SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

Java API 8.2 AM SSL Handshake Errors

I'm starting to work with the above API. I've been able to configure my environment with all the libs, etc and the code compiles. I'm trying to get the working with my environment (8.2). I've followed the API docs on setting this up but in the end this is the error message:



<Mar 2, 2017 1:52:50 PM PST> <Info> <Security> <BEA-090905> <Disabling the CryptoJ JCE Provider self-integrity check for better startup performance. To enable this check, specify> 
<Mar 2, 2017 1:52:50 PM PST> <Info> <Security> <BEA-090906> <Changing the default Random Number Generator in RSA CryptoJ from ECDRBG128 to FIPS186PRNG. To disable this change, specify>
<Mar 2, 2017 1:52:50 PM PST> <Info> <Security> <BEA-090908> <Using the default WebLogic SSL Hostname Verifier implementation.>
ERROR, .com,,,,Attempting downgraded connection protocol to EJB/2.1.
ERROR, .com,,,,Unable to connect to downgraded EJB/2.1 command server.t3s:// Destination xx.xx.xx.xx, 7002 unreachable; nested exception is: General SSLEngine problem; No available router to destination
<<Snipped - same message repeated 6 times>>
Unable to authenticate user : Failed to connect with command server
C:\Users\m91153\AppData\Local\NetBeans\Cache\8.1\executor-snippets\run.xml:53: Java returned: 2
BUILD FAILED (total time: 6 seconds)‍‍‍‍‍‍‍‍‍‍

My workstation can ping the RSA box no problem so I don't think router in the error message is referring to that. I've export the SSL cert from the system and imported into a keystore.


I've also attached a screenshot of the file too.


Thanks for reading.



4 Replies

Did you ever figure out the solution to this?



Did you get any solution. Please help me out

Employee (Retired) Employee (Retired)
Employee (Retired)

Mark Schoonover‌,

I've moved your question to the RSA SecurID Access" data-type="space space where it will be seen by the product's support engineers, other customers and partners.  Please bookmark this page and use it when you have product-specific questions.


Alternatively, from the RSA Customer Support" data-type="space page, click on Ask A Question on the blue navigation bar and choose Ask A Product Related Question.  From there, scroll to RSA SecurID Access" data-type="space and click Ask A Question.  That way your question will appear in the correct space.





Occasional Contributor Occasional Contributor
Occasional Contributor

The error you're seeing can be due to several reasons.

1- Maybe you're not using the correct root certificate for the AM, you must export it using this way:

Export the Server Root Certificate
Use the following procedure to export the server root certificate from the Authentication Manager server using Microsoft Internet Explorer.


Launch Internet Explorer, and go to the following URL: https://server_name:7002. The Error 404 page appears.
Right click anywhere on the Error 404 page and select Properties.
In the Properties dialog box, click Certificates.
In the Certificate dialog box, select the Certification Path tab.
Click the top item in the certificate path.
Click View Certificate.
In the Certificate dialog box, click the Details tab.
Click Copy to File.
On the Certificate Export Wizard page, click Next.
On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
On the File to Export page, click Browse.
Browse to a location to store the root certificate, enter am_root.cer in the File name field, make sure that Save as type is DER Encoded Binary X.509(*.cer), and click Save.
On the File to Export page, click Next.
On the Completing the Certificate Export page, click Finish.
Click OK.

Then import it in a keystore file using this way:


Copy the root certificate, from the local machine to the client host.
On the client host, open a new command shell, and change directories to JAVA_HOME/jre/bin.
keytool -import -keystore SDK_HOME/lib/java/trust.jks -storepass cacerts_keystore_password -file am_root.cer -alias rsa_am_ca -trustcacerts


SDK_HOME is the installation directory for the Authentication Manager Software Development Kit
cacerts_keystore_password is the keystore password
and press ENTER.

The Java keytool confirms that the certificate is added to the keystore.

Then this key store you should point to it in the VM Arguments while running your code.

2- If your on AM 8.4 and above, your Code must connect to the AM using TLSv1.2, thus make sure that you use Java 1.8 and you must use the JARs from that specific version, do not use the .jar files from any older AM Version even if it's compatible with your code.

The following are Java system properties must be specified on the Java command line for correct client operation:

-Dlog4j.configuration=file:RSA Authentication Manager SDK/samples/admin/src/log4j.xml - The location of the log4j.xml configuration file. You can copy the log4j.xml file to any location as long as the property points to it. This property is required for applications that use logging. - The trust store for SSL EJB connections.

WebLogic requires the use of the TLSv1.2 protocol. Specify the following: