PKI Login failures such as "bouncycastle" error for ITSM 17.1
Article ID: 114138
Updated On:
Products
Issue/Introduction
Sometimes, the pkilogin.htm may work on the first attempt, but then fail on subsequent attempts.
A test of the normal Web Services (http:/localhost:8080/axis/services/USD_R11_WebService) shows that its is correctly responding.
<Please see attached file for image>
The PKI Login test must be successful, in order to use a Web Services integration that uses the Web Services access policy, such as the third party Luma Connector to CA Service Desk Manager.
Environment
Resolution
Main Steps
NOTE: Take care with all path names.
The majority of faults are due to be files not in the right place, or a path name is mistyped.
1. The following .jar files are required.
Download this zip file from below URL:
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
2. Unzip the contents into "~\CA\SC\JRE\1.8.0_112\lib\security"
The two key files are local_policy.jar and US_export_policy.jar.
Note: Backup the original files before replacing them.
3. Restart tomcat and verify the issue.
pdm_tomcat_nxd -c STOP
pdm_tomcat_nxd -c START
pdm_tomcat_nxd -c STATUS
Note that only a Tomcat restart is required.
It should not be necessary to restart either the CA SDM Windows Service or the server itself, in order to update the pkilogin use of the right security files.
Example:
C:\PROGRA~2\CA\SC\JRE>pdm_tomcat_nxd -c stop
C:\PROGRA~2\CA\SC\JRE>pdm_tomcat_nxd -c status
SERVICEDESK Tomcat was stopped on Wed Dec 12 15:47:14 AEDT 2018
C:\PROGRA~2\CA\SC\JRE>pdm_tomcat_nxd -c start
C:\PROGRA~2\CA\SC\JRE>pdm_tomcat_nxd -c status
SERVICEDESK Tomcat was stopped on Wed Dec 12 15:47:14 AEDT 2018
C:\PROGRA~2\CA\SC\JRE>pdm_tomcat_nxd -c status
SERVICEDESK Tomcat was started on Wed Dec 12 15:47:48 AEDT 2018
4. A successful use of pkilogin.htm to get to pkilogin.jsp will produce this result:
|
| |
| Service Desk - Attempting to Login using PKI | |
|
| |
| Created USD_WebServiceSoap object usd encryption o02fN0I9CNWlvMcTLaTxJCLMFzA7RnMlFGa3eS+khPhvko3kVI+HM6RR9C8wNzJ52EguYmqn+ /fWTJu1yGRGgvcsHHaI0epsypza7LtIOif0I9EhbdnINlTQXbFxsBgpwXvwBsxhbB8eDp6o2NFczFxXwI05hnKp4twiHel9ZjR9BU6ElLka31yLYVi2ic+ 7qyppA5Q22SVxNWe5B52332tgD5uTnagFJfd+WeBHMOYdHQHg9wx08dQ6c21i/hIW6s5o21jLfdLmb+98OVz6uDF91GFuVFIsIxOL5wIv6co3 UTPYphsV4i5bmyfhlsNUx3jjqkIioq8f02j+Hfje/g== Login was successful, got Session ID of '1503048669' Got user handle for ServiceDesk of 'cnt:16608F1FE9C4E2439CE5903B6CAD42C1' Got BOPSID for ServiceDesk of '912829542' Click here VERY SOON to login seamlessly using the BOPSID as user ServiceDesk Logout was successful | |
5. TIP: You may edit the variables in pklogin.htm so that the following login screen contains the correct defaults and does not need to be edited each time:
Note: Change the values to those used by your system. For example, the default accessPolicy is "DEFAULT", but you may wish to create your own named policy such as "LUMA_POLICY".
<td><input type=text id=server name=server value="localhost"></td>
<td><input type=text id=port name=port value="8080"></td>
<td><input type=text id=dir name=dir value="C:\Program Files (x86)\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\axis"></td>
<td><input type=text id=accessPolicy name=accessPolicy value="DEFAULT"></td>
<td><input type=text id=userId name=userId value="ServiceDesk"></td>
<td><input type=text id=protocol name=protocol value="http"></td>
The above values produce this PKI Login page:
<Please see attached file for image>
Additional Comments and Troubleshooting
1. Test that the pkilogin.htm works by testing it twice.
If the first time only works, but the second time fails with the above "bouncycastle" message then the contents of the downloaded file (local_policy.jar and US_export_policy.jar) are not being found. Check that the two jar files have the correct date and size that match to the download.
