Article Content
Article Number | 000039123
Applies To | RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Enterprise Software
RSA Version/Condition: 7.0.2
Platform/Application Server: WebSphere
Issue | The Amazon AWS account collector (Collectors > Account Collectors > {Collector name} > Data Source Type: Amazon AWS) on WebSphere fails in RSA Identity Governance & Lifecycle. The error reported in the aveksaServer.log depends on the versions of RSA Identity Governance & Lifecycle and WebSphere.

On WebSphere, the aveksaServer.log file is located in a directory similar to the following (the specific node name will differ):

/home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/vm-support-11Node01Cell/aveksa.ear/aveksa.war/log

The aveksaServer.log may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab, under Logs).

RSA Identity Governance & Lifecycle 7.0.2 through 7.0.2 P10:

    at com.amazonaws.internal.config.InternalConfig.<clinit>(InternalConfig.java:43)
    at java.lang.J9VMInternals.initializeImpl(Native Method)
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
    at com.amazonaws.internal.config.InternalConfig$Factory.<clinit>(InternalConfig.java:304)
    at java.lang.J9VMInternals.initializeImpl(Native Method)
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
    at com.amazonaws.util.VersionInfoUtils.userAgent(VersionInfoUtils.java:141)
    at com.amazonaws.util.VersionInfoUtils.initializeUserAgent(VersionInfoUtils.java:136)
    at com.amazonaws.util.VersionInfoUtils.getUserAgent(VersionInfoUtils.java:97)
    at com.amazonaws.ClientConfiguration.<clinit>(ClientConfiguration.java:60)
    at java.lang.J9VMInternals.initializeImpl(Native Method)
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
    at com.amazonaws.ClientConfigurationFactory.getDefaultConfig(ClientConfigurationFactory.java:46)
    at com.amazonaws.ClientConfigurationFactory.getConfig(ClientConfigurationFactory.java:36)
    at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:214)
    at com.aveksa.collector.amazonaws.AmazonAWSDataHandler.<init>(AmazonAWSDataHandler.java:49)
    at com.aveksa.collector.amazonaws.AmazonAWSAccountDataHandler.<init>(AmazonAWSAccountDataHandler.java:58)
    at com.aveksa.collector.amazonaws.adc.AmazonAWSAccountDataReader.testConnection(AmazonAWSAccountDataReader.java:93)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:351)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectTestData(AccountDataCollector.java:277)
    at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:532)
    at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:203)
    at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
    at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
    at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
    at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
    at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
    at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
    at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
    at java.lang.Thread.run(Thread.java:798)
Caused by: java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.ObjectMapper
    at java.net.URLClassLoader.findClass(URLClassLoader.java:602)
    at com.ibm.ws.bootstrap.ExtClassLoader.findClass(ExtClassLoader.java:243)
    at java.lang.ClassLoader.loadClassHelper(ClassLoader.java:777)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:754)
    at com.ibm.ws.bootstrap.ExtClassLoader.loadClass(ExtClassLoader.java:134)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:731)
    at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:62)
    at com.ibm.ws.classloader.ProtectionClassLoader.loadClass(ProtectionClassLoader.java:58)
    at com.ibm.ws.classloader.CompoundClassLoader.loadClass(CompoundClassLoader.java:586)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:731)
    ... 31 more

RSA Identity Governance & Lifecycle 7.0.2 P11+ and WebSphere lower than version 8.5.5.9:

java.lang.NoSuchFieldError: org/apache/http/conn/ssl/AllowAllHostnameVerifier.INSTANCE
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<clinit>(SSLConnectionSocketFactory.java:144)
    at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.getPreferredSocketFactory(ApacheConnectionManagerFactory.java:87)
    at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:65)
    at com.amazonaws.http.apache.client.impl.ApacheConnectionManagerFactory.create(ApacheConnectionManagerFactory.java:58)
    at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:51)
    at com.amazonaws.http.apache.client.impl.ApacheHttpClientFactory.create(ApacheHttpClientFactory.java:39)
    at com.amazonaws.http.AmazonHttpClient.<init>(AmazonHttpClient.java:282)
    at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:164)
    at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:153)
    at com.amazonaws.AmazonWebServiceClient.<init>(AmazonWebServiceClient.java:138)
    at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:234)
    at com.amazonaws.services.identitymanagement.AmazonIdentityManagementClient.<init>(AmazonIdentityManagementClient.java:214)
    at com.aveksa.collector.amazonaws.AmazonAWSDataHandler.<init>(AmazonAWSDataHandler.java:49)
    at com.aveksa.collector.amazonaws.AmazonAWSAccountDataHandler.<init>(AmazonAWSAccountDataHandler.java:58)
    at com.aveksa.collector.amazonaws.adc.AmazonAWSAccountDataReader.testConnection(AmazonAWSAccountDataReader.java:93)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectData(AccountDataCollector.java:351)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collect(AccountDataCollector.java:302)
    at com.aveksa.client.datacollector.collectors.accountdatacollectors.AccountDataCollector.collectTestData(AccountDataCollector.java:277)
    at com.aveksa.client.datacollector.framework.DataCollectorManager.collect(DataCollectorManager.java:532)
    at com.aveksa.client.component.collector.DefaultCollectorManager.actUpon(DefaultCollectorManager.java:203)
    at com.aveksa.client.component.collector.DefaultCollectorManager.handle(DefaultCollectorManager.java:102)
    at com.aveksa.client.component.event.DefaultEventManager.handle(DefaultEventManager.java:60)
    at com.aveksa.client.datacollector.framework.SimpleEventSource.notifyListeners(SimpleEventSource.java:67)
    at com.aveksa.client.component.communication.DefaultCommunicationManager.notifyEvent(DefaultCommunicationManager.java:377)
    at com.aveksa.client.component.communication.ChangeListHandler.applyChanges(ChangeListHandler.java:364)
    at com.aveksa.client.component.communication.ChangeListHandler.access$300(ChangeListHandler.java:58)
    at com.aveksa.client.component.communication.ChangeListHandler$ChangeApplyingRunnable.run(ChangeListHandler.java:275)
    at java.lang.Thread.run(Thread.java:853)
Cause | This is a known issue reported in engineering ticket ACM-96764. It occurs because WebSphere bundles an old version of the Apache HTTP Client library in its installation, which was fixed only in version 8.5.5.9. For more information, see PI50993: Apache HTTPComponents vulnerabilities in WebSphere Application Server (CVE-2012-6153, CVE-2014-3577).
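To tell which of the two conditions above a given aveksaServer.log shows, the following added example (not RSA's or IBM's code) matches the two error signatures from this article, counting them only in stack traces that pass through the AWS collector package, and compares a WebSphere version against 8.5.5.9. The function names, the sample log and its timestamp format are assumptions made for the example.

```python
import re

# Error signatures copied from the two stack traces in this article.
SIGNATURES = {
    "jackson-missing": (
        r"ClassNotFoundException:\s*com\.fasterxml\.jackson\.databind\.ObjectMapper",
        "7.0.2 through 7.0.2 P10"),
    "httpclient-too-old": (
        r"NoSuchFieldError:\s*org/apache/http/conn/ssl/AllowAllHostnameVerifier\.INSTANCE",
        "7.0.2 P11+ and WebSphere lower than 8.5.5.9"),
}
COLLECTOR_FRAME = "com.aveksa.collector.amazonaws."  # AWS collector package in both traces
FIXED_WEBSPHERE = (8, 5, 5, 9)                       # WebSphere level named in the Cause
CONTINUATION = re.compile(r"^\s*(at |Caused by:|\.\.\. \d+ more)")

def trace_blocks(log_text):
    """Group log lines so each exception header stays with its frames."""
    block = []
    for line in log_text.splitlines():
        if block and not CONTINUATION.match(line):
            yield "\n".join(block)
            block = []
        block.append(line)
    if block:
        yield "\n".join(block)

def triage(log_text):
    """Return (signature, condition) pairs found in traces through the AWS collector."""
    hits = []
    for block in trace_blocks(log_text):
        if COLLECTOR_FRAME not in block:
            continue  # the same exception raised by another component is not this issue
        for name, (pattern, condition) in SIGNATURES.items():
            if re.search(pattern, block) and (name, condition) not in hits:
                hits.append((name, condition))
    return hits

def websphere_is_affected(version):
    """True when a dotted WebSphere version is lower than 8.5.5.9."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts + (0,) * (4 - len(parts)) < FIXED_WEBSPHERE

# Constructed sample log: timestamps and message text are made up for this example.
SAMPLE_LOG = """\
01/01/2020 10:00:00 ERROR Test connection failed
java.lang.NoSuchFieldError: org/apache/http/conn/ssl/AllowAllHostnameVerifier.INSTANCE
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.<clinit>(SSLConnectionSocketFactory.java:144)
    at com.aveksa.collector.amazonaws.AmazonAWSDataHandler.<init>(AmazonAWSDataHandler.java:49)
01/01/2020 10:05:00 ERROR Unrelated component failed
java.lang.ClassNotFoundException: com.fasterxml.jackson.databind.ObjectMapper
    at java.net.URLClassLoader.findClass(URLClassLoader.java:602)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG), websphere_is_affected("8.5.5.8"))
```

The second trace in the sample is deliberately left unflagged because it never passes through the collector package.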
Resolution | This issue is resolved in the following RSA Identity Governance & Lifecycle versions and patch levels and WebSphere version:
Workaround | WebSphere provides a shared library utility that adds libraries to an application without updating the application EAR files. RSA Identity Governance & Lifecycle uses this utility: a shared library is created with the required JARs and associated with the aveksa.ear application. To perform this procedure:
In the screenshot, /opt/IBM/shared is the class path which is configured to contain the libraries. This can be any directory that can contain the required libraries as noted in the following table. Note that the workaround is dependent on the versions of both RSA Identity Governance & Lifecycle and WebSphere. Find your version of RSA Identity Governance & Lifecycle and WebSphere in the table below and configure the shared libraries as noted.
Select the Use an isolated class loader for this shared library option.