Correcting error "The trustAnchors parameter must be non-empty"

Article ID: 208558

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

To use the RemoteCLI tool on the "Credential Manager" side, the procedure below must be followed:

"https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-access-manager/3-4-2/programming/credential-manager-remote-cli-and-java-api/install-and-set-up-the-remote-cli-and-java-api.html#concept.dita_1244cb23e74795add3c3a38d0e43e1308cc1d99d_gatherinfo"

However, sometimes this results in the following error: 


C:\Users\...\remoteCLI-3.4.2>capam_command capam=capamtest adminUserID=super cmdName=getErrorCodes

Enter password:

CommandLineInterface.execute error in GET:Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

javax.net.ssl.SSLException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

Cause

This may happen if there are multiple Java versions on the server and the wrong one is used when launching the command. For instance, the keytool command specified in the installation guide may have been run from a Java version different from the one that is eventually used when launching the CLI commands.

Environment

CA PAM 3.4.2

Resolution

1. If multiple Java versions are installed on the server, make sure to run the keytool command from the %JAVA_HOME% location.

    In my case, Java Home is 'C:\Program Files\AdoptOpenJDK\jdk-8.0.282.8-hotspot\'

2. Run the below command from the %CAPAM_CLI% location (CAPAM_CLI is the environment variable pointing to the CLI installation folder).

"%JAVA_HOME%\bin\keytool" -import -trustcacerts -file capam.crt -alias capamserver -keystore capam.keystore

3. Verify the keystore from the same location:

keytool -list -v -keystore capam.keystore

4. The command below can then be used to list the command error codes:

capam_command capam=forwardinc.com adminUserID=super cmdName=getErrorCodes
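
The following is an added diagnostic, not part of the original article or of the PAM Remote CLI. It prints which Java runtime is actually executing and checks whether the keystore gives that runtime at least one trusted certificate, which is the condition behind "the trustAnchors parameter must be non-empty". The class name TrustAnchorCheck and the default keystore path are assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added diagnostic (hypothetical class name); not part of the PAM Remote CLI.
public class TrustAnchorCheck {
    // Only trustedCertEntry items can serve as PKIX trust anchors.
    static int countTrustedCerts(KeyStore ks) throws Exception {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                System.out.println("  trustedCertEntry: " + alias);
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: capam.keystore in the current directory unless a path is given.
        String path = args.length > 0 ? args[0] : "capam.keystore";
        // Shows which of the installed Java runtimes is actually executing.
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.version = " + System.getProperty("java.version"));

        Console console = System.console();
        if (console == null) {
            System.err.println("Run from an interactive console to enter the password.");
            System.exit(2);
        }
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // fails here if this JRE cannot read the file
        }
        System.out.println("trusted certificates: " + countTrustedCerts(ks));

        try {
            new PKIXParameters(ks); // throws when the keystore holds no trust anchors
            System.out.println("OK: keystore provides at least one trust anchor");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
        }
    }
}
```

Compile and run it from the %CAPAM_CLI% folder with javac and java from the same %JAVA_HOME%\bin used for keytool. A java.home value that differs from the Java installation where keytool was run points to the version mismatch described under Cause.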

 

Additional Information

If the PAM Client is on the same host, it is best practice to use the keytool.exe from our installation directory.

Example:

"C:\Users\<userid>\CA PAM Client\runtime-1.8.0_282\bin\keytool.exe" -import -trustcacerts -file pamcertnew.crt -alias capamserver -keystore capam.keystore