000029249 - AFX Server not running in RSA IMG 6.9 because the keystore was tampered with or password is incorrect

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029249
Applies To: RSA Product Set: Identity Management and Governance (IMG), AFX
RSA Product/Service Type: AFX Server
RSA Version/Condition: 6.9

Issue
When you attempt to start AFX, startup times out and the errors below appear in the log files under <afx user>/AFX/mule/logs. This has occurred on several occasions after upgrading RSA IMG from 6.8.1 to 6.9. The UI shows the AFX server with a status of "Not Running".

mule.AFX-INIT.log


[ERROR] com.aveksa.afx.server.init.ConfigureDefaultSSLContextComponent:126 - Error configuing default SSL context
java.io.IOException: Keystore was tampered with, or password was incorrect


mule_ee.log


org.mule.module.launcher.DeploymentInitException: UnrecoverableKeyException: Password verification failed


mule.AFX-MAIN.log


[ERROR] org.mule.module.launcher.application.DefaultMuleApplication:365 - null
org.mule.api.lifecycle.InitialisationException: Application initialization error: AFX server environment has not been properly initialized!


-NOTE-
You may have generated new server and client certificates (server.keystore and client.keystore), checked that the fingerprints match, and restarted AFX, and yet the problem remains.

Cause
This issue occurs because the truststore password in use for the JDK truststore (cacerts) is incorrect or needs to be updated for the AFX Server.
The underlying password for the JDK's JRE truststore could be different from the default, which is changeit.
The server's default truststore password under AFX / Servers in the IMG UI could also have been altered by someone who thought this field relates to the server.keystore or client.keystore used by AFX.

Resolution
To resolve the issue, follow the steps below.
  1. Find out what the truststore password is for cacerts.
    The default truststore password for cacerts is 'changeit'. If you have not modified the default password, then you should be able to do the following:
    1. Login as the user oracle.
    2. Navigate to the appropriate directory with the following command:  cd /usr/bin/jdk1.6.0_38/jre/lib/security  (in 6.9.1 P03: cd /u01/app/11.2.0/grid/jdk/jre/lib/security)
    3. List the keystore contents with the following command:  keytool -list -v -storepass changeit -keystore cacerts
    If this command yields results, then the cacerts password is changeit. Please go to step 2. If this command fails with the error below, then you have changed the default password and you need to contact your system administrator to find out the current password.
    [oracle@small-02 security]$ keytool -list -v -storepass changeit -keystore cacerts
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
    java.io.IOException: Keystore was tampered with, or password was incorrect

  2. Once you have confirmed the cacerts password, go to AFX -> Servers -> AFX Server -> Edit in the UI.
    In the Default Truststore Password field, type in the cacerts password. Type the password into the field even if it has not changed; that is, even if it is changeit, type it in again and press 'OK'.
     
  3. Restart the AFX service:
    • As the oracle user:
       
      $ cd $AFX_HOME/bin
      $ ./afx restart

       
    • As the root user:
       
      # service afx_server restart

       
     
If you are unsure of any of the steps above or experience any issues, contact RSA Support and quote this article number for further assistance.
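
The log check from the Issue section and the password test from step 1, combined as an added shell example (not RSA's own code). The function names and the KEYTOOL override variable are assumptions. Unlike the command in step 1, it sends the candidate password to keytool on standard input rather than with -storepass, so the password does not appear in the process list.

```shell
#!/bin/sh
# Added example, not RSA code. Function names and the KEYTOOL override
# variable are assumptions; the log strings and file names are the
# ones quoted in this article.

PW_ERR='Keystore was tampered with, or password was incorrect'

# Succeeds only if all three AFX logs under directory $1
# (<afx user>/AFX/mule/logs) carry the errors this article lists.
afx_log_signature_present() {
    grep -qF "$PW_ERR" "$1/mule.AFX-INIT.log" 2>/dev/null &&
    grep -qF 'UnrecoverableKeyException: Password verification failed' \
        "$1/mule_ee.log" 2>/dev/null &&
    grep -qF 'AFX server environment has not been properly initialized!' \
        "$1/mule.AFX-MAIN.log" 2>/dev/null
}

# Tests password $2 against truststore $1.
# Returns 0 = password opens the store, 1 = keytool reported the
# tamper/password error, 2 = could not test (unreadable file, empty
# password, or some other keytool failure).
cacerts_password_ok() {
    [ -r "$1" ] || return 2
    # keytool lists a store without verifying it when given no
    # password, so an empty candidate would look like a success.
    [ -n "$2" ] || return 2
    # The password is piped to keytool's prompt by printf (a builtin
    # in bash and dash) instead of being passed with -storepass.
    out=$(printf '%s\n' "$2" |
        "${KEYTOOL:-keytool}" -list -keystore "$1" 2>&1) && return 0
    case $out in
        *"$PW_ERR"*) return 1 ;;
        *) return 2 ;;
    esac
}
```

Source the file as the oracle user, then call `afx_log_signature_present` with the AFX log directory and `cacerts_password_ok` with the cacerts path from step 1 and the candidate password. A return code of 1 from the second function corresponds to the keytool failure shown in step 1.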
