000039123 - Amazon AWS Account Collector fails with 'java.lang.NoClassDefFoundError' on WebSphere in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jul 14, 2020
Last modified by RSA Customer Support Employee on Jul 14, 2020
Version 2

Article Content

Article Number: 000039123

Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.2
Platform/Application Server: WebSphere
 
Issue
The Amazon AWS account collector (Collectors > Account Collectors > {Collector name} > Data Source Type: Amazon AWS) on WebSphere fails in RSA Identity Governance & Lifecycle. The error reported in the aveksaServer.log depends on the versions of RSA Identity Governance & Lifecycle and WebSphere.

Note that on WebSphere the aveksaServer.log file is located in a directory similar to the following (the specific node name will differ):
 /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/vm-support-11Node01Cell/aveksa.ear/aveksa.war/log
The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab > under Logs).


RSA Identity Governance & Lifecycle 7.0.2 through 7.0.2 P10:
 
 at com.amazonaws.internal.config.InternalConfig.<clinit>(InternalConfig.java:43)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
 at com.amazonaws.internal.config.InternalConfig$Factory.<clinit>(InternalConfig.java:304)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
 at com.amazonaws.util.VersionInfoUtils.userAgent(VersionInfoUtils.java:141)
 at com.amazonaws.util.VersionInfoUtils.initializeUserAgent(VersionInfoUtils.java:136)
 at com.amazonaws.util.VersionInfoUtils.getUserAgent(VersionInfoUtils.java:97)
 at com.amazonaws.ClientConfiguration.<clinit>(ClientConfiguration.java:60)
 at java.lang.J9VMInternals.initializeImpl(Native Method)
 at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
 at com.amazonaws.ClientConfigurationFactory.getDefaultConfig(ClientConfigurationFactory.java:46)
 at com.amazonaws.ClientConfigurationFactory.getConfig(ClientConfigurationFactory.java:36)
 at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:214)
 at com.aveksa.collector.amazonaws.AmazonAWSDataHandler.<init>(AmazonAWSDataHandler.java:49)
 at com.aveksa.collector.amazonaws.AmazonAWSAccountDataHandler.<init>(AmazonAWSAccountDataHandler.java:58)
 at com.aveksa.collector.amazonaws.adc.AmazonAWSAccountDataReader.testConnection(AmazonAWSAccountDataReader.java:93)
 at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:351)
 at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
 at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectTestData(AccountDataCollector.java:277)
 at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:532)
 at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:203)
 at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
 at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
 at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
 at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
 at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
 at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
 at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
 at java.lang.Thread.run(Thread.java:798)
Caused by:
java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.ObjectMapper
 at java.net.URLClassLoader.findClass(URLClassLoader.java:602)
 at com.ibm.ws.bootstrap.ExtClassLoader.findClass(ExtClassLoader.java:243)
 at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:777)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:754)
 at com.ibm.ws.bootstrap.ExtClassLoader.loadClass(ExtClassLoader.java:134)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:731)
 at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:62)
 at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:58)
 at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:586)
 at java.lang.ClassLoader.loadClass(ClassLoader.java:731)
 ... 31 more



RSA Identity Governance & Lifecycle 7.0.2 P11+ and WebSphere lower than version 8.5.5.9:



java.lang.NoSuchFieldError: org/apache/http/conn/ssl/AllowAllHostnameVerifier.INSTANCE
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<clinit>(SSLConnectionSocketFactory.java:144)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.getPreferredSocketFactory(ApacheConnectionManagerFactory.java:87)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:65)
at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:58)
at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:51)
at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:39)
at com.amazonaws.http.AmazonHttpClient.<init>(AmazonHttpClient.java:282)
at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:164)
at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:153)
at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:138)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:234)
at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:214)
at com.aveksa.collector.amazonaws.AmazonAWSDataHandler.<init>(AmazonAWSDataHandler.java:49)
at com.aveksa.collector.amazonaws.AmazonAWSAccountDataHandler.<init>(AmazonAWSAccountDataHandler.java:58)
at com.aveksa.collector.amazonaws.adc.AmazonAWSAccountDataReader.testConnection(AmazonAWSAccountDataReader.java:93)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:351)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectTestData(AccountDataCollector.java:277)
at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:532)
at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:203)
at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
at java.lang.Thread.run(Thread.java:853)


 

Cause
This is a known issue reported in engineering ticket ACM-96764.

This issue occurs because WebSphere bundles an old version of the Apache HTTP Client library in its installation, which was fixed only in version 8.5.5.9. For more information, see PI50993: Apache HTTPComponents vulnerabilities in WebSphere Application Server (CVE-2012-6153, CVE-2014-3577).
 
Resolution
This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels and WebSphere version:
  • RSA Identity Governance & Lifecycle 7.0.2 P11 and WebSphere 8.5.5.9
  • RSA Identity Governance & Lifecycle 7.1.0 and WebSphere 8.5.5.9
Note that both RSA Identity Governance & Lifecycle and WebSphere need to be upgraded to specific versions to resolve this issue.
 
Workaround
WebSphere provides a shared libraries utility that can be used to add libraries to an application without updating the application EAR files. RSA Identity Governance & Lifecycle uses the same utility and creates a shared library with the required JARs and associates these same libraries with the aveksa.ear application. To perform this procedure:
  1. Log in to the WebSphere Administration Console as admin.
  2. Under Environment, navigate to Shared Libraries.




  3. Select the scope of the library and create a New Library.



In the screenshot, /opt/IBM/shared is the class path configured to contain the libraries. This can be any directory that holds the required libraries listed in the following table. Note that the workaround depends on the versions of both RSA Identity Governance & Lifecycle and WebSphere. Find your versions of RSA Identity Governance & Lifecycle and WebSphere in the table below and configure the shared libraries as noted.




  
| RSA Identity Governance & Lifecycle Version | Libraries to be kept in Shared library location for WebSphere Version < 8.5.5.9 | Libraries to be kept in Shared library location for WebSphere version 8.5.5.9 and above |
| --- | --- | --- |
| 7.0.2 versions prior to P11 | jackson-annotations-2.6.6.jar, jackson-databind-2.6.6.jar, jackson-core-2.6.6.jar, httpclient-4.5.1.jar, httpcore-4.4.3.jar | jackson-annotations-2.6.6.jar, jackson-databind-2.6.6.jar, jackson-core-2.6.6.jar |
| 7.0.2 P11 and above | httpclient-4.5.1.jar, httpcore-4.4.3.jar | The collector should work without this workaround. |

  



Select the Use an isolated class loader for this shared library option.


  4. Save the configuration into the master configuration.
  5. Once you create the shared library and store the required JARs in the configured location, navigate to Application > Application Types > WebSphere Enterprise Applications.
  6. Click on aveksa.
  7. In the References section, click on Shared Library References.
  8. Select aveksa and click Reference Shared libraries.



  9. Map the created shared library and click OK.



  10. After saving the changes, restart the server using the following commands:


stopServer.sh
startServer.sh
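
The shell functions below are an added example, not part of the original article and not RSA or IBM tooling. They check that the directory configured as the shared library class path holds the JARs the table calls for, comparing the WebSphere version numerically so that 8.5.5.10 is not mistaken for a version below 8.5.5.9. The function names and the "pre-p11"/"p11plus" labels are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Function names and the "pre-p11"/"p11plus" labels are
# assumptions of this sketch; JAR names and 8.5.5.9 come from the article.

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Components are compared as numbers, so 8.5.5.10 is not lower than 8.5.5.9.
version_lt() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*} y=${vb%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
    done
    return 1
}

# required_jars LEVEL WAS_VERSION: print the JARs the table lists.
# LEVEL is "pre-p11" (7.0.2 before P11) or "p11plus" (7.0.2 P11 and above).
required_jars() {
    jackson="jackson-annotations-2.6.6.jar jackson-databind-2.6.6.jar jackson-core-2.6.6.jar"
    http="httpclient-4.5.1.jar httpcore-4.4.3.jar"
    if version_lt "$2" 8.5.5.9; then old_was=1; else old_was=0; fi
    case "$1:$old_was" in
        pre-p11:1) echo "$jackson $http" ;;
        pre-p11:0) echo "$jackson" ;;
        p11plus:1) echo "$http" ;;
        p11plus:0) echo "" ;;  # collector should work without the workaround
        *) echo "unknown level: $1" >&2; return 2 ;;
    esac
}

# check_shared_lib DIR LEVEL WAS_VERSION: report each required JAR that is
# not readable in DIR; return 1 if any is missing, 0 otherwise.
check_shared_lib() {
    jars=$(required_jars "$2" "$3") || return 2
    missing=0
    for jar in $jars; do
        if [ ! -r "$1/$jar" ]; then
            echo "missing: $1/$jar"
            missing=1
        fi
    done
    return "$missing"
}
```

For example, after sourcing the functions on the WebSphere host, check_shared_lib /opt/IBM/shared p11plus 8.5.5.8 lists any JAR still missing from the directory before the server is restarted.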



 
