"Error Handling KEK" when accessing the RSA Identity Governance and Lifecycle portal after upgrading to 7.0.1 in a WebSphere environment
Originally Published: 2017-01-26
Article Number
Applies To
RSA Version/Condition: 7.0.1
Platform: WebSphere 8.5
Issue
The aveksaServer.log located in /home/oracle/IBM/WebSphere/AppServer/profiles/AppSrv01/installedApps/<nodename>/aveksa.ear/aveksa.war/log contains the following stack traces:
01/24/2017 14:35:34.088 ERROR (server.startup : 1) [com.aveksa.server.core.crypto.EncryptionServiceProvider] Error handling KEK
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createDefaultKek(EncryptionServiceProvider.java:204)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultKek(EncryptionServiceProvider.java:176)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:103)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86)
at com.aveksa.server.core.Container.registerService(Container.java:289)
at com.aveksa.server.core.Container.initialize(Container.java:83)
at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329)
at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305)
at com.aveksa.init.Startup.init(Startup.java:52)
at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94)
at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83)
at com.aveksa.init.InitServlet.init(InitServlet.java:42)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368)
at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422)
at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88)
at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603)
at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435)
at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by:
com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708)
at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588)
... 41 more
Caused by:
com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath.
at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754)
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706)
... 47 more
01/24/2017 14:35:34.096 ERROR (server.startup : 1) [com.aveksa.server.core.Container] Unable to register service EncryptionService.
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:550)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupDefaultEncryptor(EncryptionServiceProvider.java:127)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.setupEncryptors(EncryptionServiceProvider.java:112)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.initialize(EncryptionServiceProvider.java:86)
at com.aveksa.server.core.Container.registerService(Container.java:289)
at com.aveksa.server.core.Container.initialize(Container.java:83)
at com.aveksa.server.runtime.AveksaSystem.doStartupOperations(AveksaSystem.java:329)
at com.aveksa.server.runtime.AveksaSystem.initialize(AveksaSystem.java:305)
at com.aveksa.init.Startup.init(Startup.java:52)
at com.aveksa.gui.core.ACMFramework.init(ACMFramework.java:94)
at com.aveksa.gui.core.ACMFramework.initInstance(ACMFramework.java:83)
at com.aveksa.init.InitServlet.init(InitServlet.java:42)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.init(ServletWrapper.java:344)
at com.ibm.ws.webcontainer.servlet.ServletWrapperImpl.init(ServletWrapperImpl.java:168)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.loadOnStartupCheck(ServletWrapper.java:1368)
at com.ibm.ws.webcontainer.webapp.WebApp.doLoadOnStartupActions(WebApp.java:629)
at com.ibm.ws.webcontainer.webapp.WebApp.commonInitializationFinally(WebApp.java:595)
at com.ibm.ws.webcontainer.webapp.WebAppImpl.initialize(WebAppImpl.java:422)
at com.ibm.ws.webcontainer.webapp.WebGroupImpl.addWebApplication(WebGroupImpl.java:88)
at com.ibm.ws.webcontainer.VirtualHostImpl.addWebApplication(VirtualHostImpl.java:170)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApp(WSWebContainer.java:904)
at com.ibm.ws.webcontainer.WSWebContainer.addWebApplication(WSWebContainer.java:789)
at com.ibm.ws.webcontainer.component.WebContainerImpl.install(WebContainerImpl.java:427)
at com.ibm.ws.webcontainer.component.WebContainerImpl.start(WebContainerImpl.java:719)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:1177)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.fireDeployedObjectStart(DeployedApplicationImpl.java:1382)
at com.ibm.ws.runtime.component.DeployedModuleImpl.start(DeployedModuleImpl.java:639)
at com.ibm.ws.runtime.component.DeployedApplicationImpl.start(DeployedApplicationImpl.java:971)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.startApplication(ApplicationMgrImpl.java:776)
at com.ibm.ws.runtime.component.ApplicationMgrImpl$5.run(ApplicationMgrImpl.java:2195)
at com.ibm.ws.security.auth.ContextManagerImpl.runAs(ContextManagerImpl.java:5477)
at com.ibm.ws.security.auth.ContextManagerImpl.runAsSystem(ContextManagerImpl.java:5603)
at com.ibm.ws.security.core.SecurityContext.runAsSystem(SecurityContext.java:255)
at com.ibm.ws.runtime.component.ApplicationMgrImpl.start(ApplicationMgrImpl.java:2200)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:435)
at com.ibm.ws.runtime.component.CompositionUnitImpl.start(CompositionUnitImpl.java:123)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.start(CompositionUnitMgrImpl.java:378)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl.access$500(CompositionUnitMgrImpl.java:126)
at com.ibm.ws.runtime.component.CompositionUnitMgrImpl$CUInitializer.run(CompositionUnitMgrImpl.java:984)
at com.ibm.wsspi.runtime.component.WsComponentImpl$_AsynchInitializer.run(WsComponentImpl.java:502)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1881)
Caused by:
com.aveksa.server.runtime.ServerException: Unable to generate default encryption key entry
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:593)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.getOrCreateDefaultEncryptionKey(EncryptionServiceProvider.java:509)
... 40 more
Caused by:
com.aveksa.common.crypto.EncryptionException: An issue with handling encryption was encountered
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:708)
at com.aveksa.common.crypto.EncryptionMgr.generateRandomString(EncryptionMgr.java:1113)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1162)
at com.aveksa.common.crypto.EncryptionMgr.generateUniqueKeyValue(EncryptionMgr.java:1134)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateKeyValue(EncryptionServiceProvider.java:983)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.generateNewEncryptionKeyEntry(EncryptionServiceProvider.java:853)
at com.aveksa.server.core.crypto.EncryptionServiceProvider.createEncryptionKey(EncryptionServiceProvider.java:588)
... 41 more
Caused by:
com.aveksa.common.crypto.EncryptionException: Non-FIPS140 Crypto-J toolkit in classpath.
at com.aveksa.common.crypto.EncryptionMgr.addProvider(EncryptionMgr.java:754)
at com.aveksa.common.crypto.EncryptionMgr.getSecureRandom(EncryptionMgr.java:706)
... 47 more
Cause
Resolution
- Access the WebSphere console and select Troubleshooting > Class Loader viewer > <server_name> > Applications > aveksa > Web modules > aveksa.war.
- Click Table View and check whether any of the .jar files listed below are loaded from a classpath location outside the aveksa.ear directory located in /opt/IBM/Websphere/Profiles/<Profile_Name>/installedApps/<cell_name>/aveksa.ear/*. If so, remove the .jar file from that classpath location.
- cryptojce.jar
- cryptoj.jar
- cryptojcommon.jar
- jcmFIPS.jar
- util.jar
For example, in this case cryptoj.jar was picked from the parent WebSphere installation folder.
- Remove the conflicting jar files found above.
- Restart the WebSphere Application Server and then the RSA Identity Governance and Lifecycle application.
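The check in the Class Loader viewer can be cross-checked from the shell. The following is an added example, not part of the original article or RSA's tooling: it lists copies of the jar files named above that sit outside the deployed aveksa.ear directory. The function name and both arguments are assumptions; pass your own WebSphere installation root and aveksa.ear path. A file found on disk is only a candidate, so confirm in the Class Loader viewer that it is actually loaded before removing it.

```shell
#!/usr/bin/env bash
# Added example: find copies of the Crypto-J related jars named in this
# article that live outside the deployed aveksa.ear directory.
# Usage: find_conflicting_jars <search_root> <aveksa_ear_dir>
# Note: util.jar is a generic file name, so unrelated jars may match it.

JAR_NAMES="cryptojce.jar cryptoj.jar cryptojcommon.jar jcmFIPS.jar util.jar"

find_conflicting_jars() {
    local root="$1" ear="$2" name
    [ -d "$root" ] || { echo "search root not found: $root" >&2; return 2; }
    # Resolve both paths physically so the prefix comparison below is reliable.
    ear="$(cd "$ear" 2>/dev/null && pwd -P)" \
        || { echo "aveksa.ear directory not found" >&2; return 2; }
    root="$(cd "$root" && pwd -P)"

    for name in $JAR_NAMES; do
        # Include symlinks: a linked jar can still end up on the classpath.
        find "$root" \( -type f -o -type l \) -name "$name" 2>/dev/null || true
    done | while IFS= read -r path; do
        case "$path" in
            "$ear"/*) ;;                  # shipped inside aveksa.ear: expected
            *) printf '%s\n' "$path" ;;   # outside the ear: candidate conflict
        esac
    done | sort
}

# Run directly with two arguments to print the candidate conflicts.
if [ "$#" -eq 2 ]; then
    find_conflicting_jars "$1" "$2"
fi
```

An empty result means no copies of the listed jars exist under the search root outside aveksa.ear.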