000039056 - AFX Server fails to start and unable to create a new AFX Server on WebSphere in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 29, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039056
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
Platform: WebSphere
IssueAfter upgrading or migrating from an earlier version of RSA Identity Governance & Lifecycle on WebSphere, AFX fails to start. An attempt to create a new AFX server also fails. This issue is unique to WebSphere installations.

The following error is logged in the aveksaserver.log file:
05/01/2020 14:18:20.940 ERROR (WebContainer : 5) [com.aveksa.gui.core.filters.LoginFilter] 
com.ibm.websphere.servlet.error.ServletErrorReport: java.lang.VerifyError: JVMVRFY012 stack shape inconsistent&#59; class=org/bouncycastle/openssl/PEMReader$ECDSAKeyPairParser, method=parseObject(Lorg/bouncycastle/util/io/pem/PemObject&#59;)Ljava/lang/Object&#59;, pc=26&#59; Type Mismatch, argument 0 in signature org/bouncycastle/asn1/x509/AlgorithmIdentifier.<init>:(Lorg/bouncycastle/asn1/DERObjectIdentifier&#59;Lorg/bouncycastle/asn1/DEREncodable&#59;)V does not match

Note the aveksaServer.log file on WebSphere may be found in a directory similar to the following (where the specific node name would be different), /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/vm-support-11Node01Cell/aveksa.ear/aveksa.war/log. The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs.)
CauseThis is a known issue reported in engineering ticket ACM-103785.

This issue occurs when attempting to parse self-signed certificates generated on an older version of RSA Identity Governance & Lifecycle. Parsing these certificates leads to a call to a deprecated method in the bouncycastle crypto library.
ResolutionThis issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.
WorkaroundThis issue may be resolved by generating new self-signed certificates. This generates certificates to replace legacy certificates that may have deprecated certificate attributes. AFX will have to be redeployed after this change.  
  1. Generate new certificates.

For instructions on how to generate and install new RSA Identity Governance & Lifecycle certificates on WebSphere, see the section entitled Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle Components under the WebSphere Installation section in the RSA Identity Governance & Lifecycle Installation Guide for your specific RSA Identity Governance & Lifecycle version.

  1. Redeploy AFX.

See RSA Knowledge Base Article 000037993 -- How to download and install the AFX Server Archive in RSA Identity Governance & Lifecycle for instructions on redeploying AFX.

NotesAlso refer to the following RSA Knowledge Base Article for additional changes that may be required for self-signed certificates with later Java versions.

000038503 -- AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 ( or later in RSA Identity Governance & Lifecycle.