Known Issues

SSL/TLS/Kerberos connectivity problems

Limited cryptography

If you are running SpectX on a JRE version below 8u161 and observe any of the following exceptions when connecting to data sources over secure protocols with strong encryption algorithms:

javax.net.ssl.SSLHandshakeException: Received fatal alert: insufficient_security
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: insufficient_security
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    ...
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    ...
Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
    ...
Caused by: java.lang.RuntimeException: Could not generate DH keypair
    at sun.security.ssl.DHCrypt.<init>(DHCrypt.java:142)
    ...
Caused by: java.security.InvalidAlgorithmParameterException: DH key size must be multiple of 64, and can only range from 512 to 2048 (inclusive). The specific key size 4096 is not supported
    at com.sun.crypto.provider.DHKeyPairGenerator.initialize(DHKeyPairGenerator.java:128)
    ...
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    ...
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    ...
org.ietf.jgss.GSSException: Failure unspecified at GSS-API level (Mechanism level: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled)
    at sun.security.jgss.krb5.Krb5Context.acceptSecContext(Unknown Source)
    ...
Caused by: KrbException: Encryption type AES256 CTS mode with HMAC SHA1-96 is not supported/enabled
    at sun.security.krb5.EncryptionKey.findKey(Unknown Source)
    ...

then the most likely cause is that your JVM is not provisioned for Java unlimited cryptography.

To verify that this is the case, check the SpectX debug log for the following message at startup:

"Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy is not enabled"

To resolve the issue you need either:

Renewable tickets

If you are running SpectX on a JRE version above 8u241 and observe the following exception on unsuccessful Kerberos login attempts:

Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
    at sun.security.krb5.KrbKdcRep.check(KrbKdcRep.java:53)

then you can try one of the workarounds below:

  • remove the following line from your krb5.conf file:
    renew_lifetime = 7d
  • pass the following option to the JVM:
    -Dsun.security.krb5.disableReferrals=true
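
To tell the two issues in this section apart from a log, the signatures quoted above can be matched mechanically. The script below is an added example, not part of SpectX; the log layout and timestamps in the samples are constructed, and only the message strings come from this page.

```shell
#!/bin/sh
# Added example. Reads a log from the named file(s) or stdin and reports which
# issue from this section matches, using only strings quoted on this page.
triage_spectx_log() {
    awk '
        /Unlimited Strength Jurisdiction Policy is not enabled/ { jce = 1 }
        /Received fatal alert: (insufficient_security|handshake_failure)/ { weak = 1 }
        /Could not generate DH keypair/ { weak = 1 }
        /Encryption type .* is not supported\/enabled/ { weak = 1 }
        /KrbApErrException: Message stream modified \(41\)/ { renew = 1 }
        END {
            # The exceptions alone are ambiguous; the startup message settles it.
            if (weak && jce)  print "limited-crypto: confirmed by JCE policy message"
            if (weak && !jce) print "limited-crypto: suspected, JCE policy message not found"
            if (renew)        print "renewable-tickets: Message stream modified (41)"
        }' "$@"
}

# Constructed sample logs (timestamps and layout are made up; messages are from this page).
sample_log_a() {
    cat <<'EOF'
2020-03-01 10:00:00 DEBUG Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy is not enabled
2020-03-01 10:05:12 ERROR javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
EOF
}
sample_log_b() {
    cat <<'EOF'
2020-03-01 11:00:00 ERROR javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2020-03-01 11:02:30 ERROR Caused by: sun.security.krb5.internal.KrbApErrException: Message stream modified (41)
EOF
}

sample_log_a | triage_spectx_log
sample_log_b | triage_spectx_log
```

A "suspected" result means a handshake or encryption-type failure was logged without the startup message, so causes other than the JCE policy should be checked as well.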

Native libraries unavailability

If you are running SpectX on a host where the directory for temporary files (/tmp) is mounted with the noexec option, you may encounter problems with unavailable native decompression libraries (Zlib/Bzip2). By default, the SpectX process extracts the required libraries to the system-provided temporary directory, but the noexec option prevents it from loading the extracted libraries from that directory. This results in a java.lang.UnsatisfiedLinkError with the message “failed to map segment from shared object: Operation not permitted”, which can be observed in the error logs.

To resolve the issue, please provide another temporary directory to be used for storing and executing the bundled native libraries, and specify its location with the “jna.tmpdir” system property for SpectX in the environment script as follows:

JAVA_OPTS="${JAVA_OPTS} -Djna.tmpdir=/path/to/tmp/dir"

Alternatively, you can specify full paths to the required libraries, stored in a location that permits execution, in the script with the following properties:

  • com.spectx.zlib.path - path to zlib library/dll
  • com.spectx.bzip2.path - path to bzip2 library/dll

as follows:

JAVA_OPTS="${JAVA_OPTS} -Dcom.spectx.zlib.path=/path/to/zlib.so -Dcom.spectx.bzip2.path=/path/to/bzip2.so"
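
Before pointing jna.tmpdir at a new directory, it is worth confirming that the directory is not itself on a noexec mount. The script below is an added example, not part of SpectX: it finds the mount that holds a directory in /proc/mounts format and picks the first candidate that allows execution. The /opt/spectx paths and the mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example. mount_has_noexec DIR [MOUNTS_FILE]
#   returns 0 if the filesystem holding DIR is mounted noexec, 1 otherwise.
mount_has_noexec() {
    dir=$1
    mounts=${2:-/proc/mounts}
    # Longest mount point that is a path prefix of DIR wins; a later entry for
    # the same mount point shadows an earlier one. Options are field 4.
    awk -v d="$dir" '
        {
            mp = $2
            if (mp == "/" || d == mp || index(d, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); opts = $4 }
        }
        END {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "noexec") exit 0
            exit 1
        }' "$mounts"
}

# pick_jna_tmpdir MOUNTS_FILE CANDIDATE...
#   prints the first candidate that is not on a noexec mount; returns 1 if none.
pick_jna_tmpdir() {
    mounts=$1; shift
    for cand in "$@"; do
        if ! mount_has_noexec "$cand" "$mounts"; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# Constructed mount table in /proc/mounts format (hypothetical host and paths).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /opt/spectx ext4 rw,relatime 0 0
tmpfs /opt/spectx/scratch tmpfs rw,noexec 0 0
EOF
}

m=$(mktemp) && sample_mounts > "$m"
d=$(pick_jna_tmpdir "$m" /tmp /opt/spectx/scratch /opt/spectx/jna-tmp) &&
    echo "JAVA_OPTS=\"\${JAVA_OPTS} -Djna.tmpdir=$d\""
rm -f "$m"
```

On a real host, omit the mounts file argument to mount_has_noexec so that it reads /proc/mounts, and make sure the chosen directory exists and is writable only by the account that runs SpectX.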

Antivirus Impact on Query Processing Speed

Some antivirus software can interfere with the SpectX process, causing queries to run dramatically slower. When you run a query in SpectX, a number of files are created on your computer. If your antivirus software has real-time scanning enabled, the antivirus can force the processes to halt each time a file is created while the antivirus scans that file.

If you’re using Windows Defender, SpectX automatically checks whether you have real-time scanning enabled, and whether the real-time scanning is configured to process directories where SpectX writes files.

SpectX Desktop offers you the possibility to exclude those directories from real-time scanning by taking action in the notification dialog that appears after starting SpectX in Windows. Click ‘Ignore’ to continue real-time scanning and not see the notification again.

With SpectX Server Edition you must perform the necessary configuration manually. You can do so either by executing the respective PowerShell command or by following these steps:

  1. Click the Start button
  2. Type “Windows Security”
  3. Click on “Virus and threat protection”
  4. Click on “Manage settings” under “Virus & threat protection settings”
  5. Scroll down if needed, and then click on “Add or remove exclusions”
  6. For every folder shown in the notification, press the + button, select “Folder” from the menu, and select the folder.

If you’re using a different antivirus product, you may still be affected by the problem, but it cannot be detected or corrected automatically. If you’re experiencing poor query performance, please follow the instructions of your antivirus product to exclude the following SpectX directories from real-time scanning:

  • Processing data directory (sx.pu_data.dir, default: ${SPECTX_HOME}/pudata)
  • Cache directory (sx.pu_data.cache.dir, default: ${SPECTX_HOME}/pudata/cache)
  • Log directory (wgui.log.dir, default: ${SPECTX_HOME}/logs)

Caution

To ensure that your computer is safe from malicious software, you should not completely disable real-time scanning or your antivirus software.

Note

SpectX runs the powershell.exe process to detect whether Windows Defender is active and to exclude the directories from real-time scanning by the antivirus. This may trigger suspicious activity detection by other antivirus tools. This behavior is by design. It’s safe to permit running PowerShell from the user interface dialog.