Release : 3.3.x, 3.4.x, 4.0.x. 4.1.0
Component : PRIVILEGED ACCESS MANAGEMENT
It is a result of failing to get the password for the keypair used for https or the keystore password.
Before proceeding, ensure that you are using 64bit JDK (also not a JRE) for initial deployment tests.
There can be 2 places to check.
1. catalina.properties and encrypted password.
Ensure the encrypted password is correctly set.
Encrypted password is the output from configTCF command
For example:
C:\customconnector8\configTCF>configTCF.cmd -Dcommand=encryptPassword -Dpassword=password
May 31, 2020 4:58:07 PM com.ca.pam.extensions.tcfcryptoutil.util.ObfuscateTCF obfuscate
INFO: Encrypted string is: 0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=
Encrypted password is: 0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=
catalina.properties file need following appended to it.
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
tomcat.keystore.pwd=0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=
2. server.xml with absolute filepath to java keystore
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" xpoweredBy="false" sslProtocol="TLS" clientAuth="false" keystorePass="${tomcat.keystore.pwd}" keystoreFile="C:\keystore\customconnector.jks" SSLEnabled="true" secure="true" scheme="https" maxThreads="200"/>
Side note:
In case if you had tomcat configured with 32bit JDK and later you replaced the JDK to 64bit, it is recommended to re-install tomcat. (same for JRE)
Depending on the existing and selected JDK bit-level, tomcat service configures itself to match it and does not seem to work when the JDK bit-level changes.
This applies to tomcat installer for windows.