Known Workarounds: (choose one)
Java Version (only known workaround for AFX)
Revert back to a Java version earlier than Java JDK version 1.8u241 (1.8.0.241).
For RSA Identity Governance & Lifecycle 7.0.x versions which use Java 7, revert back to a Java version earlier than Java JDK version 1.7u251 (1.7.0.251). Since RSA Identity Governance & Lifecycle 7.0.x is End of Product Support (EOPS), it is recommended that the RSA Identity Governance & Lifecycle version be upgraded as soon as possible.
Externally Signed Certificates
Generate externally signed certificates.
-Djdk.security.allowNonCaAnchor (Remote Agent only)
Add the -Djdk.security.allowNonCaAnchor system property to the Remote Agent configuration(s) and the Application Server configuration (if the Application Server JRE/JDK is updated) to restore the previous behavior.
Remote Collection Agent:
To add the -Djdk.security.allowNonCaAnchor system property to Remote Collection Agents, perform the steps below:
For the Linux Agent:
- Backup AveksaAgent/bin/agent.sh
cd AveksaAgent/bin
cp agent.sh agent.sh.backup_<date>
- Edit agent.sh, update the JAVA_OPTS environment variable and add -Djdk.security.allowNonCaAnchor=true as follows:
export JAVA_OPTS="-Xms128m -Xmx256m -Djdk.security.allowNonCaAnchor=true"
For Windows Agent:
- Backup AveksaAgent\bin\agent.bat
- Edit agent.bat and add the last line indicated in bold:
set JAVA=java
if not "%JAVA_HOME%"=="" set JAVA=%JAVA_HOME%\bin\java
set CLASSPATH=%AGENT_HOME%\bin\bootstrap.jar;%AGENT_HOME%\common\lib\log4j-1.2.14.jar;%AGENT_HOME%\conf
set JAVA_OPTS=%JAVA_OPTS% -Djdk.security.allowNonCaAnchor=true
Application Server:
If the Application Server JRE/JDK is updated, the JVM parameter, -Djdk.security.allowNonCaAnchor=true system property, needs to be added as well.