on 08-13-2015 6:07 PM
I am using Crystal 2008 to connect to Salesforce.com tables for some reports. Today I tried to run the reports and got an error message stating "javax.net.ssl.SSLHandshakeException failed".
The issue looks to be because Salesforce disabled SSL 3.0 Encryption. Does anyone know if Crystal 2008 can be switched from SSL 3.0 encryption to TLS 1.0 or TLS 1.1 encryption instead? I am trying to avoid the need to re-build this report and purchase Crystal 2013.
If this is not possible with CR 2008 does anyone know if a report built using CR 2008 will open in CR 2013 with no issues, or would it have to be rebuilt since CR 2013 connects to Salesforce using Simba ODBC drivers.
Any help is much appreciated.
Salesforce.com changed Security certificate from SHA-1 to SHA-256 hash
algorithms. For more details read:
Documented resolution in the following KBA:
2205572 - Failed to Open the conection. Crystal Reports and
salesforce.com certificate issue.
Resolution
Rename the old certificate "cacerts": at the following location for CR 2008:
C:\Program Files (x86)\Business Objects\javasdk\jre\lib\security
to "cacerts_old".
Create a new new "cacerts" file with the content copied from the link suggested by SFDC:
and copy the new file to the same location.
For Crystal Reports 2011, the location would be:
C:\Program Files (x86)\SAP BusinessObjects\SAP BusinessObjects Enterprise
XI 4.0\win32_x86\jre\lib\security
Vitaly
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Vitaly,
That is an interesting article since we run NA10 and the timing of the change for our instance being Aug 12th makes sense since Crystal stopped working yesterday.
I clicked on the link for the certificate and copied the code (including the Begin certificate and end certificate lines) and put it in a new CACERTS file located here: C:\Program Files (x86)\Business Objects\javasdk\jre\lib\security and then renamed the old file to CACERTS_OLD.
I now get an error stating Java.Net.SocketException: Unconnected Sockets not implemented.
Am I doing something wrong?
Hi Vitaly,
I think I have done everything right. I copied the content of the file into a new file called cacerts. It is NOT a text file. When I then try to log in I get the same error message Steve was getting. Java.Net.SocketException: Unconnected Sockets not implemented. The file is only 2KB in size. Is that an indicator that I have done something wrong since your example of file size above shows 54KB?
I have also tripled checked my password and security key to make sure those are correct while trying to log in. What am I missing or doing wrong?
Corinn
Here is what worked for me on a 64 bit Windows 7.
1. Make a copy of the cacerts file - from here: C:\Program Files (x86)\Business Objects\javasdk\jre\lib\security\.
2. Create a file in c: with Notepad named "VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem" by copying and pasting all the text found at this link: http://www.symantec.com/content/en/us/enterprise/verisign/roots/VeriSign-Class%203-Public-Primary-Ce...
3. Go to Start and run cmd.exe.
4. Enter these three commands one at a time. Copy the line from here, then do a right mouse click paste in the cmd window. Press Enter after each command
cd c:\
cd C:\Program Files (x86)\Business Objects\javasdk\jre\bin
If you are using 32 bit, you will need to change the Program Files folder name - remove the (x86) in the command below.
keytool -storepass changeit -import -keystore "C:\Program Files (x86)\Business Objects\javasdk\jre\lib\security\cacerts" -file "C:\VeriSign-Class 3-Public-Primary-Certification-Authority-G5.pem"
Answer 'yes' to the question.
Done.
I'm having the same issue using CRXI R2 does anyone have a solution that will work for this version ?
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
CR XI R2 has been out of support for a number of years. There will be no changes / fixes, etc. to CR XI R2. Recommend updating to SAP Crystal Reports 2013. A 30 day eval is here:
SME Free Trials | SME Software | SAP
- Ludek
ive tried both methods and neither work.
Creating the new cacerts file or editing the registry key.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Steve
I am not sure that this is actually directly related to SSL. See KBA 1454151 - "Error: Nested Exemptiion javax.net.ssl SSLHandShakeException"
Re. SSL and TLS, see KBA 2092680 - SAP Crystal Reports, Salesforce.com and SSL vulnerability
- Ludek
Senior Support Engineer AGS Product Support, Global Support Center Canada
Follow me on Twitter
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Hi Ludek,
Thanks for replying. It is related to Salesforce no longer supporting SSL 3.0, I did confirm that with SAP. If you have any knowledge regarding whether CR 2008 can be switched to TLS 1.0 or 1.1 that is what I am trying to figure out. I just don't even know if that is a possibility, otherwise I would need to buy CR 2013.
Then the question is whether it is a smooth transition from a CR 2008 Salesforce report to a CR 2013 Salesforce report without rebuilding the whole thing.
Hi Ludek,
Again thanks for responding so quickly. I did reference the KBA you mentioned however it is specific to CR 2011 not CR 2008.
If users have any concerns about security it is possible to disable the SSL 3.0 suing the following registry key for SAP Crystal Reports 2011 on 64 bit machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAP BusinessObjects\Suite XI 4.0\Crystal Reports
“JVMOptions” =”-Dhttps.protocols=TLSv1”
However my path is:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BusinessObjects
Suite 12.0\Crystal Reports
I tried to add a new string value into the Crystal Reports folder with the below but it does not seem to help.
Name= JVMOptions
Data= -Dhttps.protocols=TLSv1”
User | Count |
---|---|
93 | |
10 | |
10 | |
9 | |
9 | |
7 | |
6 | |
5 | |
5 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.