server 2016. I installed KB4480961-January 2019 Security Update and the Compliance service would not start, and in the tema.log I found errors such as:

I SRVE0292I: Servlet Message - [tema]:.An exception happened during JRuby-Rack startup
Java::ComMicrosoftSqlserverJdbc::SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: “SQL Server did not return a response. The connection has been closed. ClientConnectionId:0d369640-880a-42a1-b603-16ead257b2e2”.

I was wondering if anyone else has run into this problem? SQL has the force encryption setting turned on, I tried turning it off but there was no change. I turned force encryption back on and uninstalled KB4480961 for Compliance to start working again.

1 Like

I tried installing a few of the older patches that were missing from this Compliance server, and ran across one from November that also caused it to stop working. I doubt that there are multiple patches that would affect Compliance, so I will have to look into this server more to see why it will not take some of the Windows patches.

1 Like

To update this thread, it turns out it is not an isolated problem with our installation. This instance of Compliance is on Server 2016 and we now have an installation of Compliance v1.10 on Server 2012 R2 with the same error message about the Ruby version. That server had running Compliance version 1.9 until today and when it was upgraded this error occurred.

I have opened a case with IBM to see how we should proceed. In my server from a month ago Compliance started working when I removed the KB4480961.

Jeff, were you able to get this working? I’m getting a similar issue when trying to setup my compliance server.

For the issue we had with someone who had Compliance v.1.10 on Server 2012 R2, they restored the Compliance server and its database from backups done just before they started the upgrade. They ran the upgrade fixlet a second time and it worked, so I am not sure what happened there and we closed the case with IBM.

On our installation on Server 2016 that I started the thread for, it was related to TLS settings. In Compliance in the Server Settings it was set to use TLS 1.2, and I found that if I unchecked that then Compliance would work.

Looking at the server I found that TLS 1.0 and 1.1 were disabled but TLS 1.2 was not working correctly even though it was enabled in SQL. Once we got the TLS 1.2 settings working Compliance continued to work with the setting checked.

Ah ok. I’m getting this error upon the initial database setup that you do through a web browser, so I guess this won’t help since I can’t change it through the web gui right?

In the SQL Server is the setting for forced encryption enabled? If so, you might try disabling that and see if your Compliance installation works, and it would narrow down if it is an encryption setting causing yours to fail.

Previously it was set to No and that wouldn’t work so I tried switching it to Yes to see if that would do anything. I also noticed just now that there are no JDKs installed. Are those necessary for this? I only ask because I’ve been reading a lot of re: this issue and a lot of people have been troubleshooting that as well. (JDBC driver troubleshooting etc etc)

I thought IBM Java would be installed with Compliance, but maybe someone else can provide information about that.

I scoured through some logs and see that it was installed. Silly question, but does this typically have an entry in add/remove programs like other Java installs? I ask because I don’t have it currently. I think I’m just going to try reinstalling and see what happens.

We don’t have any java entries in Programs and Features on our Compliance server. Many of the java files included in Compliance are in this folder on our server:
D:\Program Files\IBM\SCA\jre\bin

Awesome, thanks for giving me a sanity check. I ran through the setup again and verified everything installed.

Last question, because it’s not something I’ve seen explicitly stated in the setup docs: is an SSL cert necessary? I’m setting this up on a brand new server, so it’s pretty “fresh”. I ask because during the setup, it will open IE to create and configure the application database but won’t let me bypass unless I have an ssl cert (I used firefox to get past this before).

I don’t think it is required, but we just used the self-signed certificate that it installed.