000038503 - AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0_241) / 1.7u251 (1.7.0_251) or later in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Feb 25, 2020Last modified by RSA Customer Support Employee on Aug 24, 2020
Version 14Show Document
  • View in full screen mode

Article Content

Article Number000038503
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0
IssueAccess Fulfillment Express (AFX) Server and Remote Collection Agents fail to startup after updating Java JDK to version 1.8u242 ( / 1.7u251 (1.7.0_251) or later. An error similar to the following can be seen in the startup log files for both AFX ($AVEKSA_HOME/AFX/esb/logs/esb.AFX-INIT.log) and Remote Collection Agents (home/{remoteagentuser}/AveksaAgent/logs/aveksaAgent.log.)
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path validation failed: sun.security.validator.ValidatorException:
TrustAnchor with subject "CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US" is not a CA certificate

CauseThis error message occurs if the CA certificate in the truststore does not have the BasicConstraints attribute set. The default CA in $AVEKSA_HOME/keystore/server.keystore does not have this set.

New checks have been added to Java 1.8.0_241 and 1.7.0_251 and later to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

AFX Servers and Remote Collection Agents use a self-signed certificate when communicating with the RSA Identity Governance & Lifecycle server over a Secure Sockets Layer (SSL) connection. This self-signed certificate has yet to adapt the above change introduced in Java 1.8.0_241 and 1.7.0_251 and later.
ResolutionThis issue is resolved in the following RSA Identity Governance & Lifecycle patch levels  for Remote Collection agents only.
  • RSA Identity Governance & Lifecycle 7.1.1 P08
  • RSA Identity Governance & Lifecycle 7.2.0 P02
For AFX agents, see RSA Knowledge Base Article 000039222 -- AFX Connectors remain in a Deployed state and 'java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: MD5' error in RSA Identity Governance & Lifecycle for resolution.

The patch ensures that certificates are generated in the proper format. To resolve the issue:
  1. Install the patch.
  2. Re-generate the certificates as per RSA Knowledge Base Article 000038314 - How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.

Note: In 7.2.0 P02, the following error message will be logged on startup if the server certificate does not have BasicConstraints set

Server certificate is not compliant to RFC-5280 standard


Known Workarounds: (choose one)

Java Version (only known workaround for AFX)

Revert back to a Java version earlier than Java JDK version 1.8u241 ( 

For RSA Identity Governance & Lifecycle 7.0.x versions which use Java 7, revert back to a Java version earlier than Java JDK version 1.7u251 ( Since RSA Identity Governance & Lifecycle 7.0.x is End of Product Support (EOPS), it is recommended that the RSA Identity Governance & Lifecycle version be upgraded as soon as possible.

Externally Signed Certificates

Generate externally signed certificates.

-Djdk.security.allowNonCaAnchor (Remote Agent only)

Add the -Djdk.security.allowNonCaAnchor system property to the Remote Agent configuration(s) and the Application Server configuration (if the Application Server JRE/JDK is updated) to restore the previous behavior.

Remote Collection Agent:

To add the -Djdk.security.allowNonCaAnchor system property to Remote Collection Agents, perform the steps below:

For the Linux Agent:

  1. Backup AveksaAgent/bin/agent.sh

cd AveksaAgent/bin
cp agent.sh agent.sh.backup_<date>

  1. Edit agent.sh, update the JAVA_OPTS environment variable and add -Djdk.security.allowNonCaAnchor=true as follows:

export JAVA_OPTS="-Xms128m -Xmx256m -Djdk.security.allowNonCaAnchor=true"

For Windows Agent:

  1. Backup AveksaAgent\bin\agent.bat
  2. Edit agent.bat and add the last line indicated in bold:

set JAVA=java
if not "%JAVA_HOME%"=="" set JAVA=%JAVA_HOME%\bin\java

set CLASSPATH=%AGENT_HOME%\bin\bootstrap.jar;%AGENT_HOME%\common\lib\log4j-1.2.14.jar;%AGENT_HOME%\conf
set JAVA_OPTS=%JAVA_OPTS% -Djdk.security.allowNonCaAnchor=true

Application Server:

If the Application Server JRE/JDK is updated, the JVM parameter, -Djdk.security.allowNonCaAnchor=true system property, needs to be added as well.

NotesFor more information on the changes in JDK 8u241, see the JDK 8u421 Update Release Notes.