|Applies To||RSA Product Set: RSA Identity Governance & Lifecycle|
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
|Issue||After upgrading or migrating from an earlier version of RSA Identity Governance & Lifecycle on WebSphere, AFX fails to start. An attempt to create a new AFX server also fails. This issue is unique to WebSphere installations.|
The following error is logged in the aveksaServer.log file:
05/01/2020 14:18:20.940 ERROR (WebContainer : 5) [com.aveksa.gui.core.filters.LoginFilter]
com.ibm.websphere.servlet.error.ServletErrorReport: java.lang.VerifyError: JVMVRFY012 stack shape inconsistent; class=org/bouncycastle/openssl/PEMReader$ECDSAKeyPairParser, method=parseObject(Lorg/bouncycastle/util/io/pem/PemObject;)Ljava/lang/Object;, pc=26; Type Mismatch, argument 0 in signature org/bouncycastle/asn1/x509/AlgorithmIdentifier.<init>:(Lorg/bouncycastle/asn1/DERObjectIdentifier;Lorg/bouncycastle/asn1/DEREncodable;)V does not match
Note: on WebSphere, the aveksaServer.log file may be found in a directory similar to the following (the specific node name will differ): /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/vm-support-11Node01Cell/aveksa.ear/aveksa.war/log. The aveksaServer.log file may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).
|Cause||This is a known issue reported in engineering ticket ACM-103785.|
This issue occurs when attempting to parse self-signed certificates generated on an older version of RSA Identity Governance & Lifecycle. Parsing these certificates leads to a call to a deprecated method in the bouncycastle crypto library.
|Resolution||This issue is being investigated by the Engineering team in order to provide a permanent resolution in a future release.|
|Workaround||This issue may be resolved by generating new self-signed certificates, which replace legacy certificates that may have deprecated certificate attributes. AFX will have to be redeployed after this change.|
For instructions on how to generate and install new RSA Identity Governance & Lifecycle certificates on WebSphere, see the section entitled Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle Components under the WebSphere Installation section in the RSA Identity Governance & Lifecycle Installation Guide for your specific RSA Identity Governance & Lifecycle version.
See RSA Knowledge Base Article 000037993 -- How to download and install the AFX Server Archive in RSA Identity Governance & Lifecycle for instructions on redeploying AFX.
|Notes||Also refer to the following RSA Knowledge Base Article for additional changes that may be required for self-signed certificates with later Java versions.|
000038503 -- AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (126.96.36.199) or later in RSA Identity Governance & Lifecycle.
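To confirm that a node is hitting the error quoted under Issue rather than some other startup failure, the following added example (not RSA code) scans an aveksaServer.log for VerifyError entries and reports only those whose failing class is under org/bouncycastle. The function name, the regular expressions and the sample log (constructed from the entry quoted above, plus one invented unrelated entry) are assumptions of this example.

```python
import re
import sys

# Constructed sample: the entry quoted in this article (exception text shortened)
# plus one invented, unrelated VerifyError that must not be reported.
SAMPLE_LOG = """\
05/01/2020 14:18:20.940 ERROR (WebContainer : 5) [com.aveksa.gui.core.filters.LoginFilter]
com.ibm.websphere.servlet.error.ServletErrorReport: java.lang.VerifyError: JVMVRFY012 stack shape inconsistent; class=org/bouncycastle/openssl/PEMReader$ECDSAKeyPairParser, method=parseObject(Lorg/bouncycastle/util/io/pem/PemObject;)Ljava/lang/Object;, pc=26; Type Mismatch
05/01/2020 14:20:01.000 ERROR (WebContainer : 7) [com.example.Placeholder]
java.lang.VerifyError: JVMVRFY012 stack shape inconsistent; class=com/example/Unrelated, method=run()V, pc=4
"""

# Start of a log entry: "<date> <time>.<millis> LEVEL ..."
ENTRY_START = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+ ")
# VerifyError detail: verifier code, failing class, failing method name.
VERIFY_ERROR = re.compile(
    r"java\.lang\.VerifyError: (\w+) .*?class=([^,;\s]+), method=(\w+)"
)

def find_bc_verify_errors(lines):
    """Return (timestamp, code, class, method) for Bouncy Castle VerifyErrors."""
    hits = []
    timestamp = None  # timestamp of the entry the current line belongs to
    for line in lines:
        start = ENTRY_START.match(line)
        if start:
            timestamp = start.group(1)
        # The exception may share the timestamp line or follow on the next one.
        found = VERIFY_ERROR.search(line)
        if found and found.group(2).startswith("org/bouncycastle/"):
            hits.append((timestamp,) + found.groups())
    return hits

if __name__ == "__main__":
    # Pass the path to aveksaServer.log, or run with no argument for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            results = find_bc_verify_errors(handle)
    else:
        results = find_bc_verify_errors(SAMPLE_LOG.splitlines())
    for timestamp, code, cls, method in results:
        print(f"{timestamp}  {code}  {cls}.{method}")
    sys.exit(0 if results else 1)
```

The script exits with status 0 when at least one matching entry is found and 1 otherwise, so it can be used in a post-upgrade check.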