AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0_241) / 1.7u251 (1.7.0_251) or later in RSA Identity Governance & Lifecycle
Originally Published: 2020-02-24
Article Number
Applies To
RSA Version/Condition: 7.0.x, 7.1.x, 7.2.0
Issue
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path validation failed: sun.security.validator.ValidatorException:
TrustAnchor with subject "CN=aveksa_ca, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US" is not a CA certificate
Cause
New checks have been added to Java 1.8.0_241 and 1.7.0_251 and later to ensure that trust anchors are CA certificates and contain proper extensions. Trust anchors are used to validate certificate chains used in TLS and signed code. Trust anchor certificates must include a Basic Constraints extension with the cA field set to true. Also, if they include a Key Usage extension, the keyCertSign bit must be set.
AFX Servers and Remote Collection Agents use a self-signed certificate when communicating with the RSA Identity Governance & Lifecycle server over a Secure Sockets Layer (SSL) connection. This self-signed certificate does not yet carry the extensions required by the check introduced in Java 1.8.0_241 and 1.7.0_251 and later, so the JVM refuses to use it as a trust anchor.
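As an added illustration (not RSA's code), the following Java utility applies the two rules above to every trusted-certificate entry in a keystore, so an administrator can see before updating Java whether an anchor such as aveksa_ca would be rejected. The class name, argument handling and output format are my own; the rules themselves are the ones the Cause section describes.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Lists trust anchors in a keystore that Java 8u241+ / 7u251+ will refuse. */
public class TrustAnchorCheck {

    // Index of the keyCertSign bit in the boolean[] returned by getKeyUsage().
    private static final int KEY_CERT_SIGN = 5;

    /** Returns null if the certificate is an acceptable trust anchor, else the reason. */
    static String rejectionReason(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the extension is absent or cA=false.
        if (cert.getBasicConstraints() < 0) {
            return "no Basic Constraints extension with cA=true";
        }
        boolean[] ku = cert.getKeyUsage(); // null when the extension is absent
        if (ku != null && !(ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN])) {
            return "Key Usage extension present but keyCertSign bit not set";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustAnchorCheck <keystore> <password> [type]");
            System.exit(2);
        }
        // Keystore type defaults to the JVM default (JKS on older JDKs, PKCS12 on newer).
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        int rejected = 0;
        for (String alias : Collections.list(ks.aliases())) {
            // Only trusted-certificate entries act as trust anchors; skip key entries.
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            String reason = rejectionReason(x);
            String status = reason == null ? "OK     " : "REJECT ";
            System.out.println(status + alias + " (" + x.getSubjectX500Principal() + ")"
                    + (reason == null ? "" : ": " + reason));
            if (reason != null) rejected++;
        }
        System.exit(rejected == 0 ? 0 : 1); // non-zero exit if any anchor would fail
    }
}
```

Run it against the agent's truststore with the JDK you intend to upgrade to; a REJECT line for the aveksa_ca entry reproduces the condition behind the "is not a CA certificate" handshake failure.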
Resolution
- RSA Identity Governance & Lifecycle 7.1.1 P08
- RSA Identity Governance & Lifecycle 7.2.0 P02
The patch ensures that certificates are generated in the proper format. To resolve the issue:
- Install the patch.
- Re-generate the certificates as per RSA Knowledge Base Article 000038314 - How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle.
Note: In 7.2.0 P02, the following error message is logged on startup if the server certificate does not have the Basic Constraints extension set:
Server certificate is not compliant to RFC-5280 standard
Workaround
Known Workarounds: (choose one)
Java Version (only known workaround for AFX)
Revert back to a Java version earlier than Java JDK version 1.8u241 (1.8.0_241).
For RSA Identity Governance & Lifecycle 7.0.x versions which use Java 7, revert back to a Java version earlier than Java JDK version 1.7u251 (1.7.0_251). Since RSA Identity Governance & Lifecycle 7.0.x is End of Product Support (EOPS), it is recommended that the RSA Identity Governance & Lifecycle version be upgraded as soon as possible.
Externally Signed Certificates
Generate externally signed certificates.
-Djdk.security.allowNonCaAnchor (Remote Agent only)
Add the -Djdk.security.allowNonCaAnchor system property to the Remote Agent configuration(s) and the Application Server configuration (if the Application Server JRE/JDK is updated) to restore the previous behavior.
Remote Collection Agent:
To add the -Djdk.security.allowNonCaAnchor system property to Remote Collection Agents, perform the steps below:
For the Linux Agent:
- Backup AveksaAgent/bin/agent.sh
cd AveksaAgent/bin
cp agent.sh agent.sh.backup_<date>
- Edit agent.sh, update the JAVA_OPTS environment variable and add -Djdk.security.allowNonCaAnchor=true as follows:
export JAVA_OPTS="-Xms128m -Xmx256m -Djdk.security.allowNonCaAnchor=true"
For Windows Agent:
- Backup AveksaAgent\bin\agent.bat
- Edit agent.bat and add the last line shown below (the set JAVA_OPTS line); the preceding lines already exist in the file and are shown for context:
set JAVA=java
if not "%JAVA_HOME%"=="" set JAVA=%JAVA_HOME%\bin\java
set CLASSPATH=%AGENT_HOME%\bin\bootstrap.jar;%AGENT_HOME%\common\lib\log4j-1.2.14.jar;%AGENT_HOME%\conf
set JAVA_OPTS=%JAVA_OPTS% -Djdk.security.allowNonCaAnchor=true
Application Server:
If the Application Server JRE/JDK is updated, the JVM parameter, -Djdk.security.allowNonCaAnchor=true system property, needs to be added as well.