This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA® Access Manager Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by RSA Access Manager experts.

RSA Access Manager API cannot connect to 6.2 SP4 Servers due to SSLException illegal_parameter error

Article Number

000034820

Applies To

RSA Product Set: Access Manager
RSA Product/Service Type: Access Manager Server, Access Manager Runtime API, Access Manager Administrative API
RSA Version/Condition: 6.2 SP4 Server / 6.2 SP3 and earlier Runtime API / 6.2 SP3 and earlier Administrative API

Issue

After upgrading Access Manager Servers to version 6.2 SP4, clients using an older Runtime API or Administrative API (6.2 SP3 or earlier) fail to connect to the Server and log an exception similar to the following:
  
sirrus.api.client.TransportException: Cannot connect to the Entitlements Server at <host name> port 5601: javax.net.ssl.SSLException: Received fatal alert: illegal_parameter
        at sirrus.api.client.impl.ServerProxy.createSocket(ServerProxy.java:234)
        at sirrus.api.client.impl.ServerProxy.connect(ServerProxy.java:135)
        at sirrus.api.client.APIServerProxy.connect(APIServerProxy.java:234)

When connecting to the Entitlements Server, the eserver.log file may provide additional information:
  
sequence_number=3,date=2017-02-10 10:38:55:723 EST,messageID=-2,internal_error,description='No shared ciphers for protocol',details='javax.net.ssl.SSLException: No shared ciphers for protocol'

Cause

In Access Manager 6.2 SP4, all cipher suites with names containing the keywords in the list below, have been disabled and are no longer supported:
  
EXPORT
DES
3DES
DES40
NULL
RC4

Any clients using the Runtime API or Administrative API, with cipher suites that only match these patterns, will cause the exception.

Resolution

Client applications should be recompiled with the Access Manager 6.2 SP4 Runtime API and Administrative API libraries.
  • API libraries and their documentation are available in the sdk subfolder of the Access Manager v6.2 SP4 package.
  • See the RSA Access Manager Server 6.2.4 Downloads page to obtain the 6.2 SP4 package for available platforms. A current Access Manager support contract and RSA Link login are required.

Workaround

This Workaround is not recommended by RSA, and should be used with caution, because it enables cipher suites that have known security vulnerabilities. 
This Workaround is provided only for situations where there is a compelling reason that the Resolution documented above cannot be used.  In that scenario, we recommend compensating controls be introduced as well to mitigate the risk.

Setting the parameter cleartrust.net.ssl.excluded_cipher_suites in the Access Manager Server configuration files (aserver.conf, eserver.conf, dispatcher.conf, iserver.conf, keyserver.conf, lserver.conf, and selfservice.conf), allows you to override the default list of excluded cipher suites for RSA Access Manager Server.  The Server can, therefore, be made backward compatible with the 6.2 SP3 and earlier Runtime API and Administrative API by setting this parameter in the configuration files.

The default setting used by Access Manager Server 6.2 SP4 if the parameter is not specified in the Server configuration files is: 
cleartrust.net.ssl.excluded_cipher_suites=_EXPORT_,_DES_,_3DES_,_DES40_,_NULL_,_RC4_

That setting prevents all those weak ciphers from being used.

To allow a specific cipher, you should add this parameter to the Server configuration files, with the required cipher omitted from the list.  For example, if 3DES is needed, the parameter should be specified with 3DES omitted, as follows:
cleartrust.net.ssl.excluded_cipher_suites=_EXPORT_,_DES_,_DES40_,_NULL_,_RC4_

If you are unsure of which cipher you need to use, you can remove all ciphers from the exclusion list by setting the parameter to: 
cleartrust.net.ssl.excluded_cipher_suites=none

For a cipher suite to be available to use, it must also be supported by the underlying JDK on the client platform and on the RSA Access Manager Server.

Notes

  • RSA does not support mixed API and Server versions.   Access Manager Server v6.2 SP4 is only qualified with 6.2 SP4 APIs.
  • More information about allowed cipher suites and the cleartrust.net.ssl.excluded_cipher_suites parameter is in the RSA Access Manager 6.2 SP4 Security Configuration Guide, sections "SSLv3 Vulnerabilities & POODLE Protection" on page 14 and "Freak and LogJam Vulnerability Protection" on page 16.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:10 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.