EEM TLS Error "Exception[-800]: error starting TLS" in ipoz.log
search cancel

EEM TLS Error "Exception[-800]: error starting TLS" in ipoz.log

book

Article ID: 408454

calendar_today

Updated On:

Products

CA Service Desk Manager ServiceDesk Process Automation Manager CA Service Catalog CA IT Asset Manager CA IT Asset Manager Asset Portfolio Management

Issue/Introduction

Embedded Entitlement Manager (EEM) integrated applications, such as Service Desk Manager (SDM) and Process Automation (PAM), fail to authenticate or launch processes. The primary indicator of this issue is a recurrent TLS handshake failure recorded in the EEM server logs. Users often encounter EEM_NOTALLOWED errors during login attempts even when EEM services appear to be running normally.

Symptoms

  • Service Desk Manager (SDM) fails to launch Process Automation (PAM) processes.
  • End users receive EEM_NOTALLOWED error when logging into the PAM web UI.
  • The EiamAdmin user may still be able to log into the EEM UI directly.
  • EEM, SDM, and PAM services show a "Started" status in the Windows Services console.
  • The ipoz.log file (located in the EEM logs folder) contains the following error:
ERROR 2025-08-21 07:12:13,299 [0x000010f4] [eiam.server.ipoz.sponsorinterfacev1] Exception[-800]: error starting TLS

Environment

  • Products: CA Service Management (SDM), CA Process Automation (PAM), Embedded Entitlement Manager (EEM).
  • Releases: 12.6, 17.x.
  • OS: Windows Server 2019, 2022.
  • Components: iTechnology, DXserver.

Cause

The rootcert.cer file in the iTechnology directory is expired, missing, or invalid. This prevents the EEM server from establishing secure TLS connections with integrated components and its underlying LDAP datastore.

Resolution

  1. Navigate to the iTechnology folder. The default path is: C:\Program Files\CA\SC\iTechnology
  2. Locate the file named rootcert.cer.
  3. Double-click the file to view the certificate details. Check the Valid from and Valid to dates.  You will see a value like this:
  4. If the certificate is expired:
    • Rename the existing rootcert.cer to rootcert.cer.old.
    • Generate a new rootcert.cer file by following the steps in the official documentation: Generate the Certificates.
    • Alternatively, obtain a valid rootcert.cer from the security team and place it in the iTechnology folder.
  5. Restart the CA EEM and iGateway services.
  6. Note for Integrated Applications: Applications like PAM may require a manual re-import of the new EEM certificate to restore connectivity. For detailed steps, refer to EEM certificate renewed and users can't login to Process Automation

If the certificate is valid and the error persists, contact Broadcom Support for further analysis of the TLS protocol version settings in C:\Program Files\CA\SC\iTechnology\igateway.conf

Additional Information

 

 

Powered by Wolken Software