After upgrading Spectrum to 25.4.6 the OneClick web UI fails to allow access.

Trying to go to the login page for the OC admin site or WebApp a 503 browser error appears.

The OS is configured with FIPS enabled.

The OC tomcat configuration was set up to enable FIPS following the steps in the Enable FIPS Mode in Tomcat documentation topic.

The errors from the tomcat catalina.out log file are the following messages.

2026-04-21 13:44:12,079 [main] WARN  org.apache.tomcat.util.net.openssl.OpenSSLEngine - Failed getting cipher list
java.lang.Exception: Invalid Server SSL Protocol (error:0308010C:digital envelope routines::unsupported)
...
2026-04-21 13:44:12,120 [main] ERROR org.apache.catalina.util.LifecycleBase - Failed to initialize component [Connector["https-openssl-nio-8443"]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
...
Caused by: javax.net.ssl.SSLException: Error initializing SSL context
...
Caused by: java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly a
nd that a valid SSLProtocol has been specified
...
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:12000090:random number generator::unable to fetch drbg)
...

This message will be seen repeating throughout the log post upgrade.

2026-04-16 20:09:46,017 [PoolThread-2: GlobalPool => DB InitializationCheckTask] WARN  com.aprisma.errorlog - Could not initialize MySQL connection, retry in 5 seconds: Access denied for user 'OC_user'@'localhost' (using password: NO)

During the upgrade the Spectrum Data Source in Portal was set to Disabled. This problem also prevents the Data Source being set to Enabled. When attempting to do so the Portal web UI returns an error "Invalid Data Source Parameter".

Network Observability DX NetOps Spectrum OneClick web servers running on Linux OS with FIPS enabled

Releases 25.4.6 and newer

Changes to tomcat FIPS implementations in newer tomcat versions that require different configurations for release 25.4.6.

There are two options to resolve this.

1. Disable FIPS configuration in tomcat and restart tomcat.
2. Configure the following in OneClick tomcat.
   1. Stop tomcat. Run:
      • $SPECROOT/tomcat/bin/stopTomcat.sh 
   2. Edit the $SPECROOT/tomcat/conf/server.xml file
      • Set FIPSMode from off to on in AprLifecycleListener line. Change this line:
        

            <Listener FIPSMode="off" SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>

      • To this:
        

            <Listener FIPSMode="on" SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>

   3. Edit the $SPECROOT/tomcat/bin/catalina.sh
      1. Uncomment the following two lines. They are commented out by default. Do not edit the content, only remove the '#' symbols to uncomment them.
         • Default appearance:
           

           #export OPENSSL_CONF=$SPECROOT/tomcat/bin/ossl-modules/openssl_fips.cnf
           #export OPENSSL_MODULES=$SPECROOT/tomcat/bin/ossl-modules

         • After editing to uncomment them.
           

           export OPENSSL_CONF=$SPECROOT/tomcat/bin/ossl-modules/openssl_fips.cnf
           export OPENSSL_MODULES=$SPECROOT/tomcat/bin/ossl-modules

   4. Start tomcat. Run:
      • $SPECROOT/tomcat/bin/stopTomcat.sh 
      • Validate FIPS is enabled. We will see these two messages appear from the AprLifecycleListener by the time start up of tomcat has completed.
        • They'll appear in the $SPECROOT/tomcat/logs/catalina.out as follows.
          
          2026-04-22 17:18:40,489 [main] INFO  org.apache.catalina.core.AprLifecycleListener - Using OpenSSL with the FIPS provider as the default provider
          2026-04-22 17:18:40,489 [main] INFO  org.apache.catalina.core.AprLifecycleListener - OpenSSL successfully initialized [OpenSSL 3.0.19 27 Jan 2026]

If FIPS was configured prior to 25.4.6, ensure there is only one OPENSSL_CONF entry referencing the openssl_fips.cnf file.

Releases 25.4.5 and earlier required it in $SPECROOT. Releases 25.4.6 and newer require only the default line as seen above referencing the default $SPECROOT/tomcat/bin/ossl-modules/openssl_fips.cnf file.