AFX Server fails to start and unable to create a new AFX Server on WebSphere in RSA Identity Governance & Lifecycle
Originally Published: 2020-06-26
Article Number
Applies To
RSA Version/Condition: 7.1.0, 7.1.1, 7.2.0
Platform: WebSphere
Issue
The following error is logged in the aveksaServer.log file:
05/01/2020 14:18:20.940 ERROR (WebContainer : 5) [com.aveksa.gui.core.filters.LoginFilter]
com.ibm.websphere.servlet.error.ServletErrorReport: java.lang.VerifyError: JVMVRFY012 stack shape inconsistent; class=org/bouncycastle/openssl/PEMReader$ECDSAKeyPairParser, method=parseObject(Lorg/bouncycastle/util/io/pem/PemObject;)Ljava/lang/Object;, pc=26; Type Mismatch, argument 0 in signature org/bouncycastle/asn1/x509/AlgorithmIdentifier.<init>:(Lorg/bouncycastle/asn1/DERObjectIdentifier;Lorg/bouncycastle/asn1/DEREncodable;)V does not match
Note: On WebSphere, the aveksaServer.log file may be found in a directory similar to the following (the specific node name will differ): /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/vm-support-11Node01Cell/aveksa.ear/aveksa.war/log
The aveksaServer.log file may also be downloaded from the RSA Identity Governance & Lifecycle user interface (Admin > System > Server Nodes tab, under Logs).
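To confirm that a node is hitting this specific signature rather than some other VerifyError, the log entry above can be matched programmatically. This is an added example, not RSA code; the function name, the sample text and the `com.example.Placeholder` logger are constructed for illustration.

```python
import re

# Constructed sample modelled on the log entry quoted in this article, plus one
# unrelated ERROR entry (hypothetical logger) that must not be flagged.
SAMPLE_LOG = """\
05/01/2020 14:18:20.940 ERROR (WebContainer : 5) [com.aveksa.gui.core.filters.LoginFilter]
com.ibm.websphere.servlet.error.ServletErrorReport: java.lang.VerifyError: JVMVRFY012 stack shape inconsistent; class=org/bouncycastle/openssl/PEMReader$ECDSAKeyPairParser, method=parseObject(Lorg/bouncycastle/util/io/pem/PemObject;)Ljava/lang/Object;, pc=26; Type Mismatch, argument 0 in signature org/bouncycastle/asn1/x509/AlgorithmIdentifier.<init>:(Lorg/bouncycastle/asn1/DERObjectIdentifier;Lorg/bouncycastle/asn1/DEREncodable;)V does not match
05/01/2020 14:19:02.113 ERROR (WebContainer : 7) [com.example.Placeholder]
java.lang.IllegalStateException: constructed unrelated error
"""

# Header line: timestamp, level, (thread), [logger]
HEADER = re.compile(
    r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (\w+) \((.+?)\) \[([^\]]+)\]")
# Detail line: J9 verifier code, failing class, method name and bytecode offset
VERIFY = re.compile(
    r"java\.lang\.VerifyError: (JVMVRFY\d+) .*?class=([^,]+), method=([^(]+)\(.*?pc=(\d+);")


def find_verify_errors(text):
    """Return one dict per VerifyError line, tagged with the preceding log header."""
    hits, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m  # remember the entry this detail line belongs to
            continue
        v = VERIFY.search(line)
        if not v:
            continue
        code, cls, method, pc = v.groups()
        hits.append({
            "timestamp": header.group(1) if header else None,
            "logger": header.group(4) if header else None,
            "code": code,
            "class": cls.replace("/", "."),
            "method": method,
            "pc": int(pc),
            # Signature from this article: the verifier rejects a Bouncy Castle PEM parser class.
            "matches_article": code == "JVMVRFY012"
            and cls.startswith("org/bouncycastle/openssl/PEMReader"),
        })
    return hits


if __name__ == "__main__":
    for hit in find_verify_errors(SAMPLE_LOG):
        print(hit)
```

To run it against a real node, pass the contents of aveksaServer.log to `find_verify_errors` instead of `SAMPLE_LOG`.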
Cause
This issue occurs when attempting to parse self-signed certificates generated on an older version of RSA Identity Governance & Lifecycle. Parsing these certificates leads to a call to a deprecated method in the Bouncy Castle crypto library.
Resolution
Workaround
- Generate new certificates.
  For instructions on how to generate and install new RSA Identity Governance & Lifecycle certificates on WebSphere, see the section entitled "Configure SSL for Internal Communication Between RSA Identity Governance and Lifecycle Components" under the WebSphere Installation section in the RSA Identity Governance & Lifecycle Installation Guide for your specific RSA Identity Governance & Lifecycle version.
- Redeploy AFX.
  See RSA Knowledge Base Article 000037993 -- "How to download and install the AFX Server Archive in RSA Identity Governance & Lifecycle" for instructions on redeploying AFX.
Notes
000038503 -- AFX Server and Remote Collection Agents fail to start after updating Java to version 1.8u241 (1.8.0.241) or later in RSA Identity Governance & Lifecycle.