BlackBerry Administration Console is unavailable and the BAS-AS log shows "Error: The TDS protocol stream is not valid"

Article ID: KB19310

Type: Support Content

Last Modified: 08-07-2012

 

Product(s) Affected:

  • BlackBerry Enterprise Server 5
CollapseEnvironment
  • BlackBerry® Enterprise Server 5.0
  • DT 230816
  • DT 749314
CollapseOverview

The BlackBerry® Administration Service Application Server (BAS-AS) keeps restarting while the following appears on the BlackBerry Administration Console:

The page cannot be displayed

The BAS-AS log includes the following error:

The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: The TDS protocol stream is not valid

An example of this appears in the following log snips:

Caused by: org.jboss.util.NestedSQLException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: The TDS protocol stream is not valid..); - nested throwable: (org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: The TDS protocol stream is not valid..))
at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:96)
at org.hibernate.ejb.connection.InjectedDataSourceConnectionProvider.getConnection(InjectedDataSourceConnectionProvider.java:47)
at org.hibernate.jdbc.ConnectionManager.openConnection(ConnectionManager.java:423)
... 161 more
Caused by: org.jboss.resource.JBossResourceException: Could not create connection; - nested throwable: (com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: The TDS protocol stream is not valid..)
at org.jboss.resource.adapter.jdbc.local.LocalManagedConnectionFactory.createManagedConnection(LocalManagedConnectionFactory.java:190)
at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:584)
at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getConnection(InternalManagedConnectionPool.java:262)
at org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool.getConnection(JBossManagedConnectionPool.java:538)
at org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedConnection(BaseConnectionManager2.java:348)
at org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConnection(TxConnectionManager.java:330)
at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:403)
at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:850)
at org.jboss.resource.adapter.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:90)
... 163 more

CollapseCause

The Microsoft® SQL Server® instance that hosts the BlackBerry Configuration Database is using an SSL certificate that is larger than 4KB in size. Due to an issue in the database connectivity driver, the SSL handshake does not successfully complete due to the network frame for the handshake exceeding 1 frame, which is larger than 4KB in size.

During the login handshake between the Microsoft SQL Server and the BlackBerry Enterprise Service component with JDBC® 1.2, if the Microsoft SQL Server's login packet is split into more than one frame, JDBC 1.2 has a bug where it cannot understand the login request. The Microsoft SQL Server sends the login packet in 4KB size. Anything over that limit will be split into multiple frames.

Microsoft acknowledged this as their issue and provided a fix in JDBC 2.0.

JDBC 2.0 is not currently supported because JBoss® does not work well with JDBC 2.0.

CollapseResolution

Upgrade to BlackBerry Enterprise Server version 5.0 SP3

CollapseWorkaround

There are multiple workarounds for this issue:

  • Reduce the certificate size or issue a smaller certificate to the Microsoft SQL Server.
  • If possible, remove the certificate from the Microsoft SQL Server.
  • Host the BlackBerry Configuration Database on a Microsoft SQL Server instance that is local to the BlackBerry Administration Service, ensuring that it is not using an SSL certificate.
  • If SSL is a mandatory requirement, third-party certificates can be leveraged that are less than 4KB.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.