000034738 - "Error Handling KEK" when accessing the RSA Identity Governance and Lifecycle portal after upgrading to 7.0.1 in a WebSphere environment

Document created by RSA Customer Support Employee on Jan 27, 2017. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000034738
Applies To:
RSA Product Set: RSA Identity Governance and Lifecycle
RSA Version/Condition: 7.0.1
Platform: WebSphere 8.5
 
Issue
After completing an upgrade from 6.8.1 to 7.0.1 in a software-only WebSphere environment, the following Initialization Status message appears when accessing the RSA Identity Governance and Lifecycle portal.

User-added image

The aveksaServer.log located in /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/<nodename>/aveksa.ear/aveksa.war/log contains the following stack traces:


01/24/2017 14:35:34.088 ERROR (server.startup : 1) [com.aveksa.server.core.crypto.EncryptionServiceProvider] Error handling KEK

 
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createDefaultKek(EncryptionServiceProvider.java:204)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultKek(EncryptionServiceProvider.java:176)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:103)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86)
at com.aveksa.server.core.Container.registerService(Container.java:289)
at com.aveksa.server.core.Container.initialize(Container.java:83)
at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329)
at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305)
at com.aveksa.init.Startup.init(Startup.java:52)
at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94)
at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83)
at com.aveksa.init.InitServlet.init(InitServlet.java:42)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368)
at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422)
at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88)
at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603)
at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435)
at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by:
com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708)
at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588)
... 41 more
Caused by:
com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath.
at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754)
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706)
... 47 more
01/24/2017 14:35:34.096 ERROR (server.startup : 1) [com.aveksa.server.core.Container] Unable to register service EncryptionService.
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:550)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupDefaultEncryptor(EncryptionServiceProvider.java:127)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:112)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86)
at com.aveksa.server.core.Container.registerService(Container.java:289)
at com.aveksa.server.core.Container.initialize(Container.java:83)
at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329)
at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305)
at com.aveksa.init.Startup.init(Startup.java:52)
at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94)
at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83)
at com.aveksa.init.InitServlet.init(InitServlet.java:42)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368)
at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422)
at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88)
at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603)
at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435)
at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by:
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:509)
... 40 more
Caused by:
com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708)
at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588)
... 41 more
Caused by:
com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath.
at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754)
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706)
... 47 more


 
Cause
BSAFE or Crypto libraries on the classpath are conflicting with the RSA Identity Governance and Lifecycle code. FIPS (Federal Information Processing Standard) compliance is managed by the RSA Identity Governance and Lifecycle application itself, so the presence of any BSAFE or Crypto libraries outside the application conflicts with its code and prevents FIPS compliance from being enabled.
Resolution
  1. Access the WebSphere console and select Troubleshooting > Class Loader viewer > <server_name> > Applications > aveksa > Web modules > aveksa.war.

User-added image

  2. Click Table View and check whether any of the .jar files listed below are loaded from a classpath location outside the aveksa.ear located in /opt/IBM/Websphere/Profiles/<Profile_Name>/installedApps/<cell_name>/aveksa.ear/*. If so, remove the .jar file from that classpath location.
  • cryptojce.jar
  • cryptoj.jar
  • cryptojcommon.jar
  • jcmFIPS.jar
  • util.jar

For example, in this case cryptoj.jar was picked up from the parent WebSphere installation folder:

User-added image

  3. Remove the conflicting jar files found above.
  4. Restart the WebSphere Application Server and then the RSA Identity Governance and Lifecycle application.
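
A read-only filesystem check that complements the Class Loader viewer step above, added here as an example and not part of the RSA article: it lists every copy of the jars named in the list that sits outside an aveksa.ear directory. The function name find_conflicting_jars and the root path you pass in are assumptions.

```shell
#!/bin/sh
# Added example (not RSA's code): report copies of the jars named in this
# article that live outside aveksa.ear. Read-only; nothing is removed.

# Jar names taken from the article's list.
CONFLICT_JARS="cryptojce.jar cryptoj.jar cryptojcommon.jar jcmFIPS.jar util.jar"

# find_conflicting_jars ROOT   (hypothetical helper name)
# Prints one path per line for each listed jar found under ROOT that is
# not inside an aveksa.ear directory. Returns 2 if ROOT is not a directory.
find_conflicting_jars() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    for jar in $CONFLICT_JARS; do
        # -prune skips the application's own copies bundled in aveksa.ear,
        # which are expected and must stay in place.
        find "$root" -type d -name aveksa.ear -prune -o \
             -type f -name "$jar" -print 2>/dev/null
    done | sort
}

# Stand-alone use: pass the WebSphere installation root as the first
# argument (assumption: the path is whatever your install uses).
if [ -n "${1:-}" ]; then
    find_conflicting_jars "$1"
fi
```

Treat the output as candidates only: util.jar is a generic file name, so confirm in the Class Loader viewer that a reported file is actually loaded for aveksa.war before removing it.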
 
