Description
As part of SailPoint’s ongoing commitment to strong security practices, the Java runtime used by the SailPoint Virtual Appliance (VA) has been upgraded to Java 17.0.18. This upgrade aligns the platform with modern cryptographic standards defined by the Java ecosystem and broader industry security guidelines.
However, this change may impact connectivity with systems that still rely on TLS algorithms the upgraded JVM no longer supports. To ensure uninterrupted operation, we are providing temporary compatibility support, but customers will need to update their target systems within the next 30 days.
Why This Change Matters
Modern security standards are continuously evolving to protect against emerging threats and cryptographic weaknesses. One such example is the deprecation of SHA-1 based TLS handshake signature algorithms. SHA-1 has been considered cryptographically weak for several years, and industry standards bodies and software vendors are actively removing support for it.
Beginning with Java 17.0.18, the Java runtime disables SHA-1 handshake signature algorithms by default for TLS 1.2 and DTLS 1.2 connections. This includes algorithms such as:
- rsa_pkcs1_sha1
- ecdsa_sha1
- dsa_sha1
Disabling these algorithms strengthens the security posture of the platform and ensures SailPoint customers remain aligned with modern cryptographic standards.
What This Means for Customers
After the VA's Java runtime is upgraded to Java 17.0.18, some customers may experience TLS/SSL handshake failures when the SailPoint Virtual Appliance connects to systems that still rely on SHA-1 handshake signatures. These failures may include:
- Failed Test Connection operations
- Aggregation failures
- Provisioning failures
- TLS errors during connector communication
A typical error message may include one of the following:
- Received fatal alert: handshake_failure
- SSLHandshakeException
- The driver could not establish a secure connection
In most cases, the issue originates from the target system or intermediary components such as load balancers, reverse proxies, or SSL inspection devices that still negotiate SHA-1 handshake signatures.
Compatibility Support
To help customers maintain business continuity while making the necessary updates, SailPoint has added updates to the recent virtual appliance releases. These releases introduce 30 days of compatibility support that allows legacy SHA-1 handshake signatures when required.
This temporary mitigation:
- Restores connectivity for impacted integrations
- Re-enables deprecated cryptography and should only be used as a short-term bridge
To maintain a strong security posture, this compatibility support will be removed after 30 days; it remains valid until 10th April 2026.
What Customers Need to Do in the Next 30 Days
Before April 10th, customers must update the TLS configuration of affected systems to support secure cryptographic signature algorithms.
Customers can remediate this by:
- Updating the TLS configuration on the target application or database server
- Ensuring the endpoint supports TLS 1.2 with SHA-256+ handshake signatures
- Applying vendor patches or platform upgrades if the system is outdated
- Reviewing TLS configuration on infrastructure components such as:
  - Load balancers
  - Reverse proxies
  - SSL inspection appliances
These changes ensure compatibility with modern Java security configurations while improving the security posture of connected systems.
Timeline Details
- Temporary compatibility support is added to the VA systems for the next 30 days, until April 10th
- Within 30 days, customers must upgrade affected systems to modern TLS handshake signature algorithms
- After 30 days (i.e., on April 10th), the temporary compatibility support will be removed
After the 30-day window, environments that have not updated their TLS configuration may experience connection failures again. For additional information, review the official Java release documentation:
Frequently Asked Questions
Is TLS 1.2 being deprecated?
No. TLS 1.2 remains fully supported. The change only affects SHA-1-based handshake signatures within TLS 1.2/DTLS 1.2 connections, as well as legacy cipher suites that do not provide forward secrecy. To ensure compatibility, update your systems to use modern cipher suites.
Examples of Supported (Secure) Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Examples of Deprecated (Weak) Cipher Suites that will FAIL:
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
For more information, please refer to: Oracle Java SE Development Kit – Java 17.0.18 Release Notes
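As an added example (not SailPoint's code and not part of this announcement), the following POSIX shell script lets a customer verify a target system before the compatibility window closes. It covers both the handshake failures described under "What This Means for Customers" and the cipher suite lists in this answer: OpenSSL's s_client is pinned to TLS 1.2 and told, via -sigalgs, to advertise only SHA-256 and stronger signature schemes, so a server or middlebox that can only sign the handshake with SHA-1 fails just as it does against Java 17.0.18. A small classifier then reads the s_client output and reports whether the handshake failed, whether the server signed with SHA-1, or whether a static-RSA (TLS_RSA_*) suite from the deprecated list above was negotiated instead of an ECDHE/DHE suite. Host names and ports are placeholders, the s_client excerpts embedded at the end are constructed (not captured from any real system) so the classifier can be exercised offline, and OpenSSL 1.1.1 or newer is assumed for live probes.

```shell
#!/bin/sh
# Added example (not SailPoint's tooling): probe a target system the way the
# upgraded VA will negotiate with it (TLS 1.2, no SHA-1 handshake signatures)
# and classify the result. Needs OpenSSL 1.1.1 or newer on PATH for live probes.

# Signature schemes the client advertises: SHA-256 and stronger only, so the
# rsa_pkcs1_sha1 / ecdsa_sha1 / dsa_sha1 schemes that Java 17.0.18 disables
# are never offered. OpenSSL's -sigalgs syntax is ALG+DIGEST, colon-separated.
SIGALGS='RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512'

# probe_tls12 HOST [PORT]: run the handshake and emit raw s_client output
# (stderr merged so alert messages are captured as well).
probe_tls12() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" \
        -tls1_2 -sigalgs "$SIGALGS" </dev/null 2>&1
}

# classify_sclient_output: read s_client output on stdin, print one verdict:
#   HANDSHAKE_FAILED    server sent an alert or no session was established
#                       (the s_client analogue of the VA's handshake_failure)
#   WEAK_SIGNATURE      server signed the handshake with SHA-1
#   NO_FORWARD_SECRECY  a TLS_RSA (static RSA key exchange) suite was negotiated
#   OK                  SHA-256+ signature and an ECDHE/DHE (or TLS 1.3) suite
classify_sclient_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qiE 'alert handshake failure|handshake_failure|Cipher is \(NONE\)'; then
        echo HANDSHAKE_FAILED
        return 0
    fi
    digest=$(printf '%s\n' "$out" | sed -n 's/^Peer signing digest: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$digest" in
        [Ss][Hh][Aa]1) echo WEAK_SIGNATURE; return 0 ;;
    esac
    case "$cipher" in
        '')                       echo HANDSHAKE_FAILED ;;
        ECDHE-*|DHE-*)            echo OK ;;                 # TLS 1.2 forward-secret suites
        TLS_AES_*|TLS_CHACHA20_*) echo OK ;;                 # TLS 1.3 suites are always forward-secret
        *)                        echo NO_FORWARD_SECRECY ;; # e.g. AES256-GCM-SHA384 = TLS_RSA_WITH_AES_256_GCM_SHA384
    esac
}

# check_endpoint HOST [PORT]: live probe; exit status 0 only when the verdict is OK.
check_endpoint() {
    verdict=$(probe_tls12 "$@" | classify_sclient_output)
    echo "$verdict"
    [ "$verdict" = OK ]
}

# Constructed s_client excerpts (not captured from any real system) so the
# classifier can be exercised offline.
SAMPLE_OK='Peer signing digest: SHA256
Peer signature type: RSA-PSS
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_SHA1='Peer signing digest: SHA1
Peer signature type: RSA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_RSA='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384'
SAMPLE_FAIL='SSL routines:ssl3_read_bytes:tlsv1 alert handshake failure
New, (NONE), Cipher is (NONE)'

# Offline run over the constructed samples: prints OK, WEAK_SIGNATURE,
# NO_FORWARD_SECRECY, HANDSHAKE_FAILED in that order.
for s in "$SAMPLE_OK" "$SAMPLE_SHA1" "$SAMPLE_RSA" "$SAMPLE_FAIL"; do
    printf '%s\n' "$s" | classify_sclient_output
done
# Live use (HOST and PORT are placeholders): check_endpoint db.example.internal 1433
```

Two points about the classifier's design: s_client prints the "Peer signing digest:" line only when the server actually signed a ServerKeyExchange message, which a static-RSA suite never involves, so a missing digest line combined with a cipher name lacking the ECDHE-/DHE- prefix is reported as the no-forward-secrecy case rather than as a passing result. And because the probe removes SHA-1 from the client's offer rather than relying on OpenSSL's security level to reject a SHA-1 signature after the fact, a verdict of HANDSHAKE_FAILED against a host that works from an older client is a strong indicator that the host (or a load balancer or SSL inspection device in front of it) needs the TLS configuration updates listed under "What Customers Need to Do".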
Why can’t SailPoint keep the compatibility support permanently?
The compatibility support re-enables legacy cryptographic algorithms that are no longer considered secure. Maintaining this long-term would weaken platform security and conflict with modern industry standards.
What if we cannot update our system immediately?
If your target system relies on non-secure cryptographic algorithms (like SHA-1) and is not updated, every operation for that specific connector—including Test Connections, Aggregations, and Provisioning—will completely fail due to rejected network connections.
If you face issues in connecting ISC with the respective managed system after making the suggested updates, please contact the SailPoint support team.