I think the difference is that api2.anaplan.com doesn't support TLSv1.1 whereas api.anaplan.com does. This may change in the future as TLSv1.1 support may be removed; api2 is set up for customers to test future configuration changes. This should not prevent your client from working with api.anaplan.com, one would usually expect the reverse. One possibility is a firewall detecting this protocol version and closing the connection. I recall IBM's Java runtime having some issues with TLSv1.2 but both these servers support that version. Perhaps the client doesn't deal well with the choice at the negotiation stage. What client are you using? And what is the error?

Hi,

Our client is using Java 1.6 and we can’t upgrade to 1.7.
However we updated to 1.6.191 Which supports TLSv1.x

The weird thing is that api2 works fine again but api raises a handshake exception

Hello,

 

It's possible to have multiple instances of Java installed, for use by other applications. You can install Java 8 (the most current, tested version to work with Anaplan Connect), and update the AnaplanClient file to point to the installation location so you're using the latest version of TLS to communicate with Anaplan.

 

If this isn't an acceptable solution to the client, you can use the OpenSSL tool to query our API server for the allowed cipher suites to ensure that you're using one that we accept. If there's a handshake error, this could be the cause. That said, I would strongly advise against using Java 6 wherever possible. There are a large number of security vulnerabilities in that version, and exposing it to the internet is very risky.

 

Thanks

JDK 6 will reach the end of extended support in December 2018. I'd suggest skipping Java 7 and moving straight to 8. JDK6u141 onwards adds TLS v1.1 and v1.2 to the client list of default-enabled protocols, so it should just work out of the box. If your tool (which I don't know anything about unless it's Anaplan Connect) is insisting on a specific TLS version when setting up a connection, that could be a problem. Another thing to look at is changes to the lib/security/java.security file from the defaults. If it is a TLS handshake problem, then specifying -Djavax.net.debug=ssl:handshake may provide more information. All of this assumes that your tool is using the JRE's built-in JSSE provider to implement TLS - I'd need more information to confirm this.