|Applies To||RSA Product Set: Key Manager|
RSA Product/Service Type: Key Manager Appliance
RSA Version/Condition: 3.5.2 or later
|Issue||An SSL connection error is reported by a pre-3.5.2 DPM or RKM client.|
The actual event logged by the client will vary depending on the type of client (Java or C, token or key client, client version, etc.). For example, the event logged by a Java client may include the following information:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
|Cause||SSL was disabled in DPM v3.5.2 and only TLS protocols are allowed. However, SSL is used by default by older DPM/RKM clients. If SSL is used by the DPM/RKM client, it will not be able to connect to DPM v3.5.2 and later.|
The above is in addition to several other reasons that could cause a secure connection to fail. Common causes are:
* an underlying network connectivity problem
* DPM/RKM client or DPM server/appliance configuration errors
* secure socket errors, including certificate errors, protocol errors, etc. Secure socket errors are documented in the "Error Alerts" section of the RFC for the TLS protocol that is in use.
TLS 1.0: RFC 2246
TLS 1.1: RFC 4346
TLS 1.2: RFC 5246
RFCs are available from the IETF (Internet Engineering Task Force) website.
|Resolution||Check the secure sockets protocol being used by the DPM/RKM client. If SSL is being used by the DPM/RKM client, it will need to be re-configured to use TLS in order to connect to DPM 3.5.2 or later.|
The ability to specify the TLS version to use by a DPM client was added in
For older Java clients, the secure sockets protocol can be specified using the JVM parameter -Dhttps.protocols (Oracle JDK and JRE).
For the RSA Token Server (to force the embedded DPM Key client), the secure sockets protocol can be specified in the JAVA_OPTS environment variable, by editing the catalina.sh file to add the following:
If the connection is still failing after re-configuring the client to use TLS, investigate other possible causes, such as the common causes listed above.
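One way to check which protocol a failing client is offering, and to read the alert a server sends back, is to decode the first record of each direction from a packet capture. The following is an added example, not RSA code; the function names are hypothetical and the byte strings are constructed samples.

```python
import struct

# Protocol versions as (major, minor) bytes on the wire.
VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1",
            (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
# Subset of the alert descriptions in RFC 5246, section 7.2.
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 45: "certificate_expired", 46: "certificate_unknown",
          48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security"}
LEVELS = {1: "warning", 2: "fatal"}

# Constructed samples: only the leading bytes of each message, not real captures.
SSL3_HELLO = bytes.fromhex("1603000006010000020300")   # ClientHello offering SSLv3
TLS12_HELLO = bytes.fromhex("1603010006010000020303")  # ClientHello offering TLSv1.2
V2_HELLO = bytes.fromhex("802e010301")                 # SSLv2-format hello offering TLSv1
PROTO_ALERT = bytes.fromhex("15030100020246")          # fatal protocol_version alert

def _version(major, minor):
    return VERSIONS.get((major, minor), "unknown(%d,%d)" % (major, minor))

def classify_record(data):
    """Describe the first record seen in one direction of a connection attempt."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2-format ClientHello: high bit set in the length, message type 1, then version.
    if data[0] & 0x80 and data[2] == 1:
        return {"kind": "client_hello", "format": "SSLv2Hello",
                "max_version": _version(data[3], data[4])}
    rtype, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record")
    if rtype == 21 and length == 2:  # unencrypted alert: level, description
        return {"kind": "alert", "level": LEVELS.get(body[0], "unknown"),
                "description": ALERTS.get(body[1], "alert(%d)" % body[1])}
    if rtype == 22 and length >= 6 and body[0] == 1:  # handshake record, client_hello
        # body layout: msg_type(1) + length(3) + client_version(2)
        return {"kind": "client_hello", "format": "TLS record",
                "max_version": _version(body[4], body[5])}
    return {"kind": "other", "record_type": rtype}

def offers_only_ssl(info):
    """True when a ClientHello advertises nothing newer than SSLv3."""
    return info["kind"] == "client_hello" and info["max_version"] in ("SSLv2", "SSLv3")
```

A ClientHello for which `offers_only_ssl` returns True comes from a client that still needs the TLS re-configuration described above; an alert other than `protocol_version` points toward the certificate or configuration causes instead.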
|Notes||JDK 5 and 6 support TLSv1|
JDK 7, 8 and 9 support TLSv1, TLSv1.1 and TLSv1.2