Unable to access OneClick after SSL configuration

Article ID: 129913

Products

CA Spectrum DX NetOps

Issue/Introduction

After configuring SSL for OneClick we're unable to access the OC admin web site or the WebApp.

Failed to initialize Tomcat on port 443 - the trustAnchors parameter must be non-empty

Unable to access the DX NetOps Spectrum OneClick OC admin site using port 8443.

Tomcat does not initialize the HTTPS connector on port 443.

The following error is logged in Tomcat's log file (stdout.log or catalina.out) in $SPECROOT/tomcat/logs:

INFO: Initializing ProtocolHandler ["https-jsse-nio-443"]
Mar 22, 2019 3:47:45 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
 ...
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
...
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
 ...

Environment

All supported DX NetOps Spectrum releases

Cause

One of two possible reasons: 

  1. The $SPECROOT/custom/keystore/cacerts file was mistakenly deleted.
  2. Starting with Spectrum release 10.4.1, the truststore must be declared in $SPECROOT/tomcat/conf/server.xml.

Resolution

Solutions:

  1. Recover the $SPECROOT/custom/keystore/cacerts file from the $SPECROOT/Java/jre/lib/security/ directory.
    • Copy the cacerts file from $SPECROOT/Java/jre/lib/security to $SPECROOT/custom/keystore.
    • The cacerts file cannot be deleted.
    • If entries need to be removed from the cacerts file, use the following command.
      • Sample shown; edit the values to match your environment.
      • ./keytool.exe -delete -alias tomcatssl -keystore c:/win32app/Spectrum/custom/keystore/cacerts
  2. If the trustStore entries are missing from the https 8443 connector tag in $SPECROOT/tomcat/conf/server.xml, add them.
    1. Edit the file and add these lines after the keystorePass entry in the connector.
      • truststoreFile="/SPECTRUM/Java/jre/lib/security/cacerts"
      • truststoreType="JKS"
      • truststorePass="changeit"
    2. Set the truststoreFile with the correct absolute path for your environment.
    3. Save the file changes.
    4. Stop and restart the Tomcat web server.
    5. Confirm that the trustAnchors error is no longer logged.
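
A check for both causes that can be run before restarting Tomcat, given here as an added example that is not part of the original article or the product: it reads server.xml, finds each HTTPS connector, and reports whether truststoreFile is declared and points at an existing, non-empty file. The function name, the sample XML and its relative paths are constructed for illustration; the nested SSLHostConfig lookup is an assumption for Tomcat layouts that place TLS settings there.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not a real Spectrum server.xml.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="custom/keystore/cacerts" keystorePass="changeit"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="custom/keystore/cacerts" keystorePass="changeit"
             truststoreFile="custom/keystore/cacerts" truststoreType="JKS"
             truststorePass="changeit"/>
</Service></Server>"""

def audit_truststores(server_xml, base_dir):
    """Return {port: finding} for every HTTPS connector in server_xml."""
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        is_tls = (conn.get("SSLEnabled", "").lower() == "true"
                  or conn.get("scheme") == "https")
        if not is_tls:
            continue  # plain HTTP connectors need no truststore
        port = conn.get("port", "?")
        # The article's layout puts the attribute on the Connector itself;
        # also accept a nested SSLHostConfig element (assumption, see lead-in).
        path = conn.get("truststoreFile")
        if path is None:
            host = conn.find("SSLHostConfig")
            path = host.get("truststoreFile") if host is not None else None
        if path is None:
            findings[port] = "truststoreFile not declared"
            continue
        full = path if os.path.isabs(path) else os.path.join(base_dir, path)
        if not os.path.isfile(full):
            findings[port] = "truststore file missing"
        elif os.path.getsize(full) == 0:
            findings[port] = "truststore file is empty"
        else:
            findings[port] = "ok"
    return findings

if __name__ == "__main__":
    import sys
    # Usage: script.py <path to server.xml> <directory for relative paths>
    with open(sys.argv[1], "rb") as fh:
        for port, finding in audit_truststores(fh.read(), sys.argv[2]).items():
            print(f"connector {port}: {finding}")
```

An "ok" result only means the file exists and has content; keytool -list -keystore <path> shows whether the store actually holds certificate entries.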

Additional Information

See the Enable HTTPS for OneClick documentation topic for complete OneClick SSL configuration steps.