Unable to access OneClick after SSL configuration
book
Article ID: 129913
calendar_today
Updated On: 07-03-2025
Products
Spectrum
Network Observability
Issue/Introduction
After configuring SSL for OneClick we're unable to access the OC admin web site or the WebApp.
Failed to initialize Tomcat on port 443 - the trustAnchors parameter must be non-empty
Unable to access the DX NetOps Spectrum OneClick OC admin site using port 8443.
The HTTPS on port 443 is not initialized by the Tomcat
The following error is logged in the Tomcat's log file (stdout.log or catalina.out file) found in $SPECROOT/tomcat/logs.
INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Mar 22, 2019 3:47:45 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
...
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
...
Environment
All supported DX NetOps Spectrum releases
Cause
One of two possible reasons:
- The $SPECROOT/custom/keystore/cacerts file was mistakenly deleted.
- Starting with Spectrum release 10.4.1 the Truststore must be declared in the $SPECROOT/tomcat/conf/server.xml
Resolution
Solutions:
- Recover the $SPECROOT/custom/keystore/cacerts file from the $SPECROOT/Java/jre/lib/security/ directory.
- Copy the cacerts file from $SPECROOT/Java/jre/lib/security to $SPECROOT/custom/keystore.
- The cacerts file cannot be deleted.
- If entries from the cacerts file need to be removed use the following command.
- Sample shown, edit values to match your environment.
- ./keytool.exe -delete -alias tomcatssl -keyalg RSA -keystore c:/win32app/Spectrum/custom/keystore/cacerts
- If there are missing trustStore entries in the $SPECROOT/tomcat/conf/server.xml within the https 8443 connector tag add them.
- Edit the file and add these lines after the keystorePass entry in the connector.
- truststoreFile="/SPECTRUM/Java/jre/lib/security/cacerts"
- truststoreType="JKS"
- truststorePass="changeit"
- Set the truststoreFile with the correct absolute path for your environment.
- Save the file changes.
- Stop and restart the tomcat web server.
- Confirm the error for trustAnchors parameter values is no longer seen.
- See Failed to Initialize Tomcat on Port 443 for further details
Feedback
thumb_up
Yes
thumb_down
No