Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000034738 - "Error Handling KEK" when accessing the RSA Identity Governance and Lifecycle portal after upgrading to 7.0.1 in a WebSphere environment

Document created by RSA Customer Support

on Jan 27, 2017•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000034738
Applies To	RSA Product Set: RSA Identity Governance and Lifecycle RSA Version/Condition: 7.0.1 Platform: WebSphere 8.5
Issue	After completing an upgrade from 6.8.1 to 7.0.1 in a software only - WebSphere environment, the following Initialization Status messages appears when accessing the RSA Identity Governance and Lifecycle portal. The aveksaServer.log located in /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/<nodename>/aveksa.ear/aveksa.war/log contains the following stack traces: 01/24/2017 14:35:34.088 ERROR (server.startup : 1) [com.aveksa.server.core.crypto.EncryptionServiceProvider] Error handling KEK com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593) at com.aveksa.server.core.crypto.EncryptionServiceProvider.createDefaultKek(EncryptionServiceProvider.java:204) at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultKek(EncryptionServiceProvider.java:176) at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:103) at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86) at com.aveksa.server.core.Container.registerService(Container.java:289) at com.aveksa.server.core.Container.initialize(Container.java:83) at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329) at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305) at com.aveksa.init.Startup.init(Startup.java:52) at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94) at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83) at com.aveksa.init.InitServlet.init(InitServlet.java:42) at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168) at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368) at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629) at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595) at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422) at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88) at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170) at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904) at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789) at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427) at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719) at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177) at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382) at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639) at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971) at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776) at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195) at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477) at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603) at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255) at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435) at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984) at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881) Caused by: com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708) at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113) at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162) at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134) at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983) at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853) at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588) ... 41 more Caused by: com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath. at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754) at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706) ... 47 more 01/24/2017 14:35:34.096 ERROR (server.startup : 1) [com.aveksa.server.core.Container] Unable to register service EncryptionService. com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:550) at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupDefaultEncryptor(EncryptionServiceProvider.java:127) at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:112) at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86) at com.aveksa.server.core.Container.registerService(Container.java:289) at com.aveksa.server.core.Container.initialize(Container.java:83) at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329) at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305) at com.aveksa.init.Startup.init(Startup.java:52) at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94) at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83) at com.aveksa.init.InitServlet.init(InitServlet.java:42) at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344) at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168) at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368) at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629) at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595) at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422) at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88) at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170) at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904) at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789) at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427) at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719) at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177) at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382) at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639) at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971) at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776) at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195) at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477) at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603) at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255) at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435) at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126) at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984) at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502) at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881) Caused by: com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593) at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:509) ... 40 more Caused by: com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708) at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113) at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162) at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134) at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983) at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853) at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588) ... 41 more Caused by: com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath. at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754) at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706) ... 47 more
Cause	There are BSAFE or Crypto libraries that are conflicting with the RSA Identity Governance and Lifecycle code. The FIPS (Federal Information Processing Standard) compliance is managed by the RSA Identity Governance and Lifecycle application. Hence, the presence of any BSAFE or Crypto libraries outside of the RSA Identity Governance and Lifecycle application conflicts with the RSA Identity Governance and Lifecycle code and does not allow for the enablement of FIPS compliance.
Resolution	Access the WebSphere console and select Troubleshooting > Class Loader viewer > <server_name> > Applications > aveksa > Web modules > aveksa.war. Click Table View and see if any of the .jar files listed below are picked from the classpath outside the aveksa.ear located in /opt/IBM/Websphere/Profiles/<Profile_Name>/installedApps/<cell_name>/aveksa.ear/*. If so, remove the .jar file from the classpath location cryptojce.jar cryptoj.jar cryptojcommon.jar jcmFIPS.jar util .jar For example, in this case cryptoj.jar was picked from the parent WebSphere installation folder: Remove the conflicting jar files found above. Restart the WebSphere Application Server and then the RSA Identity Governance and Lifecycle application.

Attachments

Outcomes

0 Comments

Recommended Content