Failed to initialize Tomcat on port 443 - the trustAnchors parameter must be non-empty

book

Article ID: 129913

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction

The HTTPS on port 443 is not initialized by the Tomcat

The following error is logged in the Tomcat's log file (stdout.log or catalina.out file):

INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]

Mar 22, 2019 3:47:45 PM org.apache.catalina.util.LifecycleBase handleSubClassException

SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]

org.apache.catalina.LifecycleException: Protocol handler initialization failed

    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)

    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)

    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)

    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)

    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)

    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

    at java.lang.reflect.Method.invoke(Method.java:498)

    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)

    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)

Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty

    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)

    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)

    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)

    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)

    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)

    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)

    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)

    ... 13 more

Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)

    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)

    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)

    at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:389)

    at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:313)

    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)

    ... 19 more

Cause

One of two possible reasons: 

  1. The $SPECROOT/custom/keystore/cacerts file was deleted.

  2. In Spectrum 10.4.1 and up, the Truststore must be declared in the server.xml

Environment

CA Spectrum 10.3.x

Resolution

#1. Recover the $SPECROOT/custom/keystore/cacerts file from the $SPECROOT/Java/jre/lib/security/ directory. (Copy cacerts file from $SPECROOT/Java/jre/lib/security to $SPECROOT/custom/keystore)

The cacerts file cannot be deleted. If you want to remove the entries from the cacerts file, run the following syntax (example):

./keytool.exe -delete -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts


#2. add the following to the $SPECROOT/tomcat/conf/server.xml within the https 8443 connector tag: 

truststoreFile="/SPECTRUM/Java/jre/lib/security/cacerts"

truststoreType="JKS"

truststorePass="changeit"


example: 

Attachments