Access gateway java.security.KeyStoreException: JKS not found

Article ID: 214261

Products

CA Single Sign On Federation (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER

Issue/Introduction

CA Access Gateway is not running properly and is intermittently causing an outage.

The following error is logged in server.log when CA Access Gateway starts:

[04/May/2021:11:07:23-084] [ERROR] - ERROR: SSLConfig
java.security.KeyStoreException: JKS not found
 at java.security.KeyStore.getInstance(KeyStore.java:851) ~[?:1.8.0_222]
 at com.netegrity.util.SSLConfig.<init>(Unknown Source) [proxyutils.jar:?]
 at com.netegrity.util.SmSSLConfig.<init>(Unknown Source) [proxyutils.jar:?]
 at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [?:1.8.0_222]
 at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) [?:1.8.0_222]
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) [?:1.8.0_222]
 at java.lang.reflect.Constructor.newInstance(Constructor.java:423) [?:1.8.0_222]
 at java.lang.Class.newInstance(Class.java:442) [?:1.8.0_222]
 at com.netegrity.util.SSLConfig.getInstance(Unknown Source) [proxyutils.jar:?]
 at org.tigris.noodle.Noodle.init(Unknown Source) [proxyrt.jar:?]
 at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1228) [catalina.jar:7.0.94]
 at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1172) [catalina.jar:7.0.94]
 at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:1066) [catalina.jar:7.0.94]
 at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:5449) [catalina.jar:7.0.94]
 at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5747) [catalina.jar:7.0.94]
 at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145) [catalina.jar:7.0.94]
 at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1707) [catalina.jar:7.0.94]
 at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1697) [catalina.jar:7.0.94]
 at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_222]
 at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_222]
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_222]
 at java.lang.Thread.run(Thread.java:748) [?:1.8.0_222]
Caused by: java.security.NoSuchAlgorithmException: JKS KeyStore not available
 at sun.security.jca.GetInstance.getInstance(GetInstance.java:159) ~[?:1.8.0_222]
 at java.security.Security.getImpl(Security.java:695) ~[?:1.8.0_222]
 at java.security.KeyStore.getInstance(KeyStore.java:848) ~[?:1.8.0_222]
 ... 21 more

 

Cause

Verified in server.conf that the Tomcat default keystore has not actually been enabled; the setting is commented out:

#local.https.keyStoreFileName="tomcat.keystore"

Verified that there were no recent HTTPS cipher changes in the CA Access Gateway configuration.

Verified that there were no recent SSL-related changes in the CA Access Gateway Apache configuration.

Environment

Release : 12.8sp3

Component : SITEMINDER SECURE PROXY SERVER

Resolution

A Java JDK/JRE change had been made on the affected system, and ~/java/jre/lib/security/java.security had been deleted and was missing.

CA Access Gateway relies on this JRE to run properly; checking the java process shows the path of the JRE it uses.

The customer restored the missing java.security file and restarted CA Access Gateway, after which the service became stable.
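An added check, not part of the original article or of CA Access Gateway: the shell function below verifies that a Java 8 JRE's lib/security/java.security exists, is non-empty, and still carries active security.provider.N entries. The function name, return codes and messages are assumptions made for this example; pass it the JRE directory the gateway's java process runs from.

```shell
#!/bin/sh
# Added example (hypothetical helper, not vendor code).
# Sanity-checks the security properties file of a Java 8 JRE, using the
# <jre_home>/lib/security/java.security layout shown in the article.
#
# Return codes (constructed for this example):
#   0 = file present and registers at least one security provider
#   1 = file missing
#   2 = file unreadable or empty
#   3 = file present but has no active security.provider.N entries
check_java_security() {
    jre_home=$1
    sec_file="$jre_home/lib/security/java.security"

    if [ ! -e "$sec_file" ]; then
        echo "MISSING: $sec_file" >&2
        return 1
    fi
    if [ ! -r "$sec_file" ] || [ ! -s "$sec_file" ]; then
        echo "UNREADABLE OR EMPTY: $sec_file" >&2
        return 2
    fi

    # Count active (uncommented) provider registrations such as
    # security.provider.1=sun.security.provider.Sun
    # grep -c exits non-zero on a count of 0, so neutralise that status.
    providers=$(grep -Ec '^[[:space:]]*security\.provider\.[0-9]+[[:space:]]*=' "$sec_file" || true)
    if [ "$providers" -eq 0 ]; then
        echo "NO PROVIDERS REGISTERED: $sec_file" >&2
        return 3
    fi

    # Report the default keystore type if the file sets one.
    ks_type=$(sed -n 's/^[[:space:]]*keystore\.type[[:space:]]*=[[:space:]]*//p' "$sec_file" | head -n 1)
    echo "OK: $providers provider(s), keystore.type=${ks_type:-<unset>}"
    return 0
}

# Stand-alone use: sh check_java_security.sh <jre_home>
if [ "$#" -gt 0 ]; then
    check_java_security "$1"
fi
```

Running it after any JDK/JRE change, and before restarting the gateway, surfaces a missing or gutted java.security file without waiting for the KeyStoreException to appear in server.log.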