Title	AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0_241) / 1.7u251 (1.7.0_251) or later in RSA Identity Governance & Lifecycle

URL Name	AFX-Server-and-Remote-Collection-Agents-fail-to-start-after-updating-Java-to-version-1-8u241-1-8-0-241-1-7u251-1-7-0-251-or-later-in-RSA-Identity-Governance-Lifecycle

Summary	AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0_241) / 1.7u251 (1.7.0_251) or later in RSA Identity Governance & Lifecycle

Validation Status	Work in Progress

Age	1,532.75

Translate To

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0

Issue

Access Fulfillment Express (AFX) Server and Remote Collection Agents fail to startup after updating Java JDK to version 1.8u242 (1.8.0.241) / 1.7u251 (1.7.0_251) or later. An error similar to the following can be seen in the startup log files for both AFX ($AVEKSA_HOME/AFX/esb/logs/esb.AFX-INIT.log) and Remote Collection Agents (home/{remoteagentuser}/AveksaAgent/logs/aveksaAgent.log.)

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path validation failed: sun.security.validator.ValidatorException:
TrustAnchor with subject "CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US" is not a CA certificate

Cause

This error message occurs if the CA certificate in the truststore does not have the BasicConstraints attribute set. The default CA in $AVEKSA_HOME/keystore/server.keystore does not have this set.

New checks have been added to Java 1.8.0_241 and 1.7.0_251 and later to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

AFX Servers and Remote Collection Agents use a self-signed certificate when communicating with the RSA Identity Governance & Lifecycle server over a Secure Sockets Layer (SSL) connection. This self-signed certificate has yet to adapt the above change introduced in Java 1.8.0_241 and 1.7.0_251 and later.

Resolution

This issue is resolved in the following RSA Identity Governance & Lifecycle patch levels for Remote Collection agents only.

RSA Identity Governance & Lifecycle 7.1.1 P08
RSA Identity Governance & Lifecycle 7.2.0 P02

For AFX agents, see RSA Knowledge Base Article 000039222 -- AFX Connectors remain in a Deployed state and 'java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5' error in RSA Identity Governance & Lifecycle for resolution.

The patch ensures that certificates are generated in the proper format. To resolve the issue:

Install the patch.
Re-generate the certificates as per RSA Knowledge Base Article 000038314 - How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.

Note: In 7.2.0 P02, the following error message will be logged on startup if the server certificate does not have BasicConstraints set

Server certificate is not compliant to RFC-5280 standard

Workaround

Known Workarounds: (choose one)

Java Version (only known workaround for AFX)

Revert back to a Java version earlier than Java JDK version 1.8u241 (1.8.0.241).

For RSA Identity Governance & Lifecycle 7.0.x versions which use Java 7, revert back to a Java version earlier than Java JDK version 1.7u251 (1.7.0.251). Since RSA Identity Governance & Lifecycle 7.0.x is End of Product Support (EOPS), it is recommended that the RSA Identity Governance & Lifecycle version be upgraded as soon as possible.

Externally Signed Certificates

Generate externally signed certificates.

-Djdk.security.allowNonCaAnchor (Remote Agent only)

Add the -Djdk.security.allowNonCaAnchor system property to the Remote Agent configuration(s) and the Application Server configuration (if the Application Server JRE/JDK is updated) to restore the previous behavior.

Remote Collection Agent:

To add the -Djdk.security.allowNonCaAnchor system property to Remote Collection Agents, perform the steps below:

For the Linux Agent:

Backup AveksaAgent/bin/agent.sh

cd AveksaAgent/bin
cp agent.sh agent.sh.backup_<date>

Edit agent.sh, update the JAVA_OPTS environment variable and add -Djdk.security.allowNonCaAnchor=true as follows:

export JAVA_OPTS="-Xms128m -Xmx256m -Djdk.security.allowNonCaAnchor=true"

For Windows Agent:

Backup AveksaAgent\bin\agent.bat
Edit agent.bat and add the last line indicated in bold:

set JAVA=java
if not "%JAVA_HOME%"=="" set JAVA=%JAVA_HOME%\bin\java

set CLASSPATH=%AGENT_HOME%\bin\bootstrap.jar;%AGENT_HOME%\common\lib\log4j-1.2.14.jar;%AGENT_HOME%\conf
set JAVA_OPTS=%JAVA_OPTS% -Djdk.security.allowNonCaAnchor=true

Application Server:

If the Application Server JRE/JDK is updated, the JVM parameter, -Djdk.security.allowNonCaAnchor=true system property, needs to be added as well.

Notes

For more information on the changes in JDK 8u241, see the JDK 8u421 Update Release Notes.

Legacy Article ID 000038503

Audience	External

Article Source	Case

Original Article Author	Ian Staines

Original Created Date	2/24/2020 11:48 PM

Owner	Ian Staines

Assigned To

Assigned By

Assignment Note

Assignment Due Date

Publication Status	Published

Article Type	Knowledge

Article Number	000042703

Created By	Ian Staines

Last Modified By	Venkata SamanthKumarAtchuta

Language	English

AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0_241) / 1.7u251 (1.7.0_251) or later in RSA Identity Governance & Lifecycle