the trustAnchors parameter must be non-empty


Article ID: 276448


Products

CA Service Catalog

Issue/Introduction

When attempting to start Catalog, SSL access does not work.  The ServiceCatalog.log file reports:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty

Environment

Release: 17.3 or higher
Component:  CA Service Management

Cause

The Catalog backend configuration points to an invalid cacerts file location. The "trustAnchors parameter must be non-empty" message appears if the trust store file that is contained in the Java implementation being used by Tomcat is inaccessible or corrupt.

Resolution

Examine the viewService.conf file, located in C:\Program Files\CA\Service Catalog\view\conf\, to determine the trust store location and the trust store parameters shown below. The following is a known working setup configured as part of SSL.

wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/Service Catalog/embedded/jdk/lib/security/cacerts"
wrapper.java.additional.11=-Djavax.net.ssl.trustPass=changeit
...
wrapper.java.additional.21=-Dusm.java.home="C:/Program Files/CA/Service Catalog/embedded/jdk"

 

The file, usually "cacerts", is located in C:\Program Files\CA\Service Catalog\embedded\jdk\lib\security, assuming a default setup defined in viewService.conf.
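
As an added example (not part of the original article or of CA Service Catalog), the Python sketch below extracts the trust store path from viewService.conf text and classifies the file it points to, covering the inaccessible and corrupt cases named under Cause. The function names and status strings are assumptions of this example, and the header check is a heuristic that does not confirm which certificates the store contains.

```python
import re
from pathlib import Path

# Constructed sample: the trust store lines as shown in the Resolution section.
SAMPLE_CONF = '''\
wrapper.java.additional.10=-Djavax.net.ssl.trustStore="C:/Program Files/CA/Service Catalog/embedded/jdk/lib/security/cacerts"
wrapper.java.additional.11=-Djavax.net.ssl.trustPass=changeit
'''

# Matches only the trustStore property, quoted or unquoted (not trustStorePassword etc.).
TRUSTSTORE_RE = re.compile(r'-Djavax\.net\.ssl\.trustStore=(?:"([^"]*)"|(\S+))')
JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of a JKS keystore


def find_truststore_path(conf_text):
    """Return the trustStore path from wrapper.java.additional.* lines, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("wrapper.java.additional."):
            continue  # skips comments and unrelated settings
        match = TRUSTSTORE_RE.search(line)
        if match:
            return match.group(1) if match.group(1) is not None else match.group(2)
    return None


def check_truststore(path):
    """Classify the file by existence, readability, size and leading bytes."""
    p = Path(path)
    if not p.is_file():
        return "missing"
    try:
        with p.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return "unreadable"
    if not head:
        return "empty"
    if head == JKS_MAGIC:
        return "jks"
    if head[0] == 0x30:  # DER SEQUENCE tag, as at the start of a PKCS#12 file
        return "pkcs12"
    return "unrecognized"


def diagnose(conf_text):
    """Return (configured path or None, status) for a viewService.conf body."""
    path = find_truststore_path(conf_text)
    return (None, "not-configured") if path is None else (path, check_truststore(path))


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF))
```

Any status other than "jks" or "pkcs12" means the configured path should be corrected or the file restored before restarting Catalog.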

Additional Information

While any "cacerts" file within the Catalog server instance may work, it is important to consistently use the same cacerts file, because integrations with other products may require this file to be updated as needed. See KB Article 271959 as an example.