Unable to access Spectrum OneClick on Webapp after SSL configuration

Article ID: 129913

Products

Spectrum Network Observability

Issue/Introduction

After configuring HTTPS (SSL) for OneClick, we are unable to access the OC admin web site or the WebApp.

Failed to initialize Tomcat on port 8443 - the trustAnchors parameter must be non-empty:

Unable to access the DX NetOps Spectrum OneClick OC admin site using SSL port 8443.

Tomcat does not initialize HTTPS on port 8443.

The following error is logged in the Tomcat log file (stdout.log or catalina.out) found in the $SPECROOT/tomcat/logs directory:

INFO: Initializing ProtocolHandler ["https-jsse-nio-8443"]
Nov 20, 2025 12:47:45 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
 ...
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
...
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty ...

 

The WebApp Tomcat does not initialize HTTPS on port 9443:

The following error is logged in the WebTomcat log file (stdout.log or catalina.out) found in the $SPECROOT/webtomcat/logs directory:

20-Nov-2025 12:47:06.428 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent The Apache Tomcat Native library which allows using OpenSSL was not found on the java.library.path: [/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib]
20-Nov-2025 12:47:06.713 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-9443"]
20-Nov-2025 12:47:07.015 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-jsse-nio-9443"]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
 ...

Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)

Environment

All supported DX NetOps Spectrum releases

Cause

One of two possible reasons:

  1. The $SPECROOT/custom/keystore/cacerts file was mistakenly deleted.
  2. The truststore is not declared in the $SPECROOT/tomcat/conf/server.xml and $SPECROOT/webtomcat/conf/server.xml files. It must be declared in both.

Resolution

Solutions:

If the keystore is missing, you will need to rebuild it:

  1. Recover the $SPECROOT/custom/keystore/cacerts file from the $SPECROOT/Java/jre/lib/security/ directory.
    • Copy the cacerts file from $SPECROOT/Java/jre/lib/security to $SPECROOT/custom/keystore.
    • The cacerts file cannot be deleted.
    • If entries need to be removed from the cacerts file, use the following command.
      • Sample shown; edit the values to match your environment.
      • ./keytool.exe -delete -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts

If there is no problem with the keystore, add or verify the truststore entries:

  1. If truststore entries are missing from the https 8443 connector tag in $SPECROOT/tomcat/conf/server.xml, add them.
    1. Edit the file and add these lines after the keystorePass entry in the connector.
      • truststoreFile="/SPECTRUM/Java/jre/lib/security/cacerts"
      • truststoreType="JKS"
      • truststorePass="changeit"
    2. Set truststoreFile to the correct absolute path for your environment.
    3. Save the file changes.
    4. Stop and restart the tomcat server from $SPECROOT/tomcat/bin: ./startTomcat.sh
    5. Confirm that the trustAnchors parameter error is no longer seen.

  2. If truststore entries are missing from the https 9443 connector tag in $SPECROOT/webtomcat/conf/server.xml, add them. You can copy them from tomcat/conf/server.xml.
    1. Edit the file and add these lines after the keystorePass entry in the connector.
      • truststoreFile="/SPECTRUM/Java/jre/lib/security/cacerts"
      • truststoreType="JKS"
      • truststorePass="changeit"
    2. Set truststoreFile to the correct absolute path for your environment.
    3. Save the file changes.
    4. Stop and restart the webtomcat web server from $SPECROOT/webtomcat/bin: ./startWebTomcat.sh
    5. Confirm that the trustAnchors parameter error is no longer seen.

 

Here is an example of the configuration for tomcat:

<Connector port="8443" URIEncoding="UTF-8" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" enableLookups="true"
    disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100"
    connectionTimeout="20000" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
    ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
    keystoreFile="/usr/Spectrum/custom/keystore/cacerts" keystorePass="changeit"
    truststoreFile="/opt/CA/Spectrum/Java/jre/lib/security/cacerts"
    truststoreType="JKS" truststorePass="changeit" ></Connector>

Here is an example of the configuration for webtomcat:

<Connector port="9443" URIEncoding="UTF-8" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" enableLookups="true"
    disableUploadTimeout="true" tcpNoDelay="true" acceptCount="100"
    connectionTimeout="20000" scheme="https" secure="true" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.3"
    ciphers="TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
    keystoreFile="/usr/Spectrum/custom/keystore/cacerts" keystorePass="changeit"
    truststoreFile="/opt/CA/Spectrum/Java/jre/lib/security/cacerts"
    truststoreType="JKS" truststorePass="changeit" ></Connector>
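
The check below is an added example, not part of the original article or of Spectrum: for every connector with SSLEnabled="true" in a server.xml it reports the two causes listed above (truststoreFile not declared, truststore file missing) and also a truststore that holds no trusted-certificate entries, which makes Java raise the same trustAnchors error. It assumes a JKS truststore, as in truststoreType="JKS"; the function names are hypothetical.

```python
import struct, sys
import xml.etree.ElementTree as ET
from pathlib import Path

def count_trusted_certs(data):
    """Count trustedCertEntry records (tag 2) in a JKS file; tag 1 is a private key."""
    if len(data) < 12 or data[:4] != b"\xfe\xed\xfe\xed":   # JKS magic number
        raise ValueError("not a JKS keystore")
    version, entries = struct.unpack_from(">II", data, 4)
    def skip_utf(p):                     # 2-byte length, then the string bytes
        return p + 2 + struct.unpack_from(">H", data, p)[0]
    def skip_cert(p):                    # version 2 stores a cert-type string first
        p = skip_utf(p) if version == 2 else p
        return p + 4 + struct.unpack_from(">I", data, p)[0]
    pos, trusted = 12, 0
    for _ in range(entries):
        tag = struct.unpack_from(">I", data, pos)[0]
        pos = skip_utf(pos + 4) + 8      # alias, then 8-byte creation timestamp
        if tag == 2:
            trusted += 1
            pos = skip_cert(pos)
        elif tag == 1:
            pos += 4 + struct.unpack_from(">I", data, pos)[0]   # protected key blob
            chain_len = struct.unpack_from(">I", data, pos)[0]
            pos += 4
            for _ in range(chain_len):
                pos = skip_cert(pos)
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return trusted

def audit_server_xml(path):
    """Return (port, problem) pairs for SSL connectors whose truststore is unusable."""
    findings = []
    for conn in ET.parse(path).getroot().iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port, store = conn.get("port"), conn.get("truststoreFile")
        if not store:
            findings.append((port, "truststoreFile not declared"))
        elif not Path(store).is_file():
            findings.append((port, "truststore file missing"))
        elif count_trusted_certs(Path(store).read_bytes()) == 0:
            findings.append((port, "truststore has no trusted certificates"))
    return findings

if __name__ == "__main__":
    for xml_path in sys.argv[1:]:        # e.g. $SPECROOT/tomcat/conf/server.xml
        print(xml_path, audit_server_xml(xml_path) or "OK")
```

Run it against both server.xml files before restarting; an empty result for a file prints OK.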

Additional Information

See the Enable HTTPS for OneClick documentation topic for complete OneClick SSL configuration steps.

See Failed to Initialize Tomcat on Port 443 for further details.