Pharos Blueprint - Tracker and EDI Web Service tests fail
  • 22 Apr 2024

Article summary

Pharos Blueprint - Tracker and EDI Web Service tests fail with the message "An unexpected error occurred on a receive", or the Secure Release Service test fails with "The client and server cannot communicate, because they do not possess a common algorithm."


Affected Environments

  • Pharos Blueprint Enterprise 5.0 (any service pack level)

  • Pharos Blueprint Enterprise 5.1 (any service pack level)

  • Pharos Blueprint Enterprise 5.2 R1 (any service pack level)

  • Pharos Blueprint Enterprise 5.2 R2 (any service pack level)

  • Microsoft Windows Server 2008 R2

  • Microsoft Windows Server 2012

  • Microsoft Windows Server 2012 R2

  • Microsoft Windows Server 2016

Problem Statement

When installing Blueprint 5.x the initial Tracker and EDI web service tests fail with the message "The underlying connection was closed: an unexpected error occurred on a receive." There may also be a message about "unexpected error occurred on a send."

Cause

This error happens because SSL is enabled for the Tracker web service (where it is optional) and the EDI web service (where it is enabled by default and required), but the server has not been enabled to support any of the protocols (TLS 1.0, 1.1, or 1.2; 1.2 is only compatible with Blueprint Enterprise 5.2 R1 Service Pack 3 or Blueprint Enterprise 5.2 R2). This is normally because a Group Policy Object (GPO) setting or the organization's default operating system image has disabled or removed the SChannel protocols in the Windows Registry.

Resolution

The necessary protocols can be enabled in the Windows Registry.

  1. Launch RegEdit.

  2. Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Within there, look for TLS 1.0 and TLS 1.1.

  3. Expand each to expose the Client and Server subkeys. If these keys are not there, use the attached file "CreateTLS1.1.txt" as a basis for an import into the Microsoft Windows Registry.

  4. When selected, the key will have a value, "Enabled". Change it to a Hexadecimal value of 1. Ensure that each subkey's "Enabled" value is set to 1 for TLS 1.0 and 1.1. If necessary, only TLS 1.1 needs to be enabled.

  5. When completed, restart the server.

From this point, the SSL-enabled web services will pass their tests.
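
The registry check in steps 2 to 4 can also be scripted. The PowerShell below is an added example, not part of the Pharos article or its attached "CreateTLS1.1.txt"; the function names are hypothetical, it assumes PowerShell 3.0 or later in an elevated session, and it also reports the SChannel "DisabledByDefault" value, which the article does not mention.

```powershell
# Added example, not Pharos code. Function names are hypothetical.
# Assumes PowerShell 3.0+ in an elevated session on the Blueprint server.
$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$roles = 'Client', 'Server'

# Report what the registry holds for each protocol/role pair (steps 2-4).
function Get-SchannelProtocolState {
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in $roles) {
            $key     = Join-Path $base "$protocol\$role"
            $present = Test-Path $key
            $props   = if ($present) { Get-ItemProperty -Path $key } else { $null }
            # No key or no "Enabled" value: SChannel falls back to the OS default.
            $state = if (-not $present -or $null -eq $props.Enabled) {
                'OS default'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else { 'Enabled' }
            [pscustomobject]@{
                Protocol          = $protocol
                Role              = $role
                KeyPresent        = $present
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault  # not covered by the article
                State             = $state
            }
        }
    }
}

# Step 4: create the Client/Server subkeys if missing and set Enabled = 1.
function Enable-SchannelProtocol {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][ValidateSet('TLS 1.0', 'TLS 1.1', 'TLS 1.2')][string]$Protocol)
    foreach ($role in $roles) {
        $key = Join-Path $base "$Protocol\$role"
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled = 1')) {
            # Only create the key when absent; New-Item -Force on an existing key would reset it.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
# Enable-SchannelProtocol -Protocol 'TLS 1.1' -WhatIf   # preview; rerun without -WhatIf, then restart (step 5)
```

If a GPO manages these keys, a value set this way can be overwritten at the next policy refresh, so rerun the report after the restart.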

Reference

The following Microsoft article discusses cipher support in the various Windows operating systems and the Windows Registry settings that support them. TLS-SSL Settings | Microsoft Docs

Additionally, Pharos Blueprint Enterprise (and other Pharos Systems applications) is .NET version-dependent. This means that a specific .NET version's support for an SChannel protocol must also be considered. The table below lists protocol support by operating system version. A value of On is the default configuration unless affected by Group Policy.

| Windows version | SSL2 Client | SSL2 Server | SSL3 Client | SSL3 Server | TLS 1.0 Client | TLS 1.0 Server | TLS 1.1 Client | TLS 1.2 Client | TLS 1.2 Server |
|---|---|---|---|---|---|---|---|---|---|
| Windows Vista SP2 and Windows Server 2008 SP2 | Off | On | On | On | On | N/A | N/A | N/A | N/A |
| Windows 7 SP1 and Windows Server 2008 R2 SP1 | Off | On | On | On | On | On | Off | Off | Off |
| Windows Server 2012 | Off | On | On | On | On | On | On | On | On |
| Windows 8.1 and Windows Server 2012 R2 | Off | Off | On | On | On | On | On | On | On |
| Windows 10 | Off | Off | On | On | On | On | On | On | On |
| Windows 10 (1511) | Off | Off | On | On | On | On | On | On | On |
| Windows 10 (1607) and Windows Server 2016 | N/A | N/A | Off | Off | On | On | On | On | On |

Source: https://support.microsoft.com/en-us/help/3154519/support-for-tls-system-default-versions-included-in-the-net-framework. Note that systems utilizing .NET 3.5/2.0 will require the addition and enablement of the "SystemDefaultTlsVersions" Registry key after Service Pack 2 for this version of .NET has been applied.

