000029249 - RSA Identity Governance & Lifecycle Access Fulfillment Express (AFX) Server not running because the keystore was tampered with or password is incorrect

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support on Feb 10, 2018
Version 4

Article Content

Article Number: 000029249
Applies To:
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: AFX Server
RSA Version/Condition: 6.9, 7.0+
Issue
When attempting to start the Access Fulfillment Express (AFX) server, the startup times out and the errors below appear in the log files under <afxuser>/AFX/mule/logs or <afxuser>/AFX/esb/logs, depending on your product version. This occurred on several occasions after upgrading RSA Identity Governance & Lifecycle from 6.8.1 to 6.9. The user interface (UI) shows the AFX server with a status of Not Running.

mule.AFX-INIT.log or esb.AFX-INIT.log

[ERROR] com.aveksa.afx.server.init.ConfigureDefaultSSLContextComponent:126 - Error configuing default SSL context
java.io.IOException: Keystore was tampered with, or password was incorrect


org.mule.module.launcher.DeploymentInitException: UnrecoverableKeyException: Password verification failed

mule.AFX-MAIN.log or esb.AFX-MAIN.log

[ERROR] org.mule.module.launcher.application.DefaultMuleApplication:365 - null
org.mule.api.lifecycle.InitialisationException: Application initialization error: AFX server environment has not been properly initialized!

Additionally, you may have generated new server and client certificates (server.keystore and client.keystore), checked that the fingerprints match, and restarted AFX, yet the problem remains.
Cause
This issue occurs because the truststore password that is in use for the JDK truststore (cacerts) is incorrect or needs to be updated for the AFX server.

The underlying password for the JDK's JRE truststore could be different from the default, which is changeit.
The server's Default Truststore Password could have been changed in the RSA Identity Governance & Lifecycle UI under AFX > Servers, on the mistaken assumption that this field relates to the server.keystore or client.keystore used by AFX.
Resolution
To resolve the issue, follow the steps below.
  1. Find out what the truststore password is for cacerts. The default truststore password for cacerts is changeit. If you have not modified the default password, then you should be able to do the following:
    1. Log in as the user oracle.
    2. Navigate to the appropriate directory with the following command:

cd $JAVA_HOME/jre/lib/security

    3. List the keystore contents with the following command:

keytool -list -v -storepass changeit -keystore cacerts

     If this command yields results, then the cacerts password is changeit. Please go to step 2. If this command fails with the error below, then you have changed the default password and you need to contact your system administrator to find out the current password.

    [oracle@small-02 security]$ keytool -list -v -storepass changeit -keystore cacerts
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
    java.io.IOException: Keystore was tampered with, or password was incorrect

  2. Once you confirm the cacerts password:
    1. In the UI, go to AFX > Servers > AFX Server > Edit.
    2. In the Default Truststore Password field, type in the cacerts password. Enter it even if it has not changed: if the password is still changeit, type it in again.
    3. Press OK.
  3. Restart the AFX service:

  • As the root user:

# service afx_server restart

  • As the oracle user:

$ cd $AFX_HOME/bin
$ ./afx restart

If you are unsure of any of the steps above or experience any issues, please contact RSA Support and quote this article number for further assistance.
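
The keytool error in step 1 names both a wrong password and a tampered file because a JKS store ends with a SHA-1 digest keyed by the store password, so one failed comparison covers both cases. The sketch below is an added example, not RSA's code; it assumes cacerts is in JKS format, and the function names and the empty sample store are constructed for illustration.

```python
import getpass
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # constant the JDK mixes into the JKS digest
DIGEST_LEN = 20                 # SHA-1 output size


def keyed_digest(password: str, body: bytes) -> bytes:
    # JKS integrity value: SHA-1(password as UTF-16BE || whitener || store body)
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + keyed_digest(password, body)


def check_jks_password(store: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'tampered-or-wrong-password'."""
    if len(store) < 12 + DIGEST_LEN or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = store[:-DIGEST_LEN], store[-DIGEST_LEN:]
    if hmac.compare_digest(keyed_digest(password, body), stored):
        return "ok"
    # One keyed hash covers both inputs, so a wrong password and a modified
    # file are indistinguishable here, as in the keytool error text.
    return "tampered-or-wrong-password"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real store; prompting keeps the password out of argv
        with open(sys.argv[1], "rb") as fh:
            print(check_jks_password(fh.read(), getpass.getpass("Store password: ")))
    else:  # offline demo on the constructed store
        sample = build_empty_jks("changeit")
        flipped = sample[:11] + bytes([sample[11] ^ 1]) + sample[12:]
        print(check_jks_password(sample, "changeit"))   # ok
        print(check_jks_password(sample, "wrong"))      # tampered-or-wrong-password
        print(check_jks_password(flipped, "changeit"))  # tampered-or-wrong-password
```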