Correcting error "The trustAnchors parameter must be non-empty"
search cancel

Correcting error "The trustAnchors parameter must be non-empty"


Article ID: 208558


Updated On:


CA Privileged Access Manager (PAM)


For using the RemoteCLI tool on the "Credential Manager" side the below procedure must be followed


However, sometimes this results in the following error: 

C:\Users\...\remoteCLI-3.4.2>capam_command capam=capamtest adminUserID=super cmdName=getErrorCodes

Enter password:

CommandLineInterface.execute error in GET:Unexpected error: the trustAnchors parameter must be non-empty Unexpected error: the trustAnchors parameter must be non-empty


CA PAM 3.4.2


This may happen if there are multiple Java versions in the Server and the wrong one is used when launching the command. This may happen, for instance if the keytool command, as specified in the installation guide, has been issued for a java version different from the one that is eventually used when launching the CLI commands. 


1. Be careful about running the keytool command from the %JAVA_HOME% location in case of multiple java versions running on the server.

    In my case, Java Home is 'C:\Program Files\AdoptOpenJDK\jdk-\'

2. Run the below command from the %CAPAM_CLI% location (CAPAM_CLI is the environment variable pointing to the CLI installation folder).

$JAVA_HOME/bin/keytool -import -trustcacerts -file capam.crt -alias capamerver -keystore capam.keystore

3. Verify the keystore from the same location:

keytool -list -v –keystore capam.keystore

4. The below command may be used to see the command errorcodes,

capam_command adminUserID=super cmdName=getErrorCodes


Additional Information

If the PAM Client is on the same host, it is best practice to use the keytool.exe from our installation directory.


"C:\Users\<userid>\CA PAM Client\runtime-1.8.0_282\bin\keytool.exe" -import -trustcacerts -file pamcertnew.crt -alias capamserver -keystore capam.keystore