000038503 - AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0.241) or later in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Feb 25, 2020. Last modified by RSA Customer Support Employee on Jul 6, 2020.

Article Number: 000038503

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
 
Issue

Access Fulfillment Express (AFX) Server and Remote Collection Agents fail to start after updating the Java JDK to version 1.8u241 (1.8.0.241) or later. An error similar to the following can be seen in the startup log files for both AFX ($AVEKSA_HOME/AFX/esb/logs/esb.AFX-INIT.log) and Remote Collection Agents (home/{remoteagentuser}/AveksaAgent/logs/aveksaAgent.log).
 
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path validation failed: sun.security.validator.ValidatorException:
TrustAnchor with subject "CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US" is not a CA certificate
Cause

This error occurs when the CA certificate in the truststore does not carry a BasicConstraints extension. The default CA certificate in $AVEKSA_HOME/keystore/server.keystore does not have this extension set.

New checks have been added to Java 1.8.0_241 and later to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.

AFX Servers and Remote Collection Agents use a self-signed certificate when communicating with the RSA Identity Governance & Lifecycle server over a Secure Sockets Layer (SSL) connection. This self-signed certificate has not yet been adapted to the stricter trust-anchor checks introduced in Java 1.8.0_241 and later.
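To see exactly what the new Java checks reject, the following script is an added example (not RSA's code and not part of this article) that applies the two rules stated above to a certificate: BasicConstraints must be present with cA set to TRUE, and if a KeyUsage extension is present its keyCertSign bit must be set. It uses only the Python standard library with a minimal DER walker, and the certificates it builds for its own self-test are constructed, unsigned samples, not the aveksa_ca certificate. The function and constant names are this example's own.

```python
"""Check an X.509 certificate (DER or PEM) against the trust-anchor rules Java 8u241+
enforces: BasicConstraints with cA=TRUE, and keyCertSign set if KeyUsage is present."""
import base64

OID_BASIC_CONSTRAINTS, OID_KEY_USAGE = "2.5.29.19", "2.5.29.15"

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV at pos (single-byte tags only)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split a constructed element's content into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read_tlv(content, pos)
        out.append((tag, val))
    return out

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def _extensions(cert_der):
    """Return {oid: extnValue content} from the tbsCertificate [3] Extensions field."""
    _, cert_body, _ = _read_tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert_body, 0)                # tbsCertificate ::= SEQUENCE
    exts = {}
    for tag, val in _children(tbs):
        if tag == 0xA3:                                # [3] EXPLICIT Extensions
            _, ext_seq, _ = _read_tlv(val, 0)          # SEQUENCE OF Extension
            for _, ext in _children(ext_seq):
                fields = _children(ext)                # extnID, [critical], extnValue
                exts[_decode_oid(fields[0][1])] = fields[-1][1]
    return exts

def check_trust_anchor(cert_der):
    """Return (ok, reason) for the certificate under the Java 8u241+ trust-anchor rules."""
    exts = _extensions(cert_der)
    if OID_BASIC_CONSTRAINTS not in exts:              # a CA without BasicConstraints fails here
        return False, "no BasicConstraints extension"
    _, bc_seq, _ = _read_tlv(exts[OID_BASIC_CONSTRAINTS], 0)   # BasicConstraints ::= SEQUENCE
    if not any(tag == 0x01 and val != b"\x00" for tag, val in _children(bc_seq)):
        return False, "BasicConstraints cA is not TRUE"  # DER omits cA when it is FALSE
    if OID_KEY_USAGE in exts:
        _, bits, _ = _read_tlv(exts[OID_KEY_USAGE], 0)   # BIT STRING: unused-bit count, then data
        if len(bits) < 2 or not bits[1] & 0x04:        # keyCertSign is bit 5 -> mask 0x04
            return False, "KeyUsage present but keyCertSign not set"
    return True, "certificate satisfies the CA trust-anchor rules"

def load_cert(path):
    """Read a certificate file: PEM (e.g. keytool -exportcert -rfc output) or raw DER."""
    data = open(path, "rb").read()
    if not data.lstrip().startswith(b"-----BEGIN"):
        return data
    return base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))

def _der(tag, body):
    """Encode one DER TLV (the constructed samples only need lengths below 65536)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body

def _extension(oid_bytes, value_der, critical=False):
    body = _der(0x06, oid_bytes) + (_der(0x01, b"\xff") if critical else b"")
    return _der(0x30, body + _der(0x04, value_der))

# Constructed extensions: 55 1d 13 = basicConstraints, 55 1d 0f = keyUsage
BASIC_CONSTRAINTS_CA = _extension(b"\x55\x1d\x13", _der(0x30, _der(0x01, b"\xff")), critical=True)
BASIC_CONSTRAINTS_NOT_CA = _extension(b"\x55\x1d\x13", _der(0x30, b""), critical=True)
KEY_USAGE_CERT_SIGN = _extension(b"\x55\x1d\x0f", _der(0x03, b"\x01\x06"))    # keyCertSign|cRLSign
KEY_USAGE_NO_CERT_SIGN = _extension(b"\x55\x1d\x0f", _der(0x03, b"\x05\xa0"))  # digitalSignature|keyEncipherment

def _sample_cert(extensions):
    """Build a structurally valid, unsigned v3 Certificate carrying the given extensions (constructed sample)."""
    algid = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA, NULL
    name = _der(0x30, b"")                                   # empty Name is enough structurally
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    spki = _der(0x30, algid + _der(0x03, b"\x00"))           # placeholder public key
    tbs = [_der(0xA0, _der(0x02, b"\x02")), _der(0x02, b"\x01"), algid, name, validity, name, spki]
    if extensions:
        tbs.append(_der(0xA3, _der(0x30, b"".join(extensions))))
    return _der(0x30, _der(0x30, b"".join(tbs)) + algid + _der(0x03, b"\x00"))  # empty signature

def sample_results():
    """The check applied to the cases the article describes, plus the KeyUsage corner case."""
    return {
        "no_basic_constraints": check_trust_anchor(_sample_cert([]))[0],
        "ca_true_no_keyusage": check_trust_anchor(_sample_cert([BASIC_CONSTRAINTS_CA]))[0],
        "ca_true_keycertsign": check_trust_anchor(_sample_cert([BASIC_CONSTRAINTS_CA, KEY_USAGE_CERT_SIGN]))[0],
        "ca_true_no_keycertsign": check_trust_anchor(_sample_cert([BASIC_CONSTRAINTS_CA, KEY_USAGE_NO_CERT_SIGN]))[0],
        "ca_false": check_trust_anchor(_sample_cert([BASIC_CONSTRAINTS_NOT_CA]))[0],
    }
```

To run it against the real CA, export the certificate from the keystore in PEM form with keytool (for example keytool -exportcert -rfc -alias <ca-alias> -keystore $AVEKSA_HOME/keystore/server.keystore -file ca.pem, where the alias is a placeholder to replace with the actual entry name) and call check_trust_anchor(load_cert("ca.pem")). A result of (False, "no BasicConstraints extension") corresponds to the "is not a CA certificate" handshake failure quoted in the Issue section; only a (True, ...) result means the certificate will be accepted as a trust anchor by Java 1.8.0_241 and later without the -Djdk.security.allowNonCaAnchor workaround.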
 
Resolution

This issue is resolved in RSA Identity Governance & Lifecycle 7.2.0 P02.

The patch ensures that certificates in the proper format are generated. To resolve the issue:
  1. Install the patch.
  2. Re-generate the certificates as per RSA Knowledge Base Article 000038314 - How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.

Note: The following error message will be logged on startup if the server certificate does not have BasicConstraints set.

Server certificate is not compliant to RFC-5280 standard

 
Workaround

Known Workarounds:

Below are several options to work around this issue. Any one of them is sufficient; there is no need to implement more than one.

Java Version

Revert to a Java version earlier than Java JDK version 1.8u241 (1.8.0.241).

Externally Signed Certificates

Generate externally signed certificates.

-Djdk.security.allowNonCaAnchor

Add the -Djdk.security.allowNonCaAnchor=true system property to the AFX Agent configuration(s), the Remote Agent configuration(s) and the Application Server configuration (if the Application Server JRE/JDK is updated) to restore the previous trust-anchor behavior.


AFX

To add the -Djdk.security.allowNonCaAnchor system property to AFX, perform the steps below as the afx user:

  1. Back up the additional.groovy file:

cd $AFX_HOME/esb/bin
cp additional.groovy additional.groovy.backup_<date>

  2. Edit the additional.groovy file and add the last line shown below (the -Djdk.security.allowNonCaAnchor=true entry) inside the existing javaMajorVersion block:

if (javaMajorVersion >= 8) {
  w << "wrapper.java.additional.${paramIndex++}=-Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:MaxMetaspaceSize=512m\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:+AlwaysPreTouch\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:+UseG1GC\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:+ExplicitGCInvokesConcurrent\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:+ParallelRefProcEnabled\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:+UseStringDeduplication\n"
  w << "wrapper.java.additional.${paramIndex++}=-XX:InitiatingHeapOccupancyPercent=5\n"
  // Added line: restores the pre-1.8.0_241 trust-anchor behavior for the AFX JVM
  w << "wrapper.java.additional.${paramIndex++}=-Djdk.security.allowNonCaAnchor=true\n"
}

  3. Restart AFX:

afx stop
afx start

NOTE: If you reinstall AFX, the above changes are overwritten, so you must perform the above steps again after reinstalling. See RSA Knowledge Base Article 000034089 - How to install Access Fulfillment Express (AFX) for use with RSA Identity Governance & Lifecycle for more information on installing AFX.


 



Remote Collection Agent

To add the -Djdk.security.allowNonCaAnchor system property to Remote Collection Agents, perform the steps below:

For the Linux Agent:

  1. Back up AveksaAgent/bin/agent.sh:

cd AveksaAgent/bin
cp agent.sh agent.sh.backup_<date>

  2. Edit agent.sh, update the JAVA_OPTS environment variable and add -Djdk.security.allowNonCaAnchor=true as follows:

export JAVA_OPTS="-Xms128m -Xmx256m -Djdk.security.allowNonCaAnchor=true"

For the Windows Agent:

  1. Back up AveksaAgent\bin\agent.bat.
  2. Edit agent.bat and add the last line shown below (the set JAVA_OPTS line) after the existing CLASSPATH setting:

set JAVA=java
if not "%JAVA_HOME%"=="" set JAVA=%JAVA_HOME%\bin\java

set CLASSPATH=%AGENT_HOME%\bin\bootstrap.jar;%AGENT_HOME%\common\lib\log4j-1.2.14.jar;%AGENT_HOME%\conf
set JAVA_OPTS=%JAVA_OPTS% -Djdk.security.allowNonCaAnchor=true

Application Server

If the Application Server JRE/JDK is updated, the -Djdk.security.allowNonCaAnchor=true system property must be added to the Application Server JVM options as well.


 
Notes

For more information on the changes in JDK 8u241, see the JDK 8u241 Update Release Notes.
 