This check should also be done if the bouncycastle message is produced on the first attempt.
An example of a "bouncycastle" failure message:
Created USD_WebServiceSoap object usd Error Message: exception decrypting data - java.lang.NullPointerException Additional Details: org.bouncycastle.jcajce.provider.ProvIOException: exception decrypting data - java.lang.NullPointerException
2. The pkilogin.htm (and therefore pkilogin.jsp) files expect to find the .jar files in the path specified in the \lib\security\ folder at the location of the CA SDM NX.env file variable: NX_JRE_INSTALL_DIR
Example:
The NX.env variable is set as follows:
@NX_JRE_INSTALL_DIR=C:/Program Files (x86)/CA/SC/JRE/1.8.0_112
Therefore the .jar files from the download should be placed here:
C:/Program Files (x86)/CA/SC/JRE/1.8.0_112/lib/security/
NOTES:
- Paste the link that you expect to work into Windows Explorer, to confirm that it pulls up the directory as expected.
- Note the presence of the "SC" directory. This is created by default with a CA product install. If the SC directory is missing, then the Java was perhaps installed by a third party program.
See:
- DocOps - ITSM 17.1 8 dot 3 Name Creation
- An older knowledge document. https://comm.support.ca.com/kb/we-are-not-able-to-install-any-options-in-ca-service-desk-manager-ca-sdm-the-status-of-the-option-remains-as-in-progress-the-ca-sdm-installation-may-present-errors-as-well/kb000004020
4. The following error indicates that **NO** JRE security files could be located, even if the rest of the JRE is present:
_________________
HTTP Status 500 - javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
type Exception report
message javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
description The server encountered an internal error that prevented it from fulfilling this request.
exception
org.apache.jasper.JasperException: javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:565)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:466)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
root cause
javax.servlet.ServletException: java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:909)
org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:838)
org.apache.jsp.pkilogin_jsp._jspService(pkilogin_jsp.java:281)
org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:385)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:329)
javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
root cause
java.lang.NoClassDefFoundError: Could not initialize class javax.crypto.JceSecurity
javax.crypto.SecretKeyFactory.nextSpi(SecretKeyFactory.java:295)
javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:121)
javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
sun.security.pkcs12.PKCS12KeyStore.getPBEKey(Unknown Source)
_________________
The solution is the same as in the "Main Steps" above:
- Install the correct local_policy.jar and US_export_policy.jar files to the right location. (Check date and timestamps.)
- Recheck the pkilogin configuration from the start, making sure the pdm_pki and build_wsdl.bat file steps are successful.
5. The following message indicates that the access policy was either not found (mostly likely) or not generated correctly.
__________________
|
| |
| Service Desk - Attempting to Login using PKI | |
|
| |
| Created USD_WebServiceSoap object usd Error Message: C:\Program Files (x86)\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\axis\DEFAULT.p12 (The system cannot find the file specified) Additional Details: java.io.FileNotFoundException: C:\Program Files (x86)\CA\Service Desk Manager\bopcfg\www\CATALINA_BASE\webapps\axis\DEFAULT.p12 (The system cannot find the file specified) | |
Most commonly this occurs if you have either:
- Not generated the access policy file. Solution - regenerate the file.
- Used a different access policy file name to the one entered into the pkilogin.htm screen. Solution - enter defaults into the pkilogin.htm file.
Additional Information
https://docops.ca.com/ca-service-management/17-1/en/reference/ca-service-desk-manager-reference-commands/technical-reference/loginservicemanaged-method
https://docops.ca.com/ca-service-management/17-1/en/building/building-ca-service-desk-manager/web-services-management/public-key-infrastructure-pki-authentication
Included Product Documentation
The CA walkthrough on the same process can be found in the reference file PKI_loginServiceManaged_JAVA_steps.doc in the $NX_ROOT\samples\sdk\websvc\java\test1_pki\ folder.
Third Party Documentation
This document from a third party site (ServiceAide) contains a good walkthrough from start to end and is a useful reference in the standard case.
Configure Luma for CA Service Desk Manager
Attachments
Feedback
