000030809 - Older client unable to connect to RSA Data Protection Manager v3.5.2 or later versions

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000030809
Applies ToRSA Product Set: Key Manager
RSA Product/Service Type: Key Manager Appliance
RSA Version/Condition: 3.5.2 or later
IssueAn SSL connection error is reported by a pre-3.5.2 DPM or RKM client.
The actual event logged by the client will vary depending on the type of client (Java or C, token or key client, client version, etc).  For example, the event logged by a Java client may included the following information:
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake 
CauseSSL was disabled in DPM v3.5.2 and only TLS protocols are allowed.  However SSL is used by default by older DPM/RKM clients.  If SSL is used by the DPM/RKM client then it will not be able to connect to DPM v3.5.2 and later.
The above is in addition to several other reasons that could prevent a secure connection from failing.  Common causes are:

* an underlying network connectivity problem

* DPM/RKM client or DPM server/appliance configuration errors 
* secure socket errors, including certificate errors, protocol errors, etc.  Secure socket errors are documented in the "Error Alerts" section of the RFC for the TLS protocol that is in use.
TLS 1.0:  RFC 2246
TLS 1.1:  RFC 4346
TLS 1.2:  RFC 5246
RFC's are available from the IETF (Internet Engineering Task Force) website.
ResolutionCheck the secure sockets protocol being used by DPM/RKM client.  If SSL is being used by the DPM/RKM client, it will need to be re-configured to use TLS in order to connect to DPM 3.5.2 or later.

The ability to specify the TLS version to use by a DPM client was added in
  • version 3.5.1 of the C/C# Key client using the configuration parameter tlsVersion
  • version of the C Token client using the configuration parameter server.tlsVersion
  • version of the Java Token client using the configuration parameter server.tls_version
Refer to the DPM client configuration guides for possible values for those parameters.
For older Java clients, the secure sockets protocol can be specified using the JVM parameter -Dhttps.protocols (Oracle JDK and JRE).
For the RSA Token Server (to force the embedded DPM Key client), the secure sockets protocol can be specified in the JAVA_OPTS environment variable, by editing catalina.sh file to add the following:
JAVA_OPTS="$JAVA_OPTS -Dhttps.protocols=TLSv1"

If after re-configuring the client to use TLS, the connection is still failing, investigate for other possible causes such as the common causes listed above.
NotesJDK 5 and 6 supports TLSv1

JDK 7, 8 and 9 supports TLSv1, TLSv1.1 and TLSv1.2