
APM 10.7 - After applying HF#84 the EM failed to start with the message "the trustAnchors parameter must be non-empty"


Article ID: 231695


Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope) DX Application Performance Management

Issue/Introduction

The upgrade to HF84 completed successfully, but when trying to start the EMs, the following error appears in the log and the EM shuts down:

..

2022-01-05 11:42:45,238 [INFO] [main] [Manager.EMWebServer] Certificate '1' subject: ...
2022-01-05 11:42:45,238 [INFO] [main] [Manager.EMWebServer] Certificate '1' issuer: ...
2022-01-05 11:42:45,238 [INFO] [main] [Manager.EMWebServer] Certificate '1' subject alternative DNS name: ...
2022-01-05 11:42:45,238 [INFO] [main] [Manager.EMWebServer] Certificate '1' subject alternative DNS name: ...
2022-01-05 11:42:45,238 [INFO] [main] [Manager.EMWebServer] Certificate '1' subject alternative DNS name: ...
2022-01-05 11:42:45,238 [DEBUG] [main] [Manager.EMWebServer] Validating certificate '1'
2022-01-05 11:42:45,240 [DEBUG] [main] [Manager.EMWebServer] Failed to start the Jetty web server: the trustAnchors parameter must be non-empty
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
    at com.wily.webserver.WebServerUtilities.validateCertificate(WebServerUtilities.java:827)
    at com.wily.webserver.WebServerUtilities.validateCertificateNow(WebServerUtilities.java:702)
    at com.wily.webserver.WebServerUtilities.logAndValidateUsedCertificate(WebServerUtilities.java:685)
    at com.wily.introscope.server.enterprise.entity.webserver.WebServerEntity.startWebServer(WebServerEntity.java:508)

 

Environment

Release : 10.7.0

Component : Introscope

Cause

The upgraded version validates the certificate in use at startup, so that issues like this one, or an expired certificate, can be detected.

The issue here is either that the certificate they are using does not contain the entire certificate chain or that the trust store they are using does not contain all the CA certificates they need.

Resolution

In this specific customer scenario, the same file was used as both the keystore and the truststore. This approach is no longer valid: the certificate and intermediate have to be placed into the keystore, and the root CA into the truststore.

Solution:

- Split up the keystore and truststore accordingly

- Start the EM 

Additional Information

The error can be due to invalid or expired certificates, the certificate passphrase, etc.