Agent installation issue with certs generation for v24.4.2
search cancel

Agent installation issue with certs generation for v24.4.2

book

Article ID: 421530

calendar_today

Updated On:

Products

CA Automic Workload Automation - Automation Engine

Issue/Introduction

When trying to start the agent with new version v24.2.2. It is throwing the following error. Agent is not able to generate the certs to make the connection.

20251030/122622.009 - U02000379 Initiating connection to server '<AEServername>/<unresolved>:<port>' using WebSocket URI: 'wss://<AEServername>:<port>/agent'.
20251030/122622.012 - U02000378 Loading certificates from directory: '<trustedCertsFolder Path>'.
20251030/122622.478 - U02000004 Connection to Server 'AUTOMIC#CP002' successfully created.
20251030/122622.478 - U02000075 CP Server 'AUTOMIC#CP002' has '1' client connections.
20251030/122622.480 - U02000297 Agent doesn't have valid certificate, requesting new one from server.
20251030/122623.285 - U02000306 Unable to generate private key, reason 'java.security.NoSuchAlgorithmException: Cannot find any provider supporting PBEWithSHA1AndDESede'.
20251030/122623.286 - U02000299 Error during handling Certificate Signing Request: 'Cannot find any provider supporting PBEWithSHA1AndDESede'.
20251030/122623.286 - U02000041 Shutdown Agent '<AgentName>'

Environment

Automic Automation Agent: v24.4.2

Redhat Linux

Cause

The agent fails to generate certificates because the JVM, when FIPS is enforced, cannot initialize the algorithm PBEWithSHA1AndDESede, which is used during PKCS#12 keystore creation and private key protection. As a result, the certificate creation process stops and the agent terminates.

 

Resolution

Workarounds:

Option 1 — Run the agent with Temurin JDK
Temurin does not appear to enforce OS-level FIPS restrictions, allowing the agent to successfully generate its keypair and certificate.
To use it, place the Temurin JDK/JRE in the agent directory and rename it to jre so the agent will launch using it.

Option 2 — Temporarily disable FIPS at agent startup
Start the agent with:

nohup ./ucxjlx6 -I /path/to/ucxjlx6.ini \
  -vm:/usr/lib/jvm/java-17-openjdk-17.0.17.0.10-1.el8.x86_64 \
  -Dcom.redhat.fips=false &
 

This allows the initial certificate generation to complete.
After cert creation, the agent may start normally without -Dcom.redhat.fips=false, though ongoing impact under FIPS-enforced environments has not been fully validated—this workaround is best used to bootstrap the agent while cert generation is blocked.

Powered by Wolken Software