000022255 - How to install RSA ClearTrust Agent 4.5 for IBM WebSphere 5.1

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022255
Applies To: RSA ClearTrust Agent 4.5 for IBM WebSphere 5.1
IBM WebSphere Application Server 5.1
Issue: How to install RSA ClearTrust Agent 4.5 for IBM WebSphere 5.1
After installing RSA ClearTrust Agent 4.5 for IBM WebSphere 5.1, WebSphere does not start up. The Agent install log shows the following after the keystore passphrase is entered:

Invocation of this Java Application has caused an ExceptionInInitializerError. This application will now exit. (LAX)

Stack Trace:
java.lang.SecurityException: Prohibited package name: java.util.logging
        at java.lang.ClassLoader.defineClass(ClassLoader.java:678)
        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:133)
        at java.net.URLClassLoader.defineClass(URLClassLoader.java:319)
        at java.net.URLClassLoader.access$400(URLClassLoader.java:92)
        at java.net.URLClassLoader$ClassFinder.run(URLClassLoader.java:677)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:238)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:516)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:441)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:448)
        at com.ibm.crypto.provider.IBMJCE.<clinit>(Unknown Source)
        at java.lang.Class.forName1(Native Method)
        at java.lang.Class.forName(Class.java:142)
        at com.rsa.cleartrust.install.IsConServerRunning.executeConsoleAction(IsConServerRunning.java:252)
        at com.zerog.ia.installer.ConsoleBasedAAMgr.a(DashoA8113)
        at com.zerog.ia.installer.Main.c(DashoA8113)
        at com.zerog.ia.installer.Main.a(DashoA8113)
        at com.zerog.ia.installer.Main.main(DashoA8113)
        at java.lang.reflect.Method.invoke(Native Method)
        at com.zerog.lax.LAX.launch(DashoA8113)
        at com.zerog.lax.LAX.main(DashoA8113)
Cause: There is a clash of JRE versions. The message suggests that the JRE being used is JRE 1.3, but that the CLASSPATH has picked up JRE 1.4 classes. The LAX installation utility that installs and uninstalls RSA ClearTrust Agent has a built-in JRE 1.3, but at the present time a global CLASSPATH has been configured and is being picked up.
Resolution: Nullify the existing JAVA_HOME environment variable value so that the installer has no conflicts when using its own JRE to complete the installation process.
To correct this issue, complete the following installation process:

1. Install the RSA ClearTrust Agent 4.5 for IBM WebSphere 5.1 in the GUI mode with Global Security turned off in WAS as described in the RSA ClearTrust Agent 4.5 for IBM WebSphere Installation and Configuration Guide

2. Move the security.xml file to security.xml.postct - this is usually found in /usr/WebSphere/AppServer/config/cells/<server Name>

3. Copy the security.xml.prect file and rename it to security.xml

4. Edit the ClearTrust properties file in /usr/WebSphere/AppServer/properties folder

  a. Set cleartrust.agent.web_filter_enable=false

  b. Set cleartrust.agent.websphere.tai_validate_sessions=false

  NOTE: This may be turned on for added security. When turned on, it will validate the ClearTrust token against the ClearTrust servers.

  c. Set cleartrust.agent.websphere.tai_user_header=ct-remote-user

5. Copy the cleartrust.properties file to the eClient server's properties folder. This server does not look for the properties file in the WAS default properties folder. If this file is not copied to the appropriate folder, the eClient server will fail to start.

6. Restart WebSphere app server

7. Log in to the WebSphere Admin console

8. Select Authentication Mechanisms - LTPA - Trust Association

9. Add a new Trust Association Interceptor - com.ibm.wps.sso.RSATrustAssociationInterceptor

10. Delete the two default TrustAssociationInterceptors that are not used

11. Save changes

12. Enable Global Security

13. Save changes

14. Restart WebSphere
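
The following script is an added example, not part of the original article or of RSA's tooling. It checks that JAVA_HOME and CLASSPATH are unset before the installer is run, and compares a cleartrust.properties file against the values in steps 4a to 4c. The function names and the sample file are constructed for illustration; in practice, pass the path of the properties file from step 4 (and of the copy from step 5) to check_props.

```shell
#!/bin/sh
# Added example, not RSA's code. Function names and sample values are constructed.
# True only when neither JAVA_HOME nor CLASSPATH is set (see Cause/Resolution).
installer_env_clean() {
    [ -z "${JAVA_HOME:-}" ] && [ -z "${CLASSPATH:-}" ]
}

# Print the value of key $2 in properties file $1 (last assignment wins).
prop_get() {
    awk -v k="$2" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); val = substr($0, i + 1)
          gsub(/^[ \t\r]+|[ \t\r]+$/, "", key)
          gsub(/^[ \t\r]+|[ \t\r]+$/, "", val)
          if (key == k) found = val }
        END { print found }' "$1"
}

# Compare file $1 with steps 4a-4c; returns non-zero on any FAIL.
check_props() {
    f=$1; rc=0
    for want in \
        "cleartrust.agent.web_filter_enable=false" \
        "cleartrust.agent.websphere.tai_user_header=ct-remote-user"
    do
        key=${want%%=*}; exp=${want#*=}
        got=$(prop_get "$f" "$key")
        if [ "$got" = "$exp" ]; then echo "OK   $key=$got"
        else echo "FAIL $key='$got' (expected '$exp')"; rc=1; fi
    done
    v=$(prop_get "$f" cleartrust.agent.websphere.tai_validate_sessions)
    case $v in
        true)  echo "OK   tai_validate_sessions=true (token validated against ClearTrust servers)" ;;
        false) echo "WARN tai_validate_sessions=false (token not validated; see NOTE in step 4b)" ;;
        *)     echo "FAIL tai_validate_sessions='$v' (expected true or false)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample standing in for cleartrust.properties after step 4.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
cleartrust.agent.web_filter_enable=false
cleartrust.agent.websphere.tai_validate_sessions=false
cleartrust.agent.websphere.tai_user_header = ct-remote-user
EOF
installer_env_clean || echo "WARN JAVA_HOME or CLASSPATH is set in this shell"
check_props "$SAMPLE"
rm -f "$SAMPLE"
```
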
Legacy Article ID: a27696