After upgrading to Foglight Management Server (FMS) or Foglight Agent Manager (FglAM) version 6.1.0 or later, agent connections to monitored hosts may begin to fail due to SSL/TLS negotiation errors.
For example, SQL Server agents may report errors similar to:
com.microsoft.sqlserver.jdbc.SQLServerException: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption.
Error: "The server selected protocol version TLS10 is not accepted by client preferences [TLS12]".
ClientConnectionId: 65bdbe0a-ad9e-4dcb-b67b-07403a1ec21f
These failures may trigger repeated alarms such as:
Usability Connection Availability
Usability OS Connection Availability
Starting with newer versions of OpenJDK used by Foglight, support for TLS 1.0 and 1.1 is disabled by default for enhanced security. This change is enforced through the java.security file.
If the monitored system only supports TLS 1.0 or TLS 1.1, the connection fails because the Foglight JVM refuses to negotiate with older, insecure protocols.
Update the monitored host to support TLS 1.2 or higher.
This ensures secure and compliant communication with Foglight components. TLS 1.0 and 1.1 are deprecated and should be avoided in production environments.
If updating the monitored host is not immediately feasible, TLS 1.0 or 1.1 support can be temporarily re-enabled in the JVM used by the Foglight Agent Manager or FMS.
⚠️ Warning: This workaround weakens the security posture and is not advised for production use.
Locate the java.security file:
For external FglAM:
JRE 8: {FglAM}\jre\{version}\jre\lib\security\
JRE 17: {FglAM}\jre\{version}\jre\conf\security\
For embedded FglAM (on FMS host):
JRE 8: {FMS}\jre\lib\security\
JRE 17: {FMS}\jre\conf\security\
Open the java.security file in a text editor.
Find the following line:
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, ...
Remove TLSv1 and/or TLSv1.1 from the list to allow those protocols.
Save the file.
Restart the Foglight Agent Manager (and FMS, if applicable).
If this issue affects SQL Performance Investigator (PI), apply the change on both FglAM and FMS components.
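Because the workaround is meant to be temporary, it helps to be able to check which installations still have it applied. The following is an added example, not Quest or Foglight code: it parses the text of a java.security file and reports whether TLSv1 and TLSv1.1 are still listed in jdk.tls.disabledAlgorithms. The function names and the sample file contents are constructed for illustration, and the key=value form shown above is assumed.

```python
import sys

LEGACY = ("TLSv1", "TLSv1.1")  # protocols the workaround above re-enables

def read_property(text, key):
    """Return the effective value of `key` from java.security-style text.

    Skips '#'/'!' comment lines, joins backslash line continuations, and
    lets a later definition of the same key override an earlier one.
    Assumes the key=value form shown in the article.
    """
    value = None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # A trailing backslash means the value continues on the next line.
        while line.endswith("\\"):
            line = line[:-1] + next(lines, "").strip()
        name, sep, rest = line.partition("=")
        if sep and name.strip() == key:
            value = rest.strip()
    return value

def legacy_tls_status(text):
    """Map each legacy protocol to True if it is still disabled."""
    # Compare whole comma-separated entries: a substring search for
    # "TLSv1" would also match "TLSv1.1" and hide a removed TLSv1 entry.
    value = read_property(text, "jdk.tls.disabledAlgorithms")
    entries = {e.strip() for e in (value or "").split(",") if e.strip()}
    return {proto: proto in entries for proto in LEGACY}

# Constructed samples (not copied from a real installation).
DEFAULT = """\
# constructed sample: legacy protocols still disabled
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, \\
    MD5withRSA, DH keySize < 1024
"""
WORKAROUND = """\
# constructed sample: TLSv1 removed from the list
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, \\
    MD5withRSA, DH keySize < 1024
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WORKAROUND
    for proto, disabled in legacy_tls_status(text).items():
        print(f"{proto}: {'disabled' if disabled else 'ENABLED (workaround applied)'}")
```

Pass the path to a java.security file as the first argument to check a real installation; with no argument the script reports on the constructed WORKAROUND sample.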
Additional Information
Disabling TLS restrictions can resolve connectivity issues with legacy systems but significantly lowers communication security.
See OpenJDK documentation for additional details on TLS support deprecation.