Symantec Identity Manager - JCS unable to connect to a DYN LDAP over SSL


Article ID: 201580


Updated On:


CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Identity Suite


A custom DYN LDAP endpoint type connector has been created.

When attempting to connect to the endpoint, the following error is observed in jcs_daily.log:

2020-10-15 16:20:36,894 313011 [ApacheDS Worker-thread-14] ldap1_test1 ( ERROR  - eTDYNDirectoryName=test1,eTNamespaceName=ldap1,dc=im,dc=etasa: failed to connect to managed system
javax.naming.CommunicationException: simple bind failed: [Root exception is Remote host closed connection during handshake]
Caused by: Remote host closed connection during handshake
 at com.sun.jndi.ldap.Connection.writeRequest([:1.8.0_60]
 at com.sun.jndi.ldap.Connection.writeRequest([:1.8.0_60]
 at com.sun.jndi.ldap.LdapClient.ldapBind([:1.8.0_60]
 at com.sun.jndi.ldap.LdapClient.authenticate([:1.8.0_60]
 ... 71 more
Caused by: SSL peer shut down incorrectly
 ... 80 more


Release : 14.x

Component : IdentityMinder(Identity Manager)


The default security protocol used by the JCS is rejected by the endpoint.


Disable the security protocol that the endpoint does not support or rejects.

1. Open the file, which is available at the following location:

2. Add SSLv2Hello to the jdk.tls.disabledAlgorithms parameter:
    jdk.tls.disabledAlgorithms = SSLv3, SSLv2Hello, ECDH, ECDHE, RC4, DH keySize < 768

3. Restart the JCS service.
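
To check the result of step 2 before restarting the JCS, the following added example (not part of the original article or of the product) parses text in Java security-properties syntax, joins backslash-continued lines, and reports whether SSLv2Hello is listed in jdk.tls.disabledAlgorithms. The function names, the script name and the sample contents are assumptions constructed for illustration; pass the path of the file from step 1 as the argument.

```python
import re
import sys

KEY = "jdk.tls.disabledAlgorithms"

# Constructed sample in Java security-properties syntax (not from a real JCS host).
SAMPLE = """\
# jdk.tls.disabledAlgorithms=SSLv3
jdk.tls.disabledAlgorithms = SSLv3, SSLv2Hello, ECDH, ECDHE, \\
    RC4, DH keySize < 768
"""

def logical_lines(text):
    """Yield property lines: comments skipped, backslash continuations joined."""
    buf = None
    for raw in text.splitlines():
        line = raw.lstrip()
        if buf is None:
            if not line or line[0] in "#!":
                continue
            buf = ""
        # An odd number of trailing backslashes continues onto the next line.
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            buf += line[:-1]
            continue
        yield buf + line
        buf = None
    if buf is not None:
        yield buf

def disabled_algorithms(text, key=KEY):
    """Return the entries of `key`, or None if the property is not set."""
    value = None
    for line in logical_lines(text):
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == key:
            value = m.group(2)  # a later assignment overrides an earlier one
    if value is None:
        return None
    return [item.strip() for item in value.split(",") if item.strip()]

def sslv2hello_disabled(text):
    """True only if SSLv2Hello, spelled as in the article, is in the list."""
    return "SSLv2Hello" in (disabled_algorithms(text) or [])

if __name__ == "__main__":
    # Hypothetical usage: python check_tls.py <path to the file from step 1>
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    print(disabled_algorithms(data), sslv2hello_disabled(data))
```

A commented-out line or an earlier assignment that is overridden further down the file does not count as disabling the protocol, which is why the check reads the effective value rather than searching the file for the string.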

Additional Information

Further information about TLS configuration can be found in

For additional SSL-related troubleshooting, SSL-related logging can be enabled for the JCS service.

In a Windows-based deployment, this is done by editing the registry and adding

to the startup parameter via the registry key Options

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComputerAssociates\Identity Manager\Procrun 2.0\im_jcs\Parameters\Java

In a Linux-based deployment, this is done by adding to ../bin/im_jcs

The jcs_service_stdout.log should then include additional SSL-related details that can be used for troubleshooting.
