"Protocol handler initialization failed" during OneClick Tomcat startup

Article ID: 441745


Products

Network Observability Spectrum

Issue/Introduction

The OneClick web page is not accessible after you update the certificate in the $SPECROOT/custom/keystore/cacerts file and restart the Tomcat service.

ERROR MESSAGE: "Protocol handler initialization failed" "Error creating SSLContext" "the trustAnchors parameter must be non-empty"

SYMPTOMS:

  • OneClick web page fails to load

  • Tomcat service fails to initialize the HTTPS connector on port 8443

  • catalina.out logs display SSLContext errors

CONTEXT: This occurs immediately after updating the keystore certificates.

IMPACT: Users cannot access the OneClick web interface.

Environment

Spectrum OneClick

Environment:

  • OS: Linux

  • Application: Spectrum OneClick

Cause

The issue occurs because the $SPECROOT/custom/keystore/cacerts file contains a PrivateKeyEntry instead of the required trustedCertEntry.

Resolution

PREREQUISITES:

  • Administrator access to the OneClick server

  • Keystore passwords

STEPS:

1. BACKUP EXISTING KEYSTORE

Command: mv $SPECROOT/custom/keystore/cacerts $SPECROOT/custom/keystore/cacerts.bkp_yyyymmdd

EXPECTED: The existing file is safely renamed.

2. COPY DEFAULT KEYSTORE

Command: cp $SPECROOT/Java/lib/security/cacerts $SPECROOT/custom/keystore/

EXPECTED: The out-of-box keystore is copied to the custom directory.

3. IDENTIFY CERTIFICATE ALIAS

Command: $SPECROOT/Java/bin/keytool -list -v -keystore [organization-certificate].pfx -storetype PKCS12

EXPECTED: The command returns the alias name (e.g., [cert-alias]).

4. IMPORT CERTIFICATE

Command: $SPECROOT/Java/bin/keytool -importkeystore -srckeystore [organization-certificate].pfx -srcstoretype pkcs12 -destkeystore cacerts -destalias tomcatssl -srcalias [cert-alias]

EXPECTED: The certificate imports successfully.

5. RESTART TOMCAT SERVICE

Command: $SPECROOT/tomcat/bin/stopTomcat.sh

Command: ps -ef | grep tomcat | grep -v webtomcat

Command: kill [process-id] (if Tomcat is still listed)

Command: $SPECROOT/tomcat/bin/startTomcat.sh

EXPECTED: Tomcat starts without SSLContext errors.

6. IMPORT LDAP CERTIFICATE

Navigate to the OneClick web page and import the LDAP certificate.

EXPECTED: The web page loads and accepts the certificate.

VERIFY SUCCESS:

  • OneClick web page loads successfully

  • No Protocol handler errors appear in catalina.out
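
The check below is an added example, not part of the original article or any vendor tooling: it parses `keytool -list` output and flags a keystore that holds no trustedCertEntry, the condition described under Cause, so it can be run before restarting Tomcat. The sample listings and their CA alias names are constructed, and treating tomcatssl (the -destalias from step 4) as the expected key alias is an assumption.

```shell
#!/bin/sh
# Added example, not vendor code. Summarizes entry types in `keytool -list`
# output read on stdin: short form ("alias, date, TYPE,") or -v form.
# Assumption: the HTTPS key is expected under the alias from step 4 (tomcatssl).
# Usage: $SPECROOT/Java/bin/keytool -list -keystore cacerts | summarize_keystore
summarize_keystore() {
    awk -v want="${1:-tomcatssl}" '
        function tally(a, t) {
            if (t ~ /^trustedCertEntry/) trusted++
            if (t ~ /^PrivateKeyEntry/) { priv++; if (a == want) haskey = 1 }
        }
        /^Alias name: / { alias = substr($0, 13) }            # -v form
        /^Entry type: / { tally(alias, substr($0, 13)) }      # -v form
        /, (trustedCertEntry|PrivateKeyEntry),/ {             # short form
            a = $0; sub(/, .*$/, "", a)                       # text before first ", "
            tally(a, ($0 ~ /, trustedCertEntry,/) ? "trustedCertEntry" : "PrivateKeyEntry")
        }
        END {
            verdict = "OK"
            if (!haskey)      verdict = "MISSING_KEY_ALIAS"
            if (trusted == 0) verdict = "NO_TRUST_ANCHORS"    # the startup error on this page
            printf "trusted=%d private=%d verdict=%s\n", trusted, priv, verdict
        }'
}

sample_broken() {   # constructed listing: only the imported key, no CA certificates
cat <<'EOF'
Your keystore contains 1 entry

tomcatssl, Jan 1, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed)
EOF
}

sample_fixed() {    # constructed listing: default CA entries plus the imported key
cat <<'EOF'
Your keystore contains 3 entries

exampleroot1 [jdk], Jan 1, 2024, trustedCertEntry,
exampleroot2 [jdk], Jan 1, 2024, trustedCertEntry,
tomcatssl, Jan 1, 2024, PrivateKeyEntry,
EOF
}

sample_broken | summarize_keystore   # trusted=0 private=1 verdict=NO_TRUST_ANCHORS
sample_fixed  | summarize_keystore   # trusted=2 private=1 verdict=OK
```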

Additional Information

KNOWN LIMITATIONS:

  • The password to the key inside the certificate must match the keystore password.

  • Command to update key password: keytool -keypasswd -alias [key-name] -keystore [keystore-name]