This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

“An issue with handling encryption was encountered" with IBM JDK 1.8.0_281 and later in RSA Identity Governance & Lifecycle

Article Number

000044471

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.2.0, 7.2.1, 7.5.0, 7.5.2
Platform: IBM WebSphere

Issue

After updating IBM WebSphere to the latest patch containing IBM JDK 1.8.0_281 (or later), RSA Identity Governance & Lifecycle fails to start and logs the following message in system.out and aveksaServer.log file: 
[9/23/21 21:45:52:197 CEST] 0000007d SystemOut     O ERROR (server.startup : 1) [CheckDatabase] Error reading Aveksa_System.cfg
java.lang.IllegalStateException: An issue with handling encryption was encountered
	at com.aveksa.common.crypto.EncryptionMgr.encrypt(EncryptionMgr.java:459)

This issue occurs on the first attempt to load the third-party crypto libraries in the CheckDatabase step.

Cause

This issue is caused by changes to the IBM JRE in JDK 1.8.0_281 (and later) which removed expired certificates from the "trusted provider verification list" used to sign third-party JCE libraries in the RSA Identity Governance & Lifecycle product.  This issue will affect any RSA Identity Governance & Lifecycle deployment on IBM WebSphere where the latest IBM updates have been applied.

This is a known issue in the following versions of WebSphere:

  • IBM WebSphere 9.0.5.7 and later running IBM JDK 1.8
  • IBM WebSphere 8.5.5.19 and later running IBM JDK 1.8
  • IBM WebSphere 8.5.5.14 and later running IBM JDK 1.7

Resolution

This issue is resolved in the following patches/versions of RSA Identity Governance & Lifecycle:

  • RSA Identity Governance & Lifecycle 7.2.0 (upgrade to 7.2.1 or later version and apply the patch where this issue is fixed)
  • RSA Identity Governance & Lifecycle 7.2.1 P12
  • RSA Identity Governance & Lifecycle 7.5.0 P07
  • SecurID Governance & Lifecycle 7.5.2 P03 (see Note1 below)

Workaround

The following workaround may be used if the official fix for RSA Identity Governance & Lifecycle cannot be applied immediately:
  • Defer applying the latest IBM fix pack until you can complete the patching of RSA Identity Governance & Lifecycle.

Note that you may apply an IBM WebSphere Interim Fix for a security vulnerability on an earlier WebSphere Fix Pack level that does not break RSA Identity Governance & Lifecycle deployment.  For example, applying an Interim Fix as recommended by IBM on the following page should be fine as long as the WebSphere Fix Pack level is earlier than the ones listed above that cause problems with RSA Identity Governance & Lifecycle:
https://www.ibm.com/support/pages/node/6445171

 

Notes

Note a similar failure if you attempt to upgrade RSA Identity Governance & Lifecycle without applying the latest IBM fix pack:
000067915 - "JCE cannot authenticate the provider JsafeJCE" when starting SecurID Governance & Lifecycle

This issue is specific to IBM WebSphere and the IBM JRE and is not known to affect deployments on Wildfly or Weblogic.

Note1 - SecurID Governance & Lifecycle 7.5.2 original full installer (build 181918) was replaced with an updated full installer build 182642 (same build as the 7.5.2 P03 patch) in June 2022.  Customers who installed 7.5.2 build 181918 before June 2022 need to patch to 7.5.2 P03.

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2022-11-08 05:18 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.