The recent Java V.1.7.0_85 release has resulted in changes that affect Identity Providers ability to download the AAF Metadata and Attribute filter over HTTPS. After upgrading your Java to V1.7.0_85 you may see errors in your idp-process.log file similar to the one shown below. If this is the case your IdP is no longer loading AAF Metadata or its Attribute filters and will require a minor modification to the Java options at start up.

Error Message SSL peer failed hostname validation for name:


The solution is to modify the behaviour of the SSL verification your IdP performs when loading files. The behaviour changed as a result of the Java upgrade and needs to be changed back. This can be done in the Tomcat config file (, to set up the Java option in the Tomcat start up file, set this to:

     JAVA_OPTS="${JAVA_OPTS} -Djdk.tls.trustNameService=true”


 Once this is done, restart your IdP and the issue will then be resolved for both the Metadata and Attribute filter loading.


For a full summary of this issue can be found at: