Authentication Manager 8.8 and later
Services other than the RSA Database Server (such as WebLogic Managed Servers: biztier, console, radius, etc.) may fail to start. The following errors may appear in the logs:
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:... does not permit use for SSL server
Additionally, Managed Servers may fail to connect to the Administration Server, with messages such as:
Could not register with the Administration Server
The Administration Server could not be reached
This issue is caused by improper or inconsistent certificate extensions (usage attributes) in the TLS server certificate used by Authentication Manager.
Typical contributing factors include:
- The certificate does not clearly define its intended use as a TLS server certificate
- Required extensions (such as Extended Key Usage) are missing or incorrectly configured
- Legacy or non-standard extensions conflict with modern certificate validation rules
In Authentication Manager 8.8, the underlying TLS and certificate validation behavior has become stricter. As a result, certificates with ambiguous or improper usage definitions may be rejected during the TLS handshake process. When the TLS handshake fails, Managed Servers cannot communicate with the Administration Server, causing service startup failures.
Reissue the Server Certificate
Generate and deploy a new server certificate that meets modern requirements.
- Explicitly define certificate usage through appropriate extensions
- Avoid relying on legacy or non-standard extensions
- Do not use default OpenSSL configurations without modification
- Ensure required extensions are included at the time of certificate creation
Required configuration
- Extended Key Usage: TLS Web Server Authentication (serverAuth)
- Key Usage: Digital Signature, Key Encipherment
- Subject Alternative Name (SAN): Fully Qualified Domain Name (FQDN) of the server
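The following script is an added example, not part of the original article or of RSA's tooling. It signs a test certificate with the three required extensions set explicitly through OpenSSL, then checks that they are present and that OpenSSL accepts the certificate for the TLS server purpose. The throwaway CA, the file names, the FQDN am01.example.test and the function names issue_cert and check_cert are all constructed for illustration.

```shell
#!/bin/sh
# Added example; the CA, file names and FQDN below are constructed.
FQDN="am01.example.test"   # placeholder FQDN (assumption)

# issue_cert DIR NAME EKU: sign a test certificate with explicit extensions.
issue_cert() {
  d="$1"; name="$2"; eku="$3"
  # Minimal req config so nothing is inherited from the system openssl.cnf.
  cat > "$d/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Extensions applied at signing time: the three items listed above.
  cat > "$d/$name.ext" <<EOF
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = $eku
subjectAltName = DNS:$FQDN
EOF
  # Throwaway CA, created once per directory (stand-in for the issuing CA).
  [ -f "$d/ca.pem" ] || openssl req -x509 -config "$d/req.cnf" -newkey rsa:2048 \
    -nodes -days 1 -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  openssl req -new -config "$d/req.cnf" -subj "/CN=$FQDN" -newkey rsa:2048 \
    -nodes -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -extfile "$d/$name.ext" -out "$d/$name.pem" 2>/dev/null
}

# check_cert DIR NAME: succeed only if all three extensions are present and
# OpenSSL accepts the certificate for the TLS server purpose.
check_cert() {
  d="$1"; name="$2"
  txt=$(openssl x509 -in "$d/$name.pem" -noout -text) || return 1
  printf '%s\n' "$txt" | grep -q "TLS Web Server Authentication" || return 2
  printf '%s\n' "$txt" | grep -q "Digital Signature, Key Encipherment" || return 3
  printf '%s\n' "$txt" | grep -q "DNS:$FQDN" || return 4
  openssl verify -purpose sslserver -CAfile "$d/ca.pem" "$d/$name.pem" \
    >/dev/null 2>&1 || return 5
}

tmp=$(mktemp -d)
issue_cert "$tmp" server serverAuth && check_cert "$tmp" server && echo "server.pem: usable as TLS server certificate"
rm -rf "$tmp"
```

Running check_cert against an existing certificate before the upgrade shows which of the three extensions is missing through its return code (2 for Extended Key Usage, 3 for Key Usage, 4 for SAN).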
This issue is not a software defect, but a result of certificate configuration. It may occur when upgrading from earlier versions where certificate validation was less strict. Adjusting java.security settings or relaxing TLS constraints does not resolve this issue in most cases.