
#26 SSL on ASEMON

v1.0_(example)
open
1
2026-02-17
2019-06-04
Hardeep
No

Hi JPM
I have enabled SSL on my ASE server and in parallel enabled <usessl> in the XML file and restarted the ASEMON process, but I am still getting the connection error message below.

Would you please suggest what else I need to do. Thanks

2019/06/04 19:57:21.947 ASEMGLDEV802E_AmStats - SSL is activated
2019/06/04 19:57:21.998 ASEMGLDEV802E_AseDbSpce - Start thread.
2019/06/04 19:57:21.999 ASEMGLDEV802E_AmStats - ERROR connectSRV (1). Srv=ASEMGLDEV802E : java.sql.SQLException: JZ006: Caught IOException: java.io.IOException: JZ0T3 use getCause() to see the error chain
2019/06/04 19:57:21.999 ASEMGLDEV802E_AmStats - ERROR connectSRV (2). Srv=ASEMGLDEV802E : java.sql.SQLException: JZ0T3: Read operation timed out.
2019/06/04 19:57:21.999 ASEMGLDEV802E_AmStats - ERROR connectSRV (2). Srv=ASEMGLDEV802E : java.sql.SQLException: JZ0TO: Read operation timed out.
2019/06/04 19:57:21.999 ASEMGLDEV802E_AmStats - Trying to reconnect to archive server every 10 s ...

Regards,
Hardeep

Discussion

  • Jean-Paul Martin

    Hi Hardeep
    how did you configure ssl on your ASE server and client ?
    Did you first try to open a connection with isql just to check that the server is properly configured ?

    Did you use "keytool" on your client to integrate the public certificate in the truststore. Ex. :

    keytool -import -keystore C:/sybase/jConnect-16_0/truststore -file YOURSERVERPUBLICKEY.txt -alias YOURSERVER -storepass yourpassword

    Asemon will look for truststore file in its default location : $SYBASE/jConnect-16_0/truststore

    You can find documentation and notes on SAP site for how to configure ssl on ASE and jConnect client

    Best regards
    Jpm

     
  • Hardeep

    Hardeep - 2019-06-05

    Hi Jpm,
    Appreciate your swift reply.

    Well, I have configured SSL on ASE using standard steps and then restarted the server with SSL port. It came up with ssltcp listener. Also I have updated the $SYBASE/config/trusted.txt file to make an SSL connection.
    The same trusted.txt file I have copied across all clients and it worked, but it's failing for ASEMON.

    I don't see any default "truststore" file under $SYBASE/jConnect-16_0/. I have generated a truststore file using keytool, and it still gives the same error for the ASE connection, whereas repserver connects successfully. However, SSL is configured on both ASE & REP.

    keytool -import -keystore /dba/sybase/ase/16.0.0.0.28334/jConnect-16_0/truststore -file HOSTNAME_key.pem -alias HOSTNAME.macbank

    ASEMON logs


    2019/06/05 15:59:08.607 main - Start Asemon_logger Version V2.7.21
    2019/06/05 15:59:08.632 main - Current directory is : /dba/sybase/asemon/2.7.21
    2019/06/05 15:59:08.636 main - Java version : 1.8.0_201
    2019/06/05 15:59:08.637 main - Classpath is : /dba/sybase/asemon/asemon_logger/dist/Asemon_logger.jar:/dba/sybase/asemon/asemon_logger/lib/jdom.jar:/dba/sybase/asemon/asemon_logger/lib/xerces.jar:/dba/sybase/asemon/asemon_logger/lib/java-getopt-1.0.9.jar:/dba/sybase/asemon/asemon_logger/jConnect-7_0/classes/jconn4.jar:/dba/sybase/asemon/asemon_logger/jConnect-7_0/classes/jTDS3.jar
    2019/06/05 15:59:08.637 main - Config file used : /dba/sybase/asemon/config/SYB_SERVER_1.xml
    2019/06/05 15:59:08.904 main - Try to connect to srv : SYB_SERVER_1
    2019/06/05 15:59:08.963 main - Srv found in interfaces or SQL.INI file. Host=XXXXXXXXXXX Port=20002
    2019/06/05 15:59:08.964 main - Using password from passwords file for 'SYB_SERVER_1.perfmon_dba'
    2019/06/05 15:59:08.971 main - SSL is activated
    2019/06/05 15:59:09.159 main - ERROR connectSRV (1). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ006: Caught IOException: java.io.IOException: JZ0T3 use getCause() to see the error chain
    2019/06/05 15:59:09.159 main - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0T3: Read operation timed out.
    2019/06/05 15:59:09.159 main - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0TO: Read operation timed out.
    2019/06/05 15:59:09.160 main - Try to connect to srv : REPMGLDEV802E
    2019/06/05 15:59:09.186 main - Srv found in interfaces or SQL.INI file. Host=XXXXXXXXXXX Port=27002
    2019/06/05 15:59:09.186 main - Using password from passwords file for 'REPMGLDEV802E.perfmon_dba'
    2019/06/05 15:59:09.186 main - SSL is activated
    2019/06/05 15:59:09.475 main - connectMonitoredRS - connected to : REPMGLDEV802E Version : 1600
    2019/06/05 15:59:09.476 main - WARNING connectMonitoredRS : stats_sampling = OFF. Not all statistics will be captured.
    2019/06/05 15:59:09.477 main - You should execute "configure replication server set stats_sampling to 'ON'" on RS
    2019/06/05 15:59:09.552 main - Time difference (ms) between RS and asemon_logger (positive when RS is in advance) : -4
    2019/06/05 15:59:09.552 main - Try to connect to srv : SYB_SERVER_1
    2019/06/05 15:59:09.562 main - Srv found in interfaces or SQL.INI file. Host=XXXXXXXXXXX Port=20002
    2019/06/05 15:59:09.586 main - Using password from passwords file for 'SYB_SERVER_1.perfmon_dba'
    2019/06/05 15:59:09.587 main - SSL is activated
    2019/06/05 15:59:09.675 main - ERROR connectSRV (1). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ006: Caught IOException: java.io.IOException: JZ0T3 use getCause() to see the error chain
    2019/06/05 15:59:09.675 main - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0T3: Read operation timed out.
    2019/06/05 15:59:09.675 main - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0TO: Read operation timed out.
    2019/06/05 15:59:09.699 REPMGLDEV802E_AmStats - Start thread.
    2019/06/05 15:59:09.700 REPMGLDEV802E_AmStats - Try to connect to srv : SYB_SERVER_1
    2019/06/05 15:59:09.729 REPMGLDEV802E_DISKSPCE - Start thread.
    2019/06/05 15:59:09.733 REPMGLDEV802E_AmStats - Srv found in interfaces or SQL.INI file. Host=XXXXXXXXXXX Port=20002
    2019/06/05 15:59:09.733 REPMGLDEV802E_AmStats - Using password from passwords file for 'SYB_SERVER_1.perfmon_dba'
    2019/06/05 15:59:09.733 REPMGLDEV802E_AmStats - SSL is activated
    2019/06/05 15:59:09.774 REPMGLDEV802E_RSConfig - Start thread.
    2019/06/05 15:59:09.785 REPMGLDEV802E_AmStats - ERROR connectSRV (1). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ006: Caught IOException: java.io.IOException: JZ0T3 use getCause() to see the error chain
    2019/06/05 15:59:09.785 REPMGLDEV802E_AmStats - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0T3: Read operation timed out.
    2019/06/05 15:59:09.785 REPMGLDEV802E_AmStats - ERROR connectSRV (2). Srv=SYB_SERVER_1 : java.sql.SQLException: JZ0TO: Read operation timed out.
    2019/06/05 15:59:09.786 REPMGLDEV802E_AmStats - Trying to reconnect to archive server every 10 s ...

    Regards,
    Hardeep

     
  • Jean-Paul Martin

    Hi Hardeep,
    what is the version of SYB_SERVER_1 : 16SP03 or lower ?
    SAP changed the ssl libraries in 16SP03 and I never tested asemon with the new libraries

    By the way, you are using an old asemon (V2.7) with JRE 1.8 : never tested that (2.7 is not compiled with this level of Java)
    And your asemon is using jConnect 7.0 located in : /dba/sybase/asemon/asemon_logger/jConnect-7_0
    In that case I think asemon tries to look for file "truststore" in /dba/sybase/asemon/asemon_logger/jConnect-7_0
    Best regards
    Jpm

     
  • Hardeep

    Hardeep - 2019-06-05

    Hi Jpm,
    Thanks again on prompt reply.

    I am using ASE 16.0/SP03-PL06 version and ASEMon version is 2.7.21.

    I have copied the truststore file to asemon's jConnect folder (see below) and stopped/started asemon, but it didn't help. When I start ASEMON, JAVA_HOME is /usr/lib/jvm/jre.

    $ pwd
    /dba/sybase/asemon/2.7.21/jConnect-7_0
    $ ls -l truststore
    -rw-r--r--. 1 sybase_ias dba 1962 Jun 5 19:55 truststore
    $

    I am a bit surprised that it's working with RepServer, where SSL is enabled as well.

    Do you think I should try with aselogger v3.0 ?

    Regards
    Hardeep

     
  • Jean-Paul Martin

    I am afraid there may be incompatibilities between this version of asemon and the new ssl libraries of ASE V16SP03.
    I have to do tests with this version

    What is the version of RS : 16SP03 also ?
    If lower this could explain why it can connect.

    Maybe you can try to use a more recent version of jConnect with your asemon
    Change the JCONNECT_HOME in the asemon_logger.sh script to point to a jConnect V16 directory

    Best regards
    Jpm

     
  • Hardeep

    Hardeep - 2019-06-05

    Thanks Jpm
    Repserver version is 16.0/EBF 26769 SP03

    Regards
    Hardeep

     
  • Hardeep

    Hardeep - 2019-06-05

    Thanks Jpm,
    I have changed JCONNECT_HOME to the ASE jConnect directory and it worked. :-)
    export JCONNECT_HOME=/dba/sybase/ase/16.0/jConnect-16_0

    Regards
    Hardeep

     
  • Hardeep

    Hardeep - 2019-06-05

    I would like to summarise my steps to start ASEMON with SSL

    1. Add <usessl>YES </usessl> to ASEMON XML file

    2. Generate truststore file using keytool
      e.g keytool -import -keystore /dba/sybase/ase/16.0.0.0.28334/jConnect-16_0/truststore -file HOSTNAME_key.pem -alias HOSTNAME.macbank

    3. Change JCONNECT_HOME in the asemon_logger.sh script to point to jConnect V16 directory
      export JCONNECT_HOME=/dba/sybase/ase/16.0/jConnect-16_0

    4. Restart ASEMON process

    Regards
    Hardeep

     
  • Jean-Paul Martin

    Ok good, thank you for the feedback
    But I still don't understand why it could connect to RS V16SP03 with ssl and old jConnect
    Maybe SAP didn't implement new ssl algo in RS16SP03. I have to check that
    Best regards
    Jpm

     
  • Anonymous

    Anonymous - 2026-02-12

    Hi JPM
    I have a similar problem, asemon_logger doesn't want to connect to ASE via SSL.
    I think I've tried everything.
    I've already imported and copied the CA certificates everywhere.
    I'm out of ideas, can you think of anything?


    --log
    2026/02/12 12:04:37.276 main - Java version used = 21.0.8
    2026/02/12 12:04:37.306 main - Start Asemon_logger V3.2.5
    2026/02/12 12:04:37.306 main - Current directory is : /home/sybase/svc/asemon_logger
    2026/02/12 12:04:37.306 main - Java version : 21.0.8
    2026/02/12 12:04:37.307 main - Classpath is : /home/sybase/svc/asemon_logger/dist/asemonlogger.jar:/home/sybase/svc/asemon_logger/lib/jdom.jar:/home/sybase/svc/asemon_logger/lib/xerces.jar:/home/sybase/svc/asemon_logger/lib/java-getopt-1.0.9.jar:/opt/sybase_161SP00/jConnect-16_1/classes/jconn42.jar:/opt/sybase_161SP00/jConnect-16_1/classes/jTDS4.jar
    2026/02/12 12:04:37.307 main - Config file used : conf/config_akkk1.xml
    2026/02/12 12:04:37.356 main - after passfilemgr..
    2026/02/12 12:04:37.359 main - before loadconfig...
    2026/02/12 12:04:37.360 main - after new Config()...
    2026/02/12 12:04:37.433 main - textsize for retreiving text (XML documents) for 'AKKK1': 65536
    2026/02/12 12:04:37.434 main - after load config...
    2026/02/12 12:04:37.434 main - Active traceflag : 13 = skipReorgUpdstatsArchTables
    2026/02/12 12:04:37.436 main - after new cnxmgr...
    2026/02/12 12:04:37.438 main - Try to connect to srv : ASEMON
    2026/02/12 12:04:37.440 main - Srv found in interfaces or SQL.INI file. Host=asemon1.private.cz Port=5000
    2026/02/12 12:04:37.440 main - Using password from passwords file for 'ASEMON.asemon'
    2026/02/12 12:04:37.539 main - Connected to archive server : ASEMON Database : asemon_archiv ASE Version : 16.1.00.00
    2026/02/12 12:04:37.541 main - Check/create sp_sysmon procs in archive database
    2026/02/12 12:04:37.611 main - Try to connect to srv : AKKK1
    2026/02/12 12:04:37.612 main - Srv found in interfaces or SQL.INI file. Host=akkk1.cz Port=4999
    2026/02/12 12:04:37.613 main - Using password from passwords file for 'AKKK1.asemon'
    2026/02/12 12:04:37.620 main - ERROR connectSRV (1). Srv=AKKK1 State= JZ00L Err= 0 Msg=JZ00L: Login failed. Examine the SQLWarnings chained to this exception for the reason(s).
    2026/02/12 12:04:37.620 main - ERROR connectSRV (2). Srv=AKKK1 State= JZ006 Err= 0 Msg=JZ006: Caught IOException: com.sybase.jdbc42.jdbc.SybConnectionDeadException: JZ0C0: Connection is already closed.


    --config_akkk1.xml
    <monitoredsrv>
    <srv>
    <name>AKKK1</name>
    <user> asemon </user>
    <usekerberos> NO </usekerberos>
    <charset> cp1250 </charset>
    <packet_size> </packet_size>
    <srvdescriptor> ASEV15 </srvdescriptor>
    <textsize> 65536 </textsize>
    <purgearchive daystokeep="666" deletesleep="666" startdelay="6666666" batchsize="666">
    <usessl> YES </usessl>
    </purgearchive></srv></monitoredsrv>

    --
    AKKK1 ASE Version : 16.0.04.07


    --interfaces
    AKKK1
    query tcp ether akkk1.cz 4999 ssl="CN='akkk1.private.cz'"

    query tcp ether akkk1.cz 5000


    --Test to port 4999
    isql -SAKKK1 -Uasemon -Jcp1250
    Password:
    1> select "NameServer: "+ @@servername +" // Cipher: "+ @@ssl_ciphersuite
    2> go


    NameServer: AKKK1 // Cipher: TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384

    Best regards,
    PetrK

     
  • Jean-Paul Martin

    Hi PetrK
    I have no idea also
    What did you change ? Did it work before with same ASE version (V16.0.04.7) without SSL ?

    Did you try the latest jConnect (V16.1 SP00 PL01 HF1 ) ?

    Best regards
    JP

     
  • Anonymous

    Anonymous - 2026-02-13

    Hi JPM

    This is my first attempt with SSL on asemon_logger.
    Without SSL it works normally (port 5000).
    Hmmm, and it works (NoSSL - on port 5000) even if in config_akkk1.xml "<usessl> YES </usessl>" ...??

    Above in the Ticket there is a note in the log from "Hardeep" "SSL is activated".
    He never wrote it to me. I'm going to be a little crazy.... As if SSL was not activated, and therefore it did not load the CA certificates...?? I don't know.

    The second possibility is that I have the wrong certificate store.
    From the ticket above: keytool -import -keystore /dba/sybase/ase/16.0.0.0.28334/jConnect-16_0/truststore -file HOSTNAME_key.pem -alias HOSTNAME.macbank

    What certificates should be in the "truststore"?
    There should be CA certificates that are signed by CN='akkk1.private.cz'" on AKKK1.... is that right?
    Is it important to have alias=HOSTNAME? In my case alias=AKKK1?

    I have /opt/sybase_161SP00/jConnect-16_1/truststore
    How does asemon_logger know what the truststore password is? I chose a password typical for Java "cha....t"

    Best regards,
    PetrK

     
  • Jean-Paul Martin

    Yes your certificate must be in the keystore (added with "keytool -import ... )
    Import the public certificate into the keystore with the alias 'akkk1.private.cz' since it seems you generated the certificate with this alias

    Before starting asemon_logger define these two variables :

    export SSLTRUSTSTORE=/dba/sybase/ase/16.0.0.0.28334/jConnect-16_0/truststore
    export SSLTRUSTSTOREPWD=password_of_your_truststore

    Didn't test this recently, but it worked in the past

    Best regards
    JP

     
  • Jean-Paul Martin

    By the way, I think the CN must be the name of the ASE server, AKKK1 in your case (without private.cz)
    Did my tests this way in the past
    Best regards
    JP

     
  • Anonymous

    Anonymous - 2026-02-16

    Thanks a lot for the tips, I tried and it didn't help.

    Still:
    ERROR connectSRV (1). Srv=AKKK1 State= JZ00L Err= 0 Msg=JZ00L: Login failed. Examine SQLWarnings concatenated to this exception for reason(s).

    Yes, the certificate for ASE should be a server certificate, i.e. AKKK1 (without private.cz),
    But our CA doesn't know how to do server certificates, it only knows url certificates.

    I tried them and they work everywhere (isql, InteractiveSQL, ASEISQL, DBeaver...). (SSL_TRUST_ALL_CERTS should be enabled for java, but it doesn't necessarily have to)
    But it's true that all clients need a CA certificate to verify it.

    So I understand that asemon needs the public part of the certificate (the CA isn't enough for it). Should I take it? (that could be the problem... oops)

    When enabling SSL on ASE, I've seen the error "Login failed..." before
    I tried turning various SSL settings on and off in DBeaver,
    ... and "Login failed...." only shouted at me when "ENABLE_SSL=false" was set.

    When I tried to take the certificates from him, he wrote a different error.

    On AKKK1 he writes to me:
    ssl_server_handshake: vsn 547 kpid 1021248174 enp_sslFailed to accept sslerr 0x20000422 status 2
    ssl_server_handshake: vsn 547 kpid 1021248174 FAILED sslerr 0x20000422

    And I can't think of one last problematic thing. Our ASE can only use the TLS_ECDHE_RSA_WITH_AES256_GCM_SHA384 cipher suite (jconn42 can work with that).
    Is there a default cipher suite set somewhere in the asemon libraries? I'm running out of ideas.

    I'm open to all ideas.
    Best regards,
    PetrK

     
  • Jean-Paul Martin

    Hi PetrK

    the only code in asemon_logger managing SSL is this

        if (useSSL) {
            if (verbose) Asemon_logger.printmess ("SSL is activated");
            props.put("ENABLE_SSL","TRUE");
        }
    

    So asemon sets the connection property "ENABLE_SSL" and does nothing else
    Do you get the message "SSL is activated" in the output messages when starting asemon_logger ?
    (verbose is set to true for first connection)

    For jConnect SSL connection configuration you should refer to SAP jConnect documentation or SAP support site

    I have no idea also on my side

    Best regards
    Jean Paul

     
  • Jean-Paul Martin

    There is a technical note on SAP support site describing actions to do for using SSL with V16

    Note is :
    2430055 - How to setup 3rd party/CA signed SSL with ASE and SDK - SAP ASE

     
  • Anonymous

    Anonymous - 2026-02-16

    Message "SSL is activated" in the output is missing.

     
  • Jean-Paul Martin

    So it seems you have a config problem in the asemon_config file
    Can you show me your section :

    ~~~
    <monitoredsrv>
    <srv>
    <name> enter_monitored_server_name_here </name>
    <user> enter_monitored_user_name_here </user>
    <usekerberos> enter_YES_or_NO </usekerberos>
    <charset> enter_monitored_server_charset_here_or_leave_empty </charset>
    <packet_size> </packet_size>
    <srvdescriptor> enter_monitored_server_descriptor_name_here_ex_ASEV125 </srvdescriptor>
    <purgearchive daystokeep="90" deletesleep="100">
    <textsize> 65536 </textsize>
    </purgearchive></srv>
    </monitoredsrv>
    ~~~

     
  • Jean-Paul Martin

    you should have :

    <useSSL> YES </useSSL>
    

    in this section

    (the SampleConfig.xml doesn't mention this)

     
  • Anonymous

    Anonymous - 2026-02-17

    OOOooooohohoooo

    It works.

    In the <monitoredsrv> section I had :
    <usessl> YES </usessl>

    (this is what several sources say, even here in the ticket it's all in lowercase)
    So java didn't do "Enable SSL".


    The correct thing is:
    <useSSL> YES </useSSL>

    2026/02/17 09:24:40.447 main - Try to connect to srv : AKKK1
    2026/02/17 09:24:40.448 main - Srv found in interfaces or SQL.INI file. Host=akkk1.cz Port=4999
    2026/02/17 09:24:40.448 main - Using password from passwords file for 'AKKK1.asemon'
    2026/02/17 09:24:40.449 main - SSL is activated
    2026/02/17 09:24:40.765 main - connectMonitoredASE - connected to : AKKK1 Version : 16.0.04.07 bootcount : 69

    In any case, thank you very much for the great help.

    Forever thanks
    Best regards,
    PetrK
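
The failure resolved above came down to the case of one element name: with `<usessl>` the logger never set ENABLE_SSL, never printed "SSL is activated", and connected without TLS wherever the port allowed it. The check below is an added example (not asemon's code and not from any poster in this ticket); it assumes the element must be spelled `useSSL` exactly as in the maintainer's reply, and the sample config and log lines are constructed.

```python
import re
import xml.etree.ElementTree as ET

EXPECTED = "useSSL"  # spelling from the maintainer's reply; assumed to be matched case-sensitively

def miscased_ssl_tags(config_xml):
    """Return (server, tag) for each element under <srv> that spells useSSL with different case."""
    findings = []
    for srv in ET.fromstring(config_xml).iter("srv"):
        name = (srv.findtext("name") or "?").strip()
        for el in srv.iter():
            if el.tag != EXPECTED and el.tag.lower() == EXPECTED.lower():
                findings.append((name, el.tag))
    return findings

LINE = re.compile(r"^\S+ \S+ (\S+) - (.*)$")   # "<date> <time> <thread> - <message>"
ATTEMPT = re.compile(r"^Try to connect to srv : (\S+)")

def ssl_state_per_attempt(log_text):
    """Per connection attempt: was 'SSL is activated' logged before the outcome?"""
    # State is kept per thread because asemon_logger threads interleave their lines.
    # Per the maintainer, the message is only guaranteed on the first (verbose) connection.
    open_attempts, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        a = ATTEMPT.match(msg)
        if a:
            open_attempts[thread] = {"srv": a.group(1), "ssl": False}
        elif thread in open_attempts:
            cur = open_attempts[thread]
            if msg == "SSL is activated":
                cur["ssl"] = True
            elif msg.startswith("ERROR connectSRV (1)") or "onnected to" in msg:
                cur["ok"] = not msg.startswith("ERROR")
                done.append(open_attempts.pop(thread))
    return done

# Constructed sample input, modelled on the config section and log format shown in this ticket.
SAMPLE_CONFIG = """<monitoredsrv><srv>
  <name> SRV_A </name>
  <user> asemon </user>
  <usessl> YES </usessl>
</srv></monitoredsrv>"""

SAMPLE_LOG = """\
2026/01/01 10:00:00.000 main - Try to connect to srv : SRV_A
2026/01/01 10:00:00.001 main - Using password from passwords file for 'SRV_A.asemon'
2026/01/01 10:00:00.010 main - ERROR connectSRV (1). Srv=SRV_A State= JZ00L Err= 0 Msg=JZ00L: Login failed.
2026/01/01 10:00:05.000 main - Try to connect to srv : SRV_B
2026/01/01 10:00:05.001 main - SSL is activated
2026/01/01 10:00:05.300 main - connectMonitoredASE - connected to : SRV_B Version : 16.0.04.07 bootcount : 1
"""

if __name__ == "__main__":
    print(miscased_ssl_tags(SAMPLE_CONFIG))
    print(ssl_state_per_attempt(SAMPLE_LOG))
```

An attempt that ends with `ssl` false and `ok` true for a server that is supposed to use SSL is the case to alert on: the logger connected, but in plaintext.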

     
  • Jean-Paul Martin

    Ok good,
    I changed the sampleConfig.xml file to include this SSL option
    Best regards
    JP

     
