AFX Server fails to start in a WebSphere deployment after upgrading to 7.0.x or higher of RSA Identity Governance & Lifecycle

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x, 7.2.x
Platform/Application Server: WebSphere
 
After upgrading to 7.0.1 or higher of RSA Identity Governance & Lifecycle from an earlier version, AFX fails to start and remains in a Not running state:
 

The following errors are seen in the AFX log files:
  • $AFX_HOME/esb/logs/esb.AFX-INIT.log
2017-09-20 17:06:04.117 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:156 - 
Error submitting initialization request to RSA Identity Governance and Lifecycle server!
2017-09-20 17:06:04.117 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:162 - 
Unable to establish secure (SSL) connection with RSA Identity Governance and Lifecycle server.
2017-09-20 17:06:04.118 [ERROR] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:171 - 
SSL certificates for RSA Identity Governance and Lifecycle server and AFX were not issued by the same 
RSA Identity Governance and Lifecycle Certificate Authority(CA). 
You may encounter this problem if the RSA Identity Governance and Lifecycle certificate store has been changed, but either 
the RSA Identity Governance and Lifecycle server OR AFX installation hasn't been updated with the respective keystore 
containing new certificate and CA entries. Please update both the RSA Identity Governance and Lifecycle server and AFX 
installations with latest respective keystore available for download in the RSA Identity Governance and Lifecycle application.
2017-09-20 17:06:04.119 [ERROR] com.aveksa.afx.server.init.ServerInitializationComponent:79 - 
Server initialization failed! Please correct the issue and restart AFX.
org.mule.api.transport.DispatchException: Failed to route event via endpoint: 
DefaultOutboundEndpoint{endpointUri=https://sedcasod0020.emea.isn.corpintra.net:8444/aveksa/afx/initialization, 
connector=HttpsConnector
  • $AFX_HOME/esb/logs/mule_ee.log
ERROR 2017-09-12 16:07:44,357 [WrapperListener_start_runner] org.mule.module.launcher.DefaultArchiveDeployer: 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Failed to deploy artifact '10_AFX-INIT', see below       +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
org.mule.module.launcher.DeploymentInitException: CertPathBuilderException: Could not build a validated path.
	at org.mule.module.launcher.application.DefaultMuleApplication.init(DefaultMuleApplication.java:196)
	at org.mule.module.launcher.artifact.ArtifactWrapper$2.execute(ArtifactWrapper.java:62)
	at org.mule.module.launcher.artifact.ArtifactWrapper.executeWithinArtifactClassLoader(ArtifactWrapper.java:129)
	at org.mule.module.launcher.artifact.ArtifactWrapper.init(ArtifactWrapper.java:57)
	at org.mule.module.launcher.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:25)
	at org.mule.module.launcher.DefaultArchiveDeployer.guardedDeploy(DefaultArchiveDeployer.java:310)
	at org.mule.module.launcher.DefaultArchiveDeployer.deployArtifact(DefaultArchiveDeployer.java:330)
	at org.mule.module.launcher.DefaultArchiveDeployer.deployExplodedApp(DefaultArchiveDeployer.java:297)
	at org.mule.module.launcher.DefaultArchiveDeployer.deployExplodedArtifact(DefaultArchiveDeployer.java:108)
	at org.mule.module.launcher.DeploymentDirectoryWatcher.deployExplodedApps(DeploymentDirectoryWatcher.java:289)
	at org.mule.module.launcher.DeploymentDirectoryWatcher.start(DeploymentDirectoryWatcher.java:146)
	at org.mule.module.launcher.MuleDeploymentService.start(MuleDeploymentService.java:99)
	at org.mule.module.launcher.MuleContainer.start(MuleContainer.java:152)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.mule.module.reboot.MuleContainerWrapper.start(MuleContainerWrapper.java:52)
	at org.tanukisoftware.wrapper.WrapperManager$11.run(WrapperManager.java:4048)
Caused by: org.mule.api.config.ConfigurationException: 
Error creating bean with name 'serverInitialization' defined in URL 
[file:/home/afxusr/AFX/esb/apps/10_AFX-INIT/mule-config.xml]: 
Instantiation of bean failed; nested exception is org.springframework.beans.BeanInstantiationException: 
Could not instantiate bean class [com.aveksa.afx.server.init.ServerInitializationComponent]: 
Constructor threw exception; nested exception is org.mule.api.lifecycle.InitialisationException: 
Server initialization failed! Please correct the issue and restart AFX.
 
  • $AFX_HOME/esb/logs/esb.AFX-MAIN.log
2017-09-12 16:07:45.588 [ERROR] org.mule.module.launcher.application.DefaultMuleApplication:361 - 
null java.lang.IllegalArgumentException: Could not resolve placeholder 'afx.server.activemq.password' 
in string value "${afx.server.activemq.password}"

 
Starting in RSA Identity Governance & Lifecycle 7.0.1, the required Quality of Protection (QoP) protocol is TLSv1.2. By default, WebSphere sets this value to SSL_TLS.
 
Steps to resolve this error are in the RSA Identity Governance and Lifecycle Installation Guide (versions 7.0.1 through 7.2.0) under the section entitled Create a Keystore in the WebSphere Server. Here are the steps:
 
  1. In the WebSphere console, navigate to Security > SSL certificate and key management > SSL configurations.
  2. Select the associated Aveksa SSL configuration.
  3. Under Additional Properties, select Quality of Protection (QoP) settings.
  4. Under Client authentication, select Required.
  5. Under Protocol, select TLSv1.2.
  6. Click OK to save the changes.
  7. Restart WebSphere.
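To check the result of these steps from the saved configuration rather than the console, the following added example (not part of the RSA article or the product) audits a copy of WebSphere's security.xml for SSL configurations whose QoP settings do not match the values above. It assumes SSL configurations are stored as repertoire/setting elements with sslProtocol and clientAuthentication attributes; the aliases and the XML fragment are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a WebSphere security.xml. Aliases, ids and the
# namespace URI are hypothetical; attribute names are an assumed file layout.
SAMPLE_SECURITY_XML = """<security:Security xmlns:security="http://example.invalid/security" xmlns:xmi="http://www.omg.org/XMI">
  <repertoire xmi:id="SSLConfig_1" alias="NodeDefaultSSLSettings">
    <setting xmi:id="SecureSocketLayer_1" clientAuthentication="false" sslProtocol="SSL_TLS"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_2" alias="AveksaSSLSettings">
    <setting xmi:id="SecureSocketLayer_2" clientAuthentication="true" sslProtocol="TLSv1.2"/>
  </repertoire>
  <repertoire xmi:id="SSLConfig_3" alias="AveksaSSLSettingsOld">
    <setting xmi:id="SecureSocketLayer_3" clientAuthentication="true" sslProtocol="SSL_TLS"/>
  </repertoire>
</security:Security>"""

REQUIRED_PROTOCOL = "TLSv1.2"  # QoP protocol required from 7.0.1 onward


def audit_ssl_configs(xml_text, alias_filter=None):
    """Return {alias: [problems]}; an empty list means the QoP settings match."""
    findings = {}
    for rep in ET.fromstring(xml_text).iter("repertoire"):
        alias = rep.get("alias", "")
        if alias_filter and alias_filter.lower() not in alias.lower():
            continue
        setting = rep.find("setting")
        problems = []
        if setting is None:
            problems.append("no <setting> element")
        else:
            proto = setting.get("sslProtocol")
            if proto != REQUIRED_PROTOCOL:
                problems.append(
                    f"protocol is {proto or 'unset'}, expected {REQUIRED_PROTOCOL}")
            if setting.get("clientAuthentication", "false").lower() != "true":
                problems.append("client authentication is not Required")
        findings[alias] = problems
    return findings


if __name__ == "__main__":
    for alias, problems in audit_ssl_configs(SAMPLE_SECURITY_XML).items():
        print(alias, "OK" if not problems else "; ".join(problems))
```

A configuration still reported with SSL_TLS after the change usually means the edit was not saved or WebSphere has not yet been restarted.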
000035592
Diane McCoy
9/28/2017 7:43 PM