SpectrumDataPublisher fails to start with the following error: the trustAnchors parameter must be non-empty

Products

CA Spectrum CA eHealth DX NetOps

Issue/Introduction

The SpectrumDataPublisher is not sending any alarms to DX OI and the following exceptions can be seen in the SpectrumDataPublisher.log file:

2020-11-02 04:51:15,010 ERROR [13132]: [manager.DOISync] [performConnectionTest] - Catching
com.ca.spectrum.spub.common.ConnectorException: Got the Error java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty while parse the response from AXA
at com.ca.spectrum.spub.client.SpubConnection.postData(SpubConnection.java:252) ~[spectrum-data-publisher100.jar:?]
at com.ca.spectrum.spub.manager.DOISync.performConnectionTest(DOISync.java:99) [spectrum-data-publisher100.jar:?]
at com.ca.spectrum.spub.manager.DOISync.execute(DOISync.java:84) [spectrum-data-publisher100.jar:?]
at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [quartz-2.2.1.jar:?]
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [quartz-2.2.1.jar:?]

Alternate Errors Also seen

SpectrumDataPublisher.log
-----------------------------------------
2021-12-08 21:28:50,723 INFO main: [client.ConnectionValidator] [validateSpectrum] - Requested URL : https://OneClickServer.acme.net:8443/spectrum/restful/heartbeat
2021-12-08 21:28:50,822 ERROR main: [handler.HttpResponseHandler] [handleIOException] - Connection IOException: https://spectrum-api.chtrse.com/spectrum/restful/heartbeat
2021-12-08 21:28:50,877 FATAL main: [client.AbstractHttpClient] [execute] - Error Message: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
2021-12-08 21:28:50,877 ERROR main: [client.ConnectionValidator] [validateSpectrum] - Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
2021-12-08 21:28:50,877 ERROR main: [client.ConnectionValidator] [validateSpectrum] - SSL error, import valid certificates.
2021-12-08 21:28:50,877 ERROR main: [client.ConnectionValidator] [validateAll] - Spectrum connection failed

Environment

Release : 10.4.1

SpectrumDataPublisher

DX Operations Insight

Cause

If you see “java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty while parse the response from AXA” in the SpectrumDataPublisher log, Make sure to import the Jarvis ssl certificate into the keystore of SpectrumDataPublisher.

In addition if OneClick is using SSL the OneClick server certificate will also need to be imported into the keystore of the SpectrumDataPublisher

Resolution

Follow these steps to import the certificate:

Ensure that the 'HTTPS' certificate is exported and copied to the server where the SpectrumDataPublisher is installed. For export instructions, refer to the notes provided at the end of this section.
Perform one of the following steps to download the CA Jarvis Server SSL/HTTPS certificate:
Run the following command:

openssl s_client -connect Jarvis_Hostname:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > jarvisServer.cer openssl s_client -connect TAS_Endpoint:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > tas.cer

-OR-
Access the Jarvis URL using HTTPS in a browser and save the certificate from site information.
Run the following command to import the certificate into the Keystore of SpectrumDataPublisher.

keytool -importcert -alias <certificate_alias> -file /<PATH>/<FILENAME.cer> -keystore /<PATH>

For example:

keytool -importcert -alias tomcatssl -file /SpectrumDataPublisher/OCServer.cer -keystore /SpectrumDataPublisher/Security/cacerts keytool -importcert -alias jarvisssl -file /SpectrumDataPublisher/jarvisServer.cer -keystore /SpectrumDataPublisher/Security/cacerts keytool -importcert -alias tas -file /SpectrumDataPublisher/tas.cer -keystore /SpectrumDataPublisher/Security/cacerts

Ignore the warning about migrating to PKCS12 format.
When prompts, provide the Keystore 'changeit' as a password.
After the certificate is imported, stop the SpectrumDataPublisher service.
Make sure the hostname, port, and protocol details are proper in the /SpectrumDataPublisher/config/ConnectorConfig.xml
Start the SpectrumDataPublisher service.