You cannot log into EEM after upgrading the Java version on the [app-server] to 1․8․0_481 or later․​​​​‌​‍

ERROR MESSAGE: "bad host for eEM" "Received fatal alert: handshake_failure"

SYMPTOMS:

• EEM login fails

• jaws․log shows: Authentication failed; user: "[username]" (password); context not available

• eem․sdk․log shows: javax․net․ssl․SSLHandshakeException

• AAI Version: 24․x

• EEM Version: 12․6․2 and earlier

• Java Version: 1․8․0_481 or later

Root Cause: Java 8u481 Security Hardening

The Java 8u481 release (January 20, 2026) introduced critical security blocks that strictly disable legacy communication methods. Here is exactly what changed:

• Disabled Algorithms (JDK-8245545): This fix added TLS_RSA_* to the jdk.tls.disabledAlgorithms list, effectively killing all static RSA key exchange ciphers used by older servers.

• Handshake Signatures (JDK-8340321): This update disabled the use of SHA-1 for digital signatures during the TLS handshake, causing failures even when the certificate itself uses SHA-256.

• Endpoint Identification (JDK-8341496): Java 8u481 enabled TLS Endpoint Identification by default. This triggers the "bad host for eEM" error if an IP address is used instead of the hostname matching the certificate.

EEM 12.6.2 and earlier use older security libraries that support different ciphers.

Resolution Options

Option 1: Upgrade EEM to the latest version (Recommended)

Option 2: Downgrade Java on the AAI server

As a workaround, you could downgrade the Java JDK 1.8 version on the AAI server to a release earlier than 1.8.0_481and reboot the AAI server. Because earlier versions of the JDK were less restrictive, this should allow the SSL handshake to occur.