000012337 - How to troubleshoot SSL handshake failures with JAVA debugging option.

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000012337
Applies To: RSA Access Manager 6.0; Java Runtime Environment 1.5
Issue: How to troubleshoot SSL handshake failures with JAVA debugging option.

Example of SSL error exception:

Thread-16, READ: TLSv1 Alert, length = 2
Thread-16, RECV TLSv1 ALERT:  fatal, certificate_unknown
Thread-16, called closeSocket()
Thread-16, Exception while waiting for close javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Thread-16, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
MuxWorker-9, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

Cause: Trusted certificate is incorrect.
Resolution

Add the following line to the java startup command for the RSA Access Manager servers:

 -Djavax.net.debug=all

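If you are using a runtimeAPI or adminAPI program, you can set the system property in your code with the following line. It must run before the first SSL connection is made, because JSSE reads the property only once, when its classes are initialized:

System.setProperty("javax.net.debug", "all");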

This enables JSSE debug mode, which prints all the SSL certificates and handshake information.


Ensure that the correct LDAP SSL Server certificate is trusted in the JKS or PKS keystore for Mutual SSL Authentication.
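
One way to confirm which certificate chain the LDAP server presents and whether a given JKS keystore trusts it. This is an added example, not RSA code; the class name TrustCheck and its command-line arguments are assumptions. It checks chain trust only, not the host name or the client-certificate side of mutual SSL, and is written to compile on Java 1.5.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example. Usage: java TrustCheck <truststore.jks> <password> <host> <port>
public class TrustCheck {
    // Delegates to the keystore-backed trust manager (trust is still enforced)
    // but keeps the chain the server presented and the reason for any rejection.
    static class Recorder implements X509TrustManager {
        final X509TrustManager delegate;
        X509Certificate[] chain;
        CertificateException rejected;
        Recorder(X509TrustManager d) { delegate = d; }
        public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
            chain = c;
            try { delegate.checkServerTrusted(c, t); }
            catch (CertificateException e) { rejected = e; throw e; }
        }
        public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
            delegate.checkClientTrusted(c, t);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try { ks.load(in, args[1].toCharArray()); } finally { in.close(); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        Recorder rec = new Recorder((X509TrustManager) tmf.getTrustManagers()[0]);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rec }, null); // no client key: server auth only
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], Integer.parseInt(args[3]));
        String result = "chain TRUSTED by " + args[0];
        try { s.startHandshake(); }
        catch (SSLException e) { result = "handshake failed for another reason: " + e.getMessage(); }
        finally { s.close(); }
        if (rec.rejected != null) result = "chain NOT TRUSTED by " + args[0] + ": " + rec.rejected.getMessage();
        for (int i = 0; rec.chain != null && i < rec.chain.length; i++) {
            System.out.println(i + " subject=" + rec.chain[i].getSubjectX500Principal());
            System.out.println("  issuer=" + rec.chain[i].getIssuerX500Principal() + " notAfter=" + rec.chain[i].getNotAfter());
        }
        System.out.println(result);
    }
}
```

If the server requires a client certificate, the handshake can still fail after the chain has been accepted; the program reports that case separately from a trust rejection.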
Notes

See the Sun Java documentation for JSSE debugging: 

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

Legacy Article ID: a44958
