Set up SSL/TLS on Endevor Web Service using SAF Keyring and Java 17

Article ID: 422595

Products

Endevor

Issue/Introduction

After an upgrade to Java 17, the same CA Common Services implementation is used to secure the Web Services Tomcat server with an SAF keyring.

The server.xml SSL implementation:

<Connector port="${connector.ssl.port}" protocol="org.apache.coyote.http11.Http11NioProtocol"        
           keystoreFile="safkeyring://USERID/KeyringName"
           keystoreType="JCERACFKS"
           sslImplementationName="com.ca.sslsocket.CASSLImplementation" 
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"                          
           scheme="https" secure="true"                                             
           maxThreads="150" SSLEnabled="true">                                      
</Connector>      

The Tomcat log shows the following error:

15-Dec-2025 20:26:55.185 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component
  [Connector["https-jsse-nio-XXXX"]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1030)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:525)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:957)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
     at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
     at org.apache.catalina.startup.Catalina.load(Catalina.java:735)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
     at java.base/java.lang.reflect.Method.invoke(Method.java:575)
     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
 Caused by: java.lang.IllegalArgumentException: unknown protocol: safkeyring

 

Environment

Endevor V19

Cause

The safkeyring:// URL protocol supported in Java 8 has been replaced by a new protocol in the newer Java versions (11 and 17).

 

Resolution

Update server.xml to use the following setting for a software keyring:

<Connector port="${connector.ssl.port}" maxHttpHeaderSize="8192"    
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"    
      enableLookups="false" disableUploadTimeout="true"              
      SSLEnabled="true"                                              
      algorithm="SunX509"                                            
      acceptCount="100" scheme="https" secure="true"                
      clientAuth="false" sslProtocol="TLS"                          
      sslEnabledProtocols="+TLSv1.3,+TLSv1.2,+TLSv1.1,+TLSv1"        
      keystoreType="JCERACFKS"                                      
      keystoreFile="safkeyringjce://KEY_RING_OWNER/KEY_RING_NAME"      
      sslImplementationName="com.ca.sslsocket.CASSLImplementation"  />

 

If a hardware keyring is used, use the following setting:

<Connector port="${connector.ssl.port}" maxHttpHeaderSize="8192"    
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"    
      enableLookups="false" disableUploadTimeout="true"              
      SSLEnabled="true"                                              
      algorithm="SunX509"                                            
      acceptCount="100" scheme="https" secure="true"                
      clientAuth="false" sslProtocol="TLS"                          
      sslEnabledProtocols="+TLSv1.3,+TLSv1.2,+TLSv1.1,+TLSv1"        
      keystoreType="JCECCARACFKS"                                      
      keystoreFile="safkeyringjcecca:////OWNER/KEYRING"      
      sslImplementationName="com.ca.sslsocket.CASSLImplementation"  />
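
A pre-start check for the connector settings above, as an added example that is not part of the original article or the vendor's code. It flags the Java 8 safkeyring:// scheme behind the "unknown protocol" error, a keystoreType that does not match the scheme/type pairs shown in this article, and TLS 1.0/1.1 (deprecated by RFC 8996) left enabled; the function names, finding labels and sample port numbers are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Scheme -> keystoreType pairings as they appear in the article's Java 17 connectors.
KEYRING_TYPES = {"safkeyringjce": "JCERACFKS", "safkeyringjcecca": "JCECCARACFKS"}
OLD_TLS = {"TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def check_connector(conn):
    """Return findings for one SSL-enabled <Connector> element."""
    findings = []
    m = re.match(r"([A-Za-z][A-Za-z0-9]*)://", conn.get("keystoreFile", ""))
    scheme = m.group(1).lower() if m else None  # None: plain file path, no keyring URL
    ktype = conn.get("keystoreType", "")
    if scheme == "safkeyring":
        findings.append("legacy-scheme: safkeyring:// is unknown to Java 11/17")
    elif scheme in KEYRING_TYPES and ktype != KEYRING_TYPES[scheme]:
        findings.append(
            f"type-mismatch: {scheme}:// expects {KEYRING_TYPES[scheme]}, got {ktype!r}")
    # Tomcat accepts a leading '+' on each protocol name; strip it before comparing.
    protos = {p.strip().lstrip("+")
              for p in conn.get("sslEnabledProtocols", "").split(",")}
    old = sorted(protos & OLD_TLS)
    if old:
        findings.append("old-tls: " + ",".join(old) + " enabled")
    return findings

def check_server_xml(text):
    """Map each SSL connector's port attribute to its list of findings."""
    root = ET.fromstring(text)
    return {c.get("port"): check_connector(c)
            for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"}

# Constructed sample: ports 8443-8445 are made up; other attributes mirror the article.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystoreType="JCERACFKS"
      keystoreFile="safkeyring://USERID/KeyringName" sslEnabledProtocols="TLSv1.2"/>
  <Connector port="8444" SSLEnabled="true" keystoreType="JCERACFKS"
      keystoreFile="safkeyringjce://KEY_RING_OWNER/KEY_RING_NAME"
      sslEnabledProtocols="+TLSv1.3,+TLSv1.2,+TLSv1.1,+TLSv1"/>
  <Connector port="8445" SSLEnabled="true" keystoreType="JCERACFKS"
      keystoreFile="safkeyringjcecca:////OWNER/KEYRING"
      sslEnabledProtocols="+TLSv1.3,+TLSv1.2"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, findings in check_server_xml(SAMPLE).items():
        print(port, findings or "ok")
```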

 

Additional Information

Also add Java 17 support to WSTOMENV and WSTOMSTC:

WSTOMENV: 

Apply PTF LU13996 to add Java 17 support. This PTF updates WSTOMENV and adds the following lines before 'export LIBPATH':

LIBPATH="$LIBPATH":"${JAVA_HOME}"/lib/server
LIBPATH="$LIBPATH":"${JAVA_HOME}"/lib

WSTOMSTC:

Update the WSTOMSTC JCL to change the Java version to Java 17:

//   SET VERSION='17'             <== 64-bit JVM (JVMLDM17)