Autosys webserver fails to process after converting keystore type to BCFKS

Article ID: 251519

Products

CA Workload Automation AE

Issue/Introduction

The AutoSys web server service starts successfully after its certificates and keystore type are changed to BCFKS by following the instructions, but it then fails to process user requests. The following exception is captured in the AutoSys web server's log file, $AUTOUSER/out/waae_webservices_wrapper.log:
INFO | jvm 1 | 2022/09/30 20:39:54 | 30-Sep-2022 20:39:54.760 INFO [WrapperStartStopAppMain] com.sun.jersey.server.impl.application.WebApplicationImpl._initiate Initiating Jersey application, version 'Jersey: 1.19.4 05/24/2017 03:46 PM'
INFO | jvm 1 | 2022/09/30 20:39:55 | 30-Sep-2022 20:39:55.204 INFO [WrapperStartStopAppMain] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/opt/CA/WorkloadAutomationAE/autouser.DEV/webserver/webapps/AEWS] has finished in [2,075] ms
INFO | jvm 1 | 2022/09/30 20:39:55 | 30-Sep-2022 20:39:55.207 INFO [WrapperStartStopAppMain] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-jsse-nio-9443"]
INFO | jvm 1 | 2022/09/30 20:39:55 | 30-Sep-2022 20:39:55.213 INFO [WrapperStartStopAppMain] org.apache.catalina.startup.Catalina.start Server startup in [2,096] milliseconds
INFO | jvm 1 | 2022/09/30 20:40:46 | 30-Sep-2022 20:40:46.520 INFO [https-jsse-nio-9443-exec-5] IclUtil.itechLibInit iTechSDK initialized successfully
INFO | jvm 1 | 2022/09/30 20:40:47 | 30-Sep-2022 20:40:47.079 WARNING [https-jsse-nio-9443-exec-5] org.apache.catalina.realm.JAASRealm.authenticate Login exception authenticating username [autosys]
INFO | jvm 1 | 2022/09/30 20:40:47 | javax.security.auth.login.LoginException: org.bouncycastle.crypto.fips.FipsUnapprovedOperationError: Attempt to use RSA key with non-approved size: 1024: RSA
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.bouncycastle.crypto.fips.FipsRSA$SignatureOperatorFactory.createSigner(Unknown Source)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.bouncycastle.jcajce.provider.ProvRSA$AdaptiveSignatureOperatorFactory.createSigner(Unknown Source)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.bouncycastle.jcajce.provider.ProvRSA$AdaptiveSignatureOperatorFactory.createSigner(Unknown Source)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.bouncycastle.jcajce.provider.BaseSignature.engineInitSign(Unknown Source)
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.security.Signature$Delegate.engineInitSign(Signature.java:1329)
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.security.Signature.initSign(Signature.java:621)
.......
....
..
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.lang.Thread.run(Thread.java:750)
INFO | jvm 1 | 2022/09/30 20:40:47 |
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext.invoke(LoginContext.java:856)
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
INFO | jvm 1 | 2022/09/30 20:40:47 | at java.security.AccessController.doPrivileged(Native Method)
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
INFO | jvm 1 | 2022/09/30 20:40:47 | at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
INFO | jvm 1 | 2022/09/30 20:40:47 | at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:418)
.......
....
..

Environment

Release : 11.3.6 SP8, 12.0 and later

Component : Autosys Workload Automation Web services

Cause

This exception occurs because the key size of the existing EEM certificate does not meet the Bouncy Castle crypto standards. Checking the certificate shows the 1024-bit RSA key that is rejected in the log above:
# cd /opt/CA/SharedComponents/iTechnology
# openssl x509 -in igateway.cer -text -noout | grep "Public-Key"
Public-Key: (1024 bit)
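
The same check can be run over several certificates at once before switching the keystore type. The script below is an added example, not vendor code: the function names are hypothetical, and the 2048-bit minimum is an assumption taken from NIST SP 800-131A (the page itself only shows that 1024 bits is rejected).

```shell
#!/bin/sh
# Added example (not vendor code): flag RSA certificates too small for BC-FIPS.
# Assumption: 2048 bits is the minimum RSA size approved for signing.
MIN_RSA_BITS=2048

# Print the key size found in `openssl x509 -text -noout` output on stdin.
# Accepts "Public-Key: (N bit)" and the older "RSA Public Key: (N bit)".
key_bits() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Classify one certificate text dump read from stdin.
# Returns 0 = RSA key of approved size, 1 = RSA key too small,
#         2 = not an RSA certificate or no key size found.
classify_cert_text() {
    text=$(cat)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) return 2 ;;
    esac
    bits=$(printf '%s\n' "$text" | key_bits)
    [ -n "$bits" ] || return 2
    [ "$bits" -ge "$MIN_RSA_BITS" ]
}

# Audit the certificate files given as arguments, one result line per file.
# Returns 1 if any RSA key is below MIN_RSA_BITS, otherwise 0.
audit_certs() {
    rc=0
    for f in "$@"; do
        if openssl x509 -in "$f" -text -noout 2>/dev/null | classify_cert_text
        then st=0; else st=$?; fi
        case "$st" in
            0) echo "OK    $f ($MIN_RSA_BITS bits or more)" ;;
            1) echo "WEAK  $f (RSA key under $MIN_RSA_BITS bits)"; rc=1 ;;
            *) echo "SKIP  $f (not a readable RSA certificate)" ;;
        esac
    done
    return "$rc"
}

# Run the audit only when certificate paths are supplied.
if [ "$#" -gt 0 ]; then
    audit_certs "$@"
fi
```

Saved as a script, it takes certificate paths as arguments, for example igateway.cer in the directory shown above, and exits non-zero if any RSA key is too small.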

Resolution

Follow the instructions in the article below to upgrade the key size of the EEM certificates:

https://knowledge.broadcom.com/external/article?articleId=251518

After the key size has been upgraded successfully, regenerate the EEM certificates in AutoSys and WebUI (WCC):

https://knowledge.broadcom.com/external/article?articleId=9957

Additional Information

Customize SSL for Web Services