Calling external web services with SSL fails

Calling external web services with SSL encryption from Service Manager fails. The sm.log file contains an exception like this:

JRTE E java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed
RTE E Error calling method: doSoapRequest  in class: com/hp/ov/sm/server/utility/SoapClient Exception (com.sun.xml.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed)
RTE E SCException caught in soapRequest(): Error calling method: doSoapRequest  in class: com/hp/ov/sm/server/utility/SoapClient Exception (com.sun.xml.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed)
RAD E Error calling method: doSoapRequest  in class: com/hp/ov/sm/server/utility/SoapClient Exception (com.sun.xml.messaging.saaj.SOAPExceptionImpl: java.security.PrivilegedActionException: com.sun.xml.messaging.saaj.SOAPExceptionImpl: Message send failed)

Additionally, a sm_<process identifier>_stdouterr.log was created. The relevant stack trace is:

Caused by: javax.net.ssl.SSLException: Received fatal alert: unexpected_message
        at com.ibm.jsse2.j.a(j.java:21)
        at com.ibm.jsse2.j.a(j.java:32)
        at com.ibm.jsse2.qc.b(qc.java:5)
        at com.ibm.jsse2.qc.a(qc.java:645)
        at com.ibm.jsse2.qc.h(qc.java:809)
        at com.ibm.jsse2.qc.a(qc.java:106)
        at com.ibm.jsse2.qc.startHandshake(qc.java:586)
        at com.ibm.net.ssl.www2.protocol.https.c.afterConnect(c.java:15)
        at com.ibm.net.ssl.www2.protocol.https.d.connect(d.java:39)
        at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1090 <http://www.protocol.http.httpurlconnection.getoutputstream(httpurlconnection.java:1090/> )
        at com.ibm.net.ssl.www2.protocol.https.b.getOutputStream(b.java:33)
        at com.sun.xml.messaging.saaj.client.p2p.HttpSOAPConnection.post(HttpSOAPConnection.java:323)

Cause:

The remote endpoint is not supporting Server Name Indication (SNI), which is activated by default as of JRE 1.7. The issue is related to the remote endpoint (in this case, the web services server), and whether it supports SNI extensions during the SSL handshake or not. When Service Manager uses JRE 1.8, it starts to use SNI extensions during the SSL handshake. If the remote endpoint does not, the web service will fail with the error message provided above.

Solution:

Activate SNI at the remote endpoint. This is the recommended solution.

Workaround:

If the remote endpoint does not support SNI extensions, and SNI cannot be activated, add the following JVMOption<n> parameter either to the sm.ini file, or to the start command of the servlet(s) in the sm.cfg file:

JVMOption2:-Djsse.enableSNIExtension=false

This will disable the SNI security feature in Java.