| Article Number | 000029249 |
| Applies To | RSA Product Set: Identity Management and Governance (IMG), AFX
RSA Product/Service Type: AFX Server
RSA Version/Condition: 6.9 |
| Issue | When attempting to start AFX startup times out and the following is seen in your <afx user>/AFX/mule/logs files. This has occurred in several occasions after upgrading RSA IMG from 6.8.1 to 6.9 and our UI shows the AFX server with a status of "Not Running" and AFX times out while starting.
mule.AFX-INIT.log
[ERROR] com.aveksa.afx.server.init.ConfigureDefaultSSLContextComponent:126 - Error configuing default SSL context
java.io.IOException: Keystore was tampered with, or password was incorrect
mule_ee.log
org.mule.module.launcher.DeploymentInitException: UnrecoverableKeyException: Password verification failed
mule.AFX-MAIN.log
[ERROR] org.mule.module.launcher.application.DefaultMuleApplication:365 - null
org.mule.api.lifecycle.InitialisationException: Application initialization error: AFX server environment has not been properly initialized!
-NOTE-
You may have generated new server and client certificates (server.keystore and client.keystore), checked that the fingerprints match, and restarted AFX, and yet the problem remains. |
| Cause | This issue occurs because the truststore password that is in use for the JDK truststore (cacerts) is incorrect or needs to be updated for the AFX Server.
The underlying password for the JDK's JRE truststore could be different from the default, which is changeit.
The IMG UI could have been altered under AFX / Servers and the server's default truststore password could have been altered thinking that this field relates to the server.keystore or client.keystore used by AFX. |
| Resolution | To resolve the issue, follow the steps below.
- Find out what the truststore password is for cacerts.
The default truststore password for cacerts is 'changeit'. If you have not modified the default password, then you should be able to do the following:
- Login as the user oracle.
- Navigate to the appropriate directory with the following command: cd /usr/bin/jdk1.6.0_38/jre/lib/security (in 6.9.1 P03: cd /u01/app/11.2.0/grid/jdk/jre/lib/security)
- List the keystore contents with the following command: keytool -list -v -storepass changeit -keystore cacerts
If this command yields results, then the cacerts password is changeit. Please go to step 2. If this command fails with the error below, then you have changed the default password and you need to contact your system administrator to find out the current password.
[oracle@small-02 security]$ keytool -list -v -storepass changeit -keystore cacerts
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
- Once you confirm the cacerts password; in the UI, go to AFX -> Servers -> AFX Server -> Edit.
In the Default Truststore Password field, type in the cacerts password. Please type this password into the field, even if it has not changed. I.e. even if it is changeit, type it in again and press 'OK'.
- Restart the AFX service:
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance. |
on Jun 14, 2016