AutoSys AEWS Upgrade to 24.2 Fails to Migrate Custom Keystores
search cancel

AutoSys AEWS Upgrade to 24.2 Fails to Migrate Custom Keystores

book

Article ID: 442224

calendar_today

Updated On:

Products

Autosys Workload Automation

Issue/Introduction

After upgrading AutoSys Workload Automation AE from version 12.x to 24.2, the Web Server (AEWS) starts but the REST API is inaccessible via HTTPS (typically port 9443).

Reviewing the cawa_installer.log reveals errors similar to:

2026-05-29 09:14:04,045 [main] INFO  com.ca.wla.ae.installer.util.KeyStoreUtil(292) - keystoreType from server.xml: JKS
2026-05-29 09:14:04,045 [main] DEBUG com.ca.wla.ae.installer.util.FileUtil(118) - Does file exists? /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore : true
2026-05-29 09:14:04,046 [main] INFO  com.ca.wla.ae.installer.util.KeyStoreUtil(125) - Renamed existing keystore to /opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/.keystore_1780046044045
2026-05-29 09:14:04,046 [main] DEBUG com.ca.wla.ae.installer.util.KeyStoreUtil(303) - serverXml:/opt/CA/WorkloadAutomationAE/autouser.ACE/webserver/conf/server.xml
2026-05-29 09:14:04,049 [main] DEBUG com.ca.wla.ae.installer.util.KeyStoreUtil(315) - connectorNode:[Connector: null]
2026-05-29 09:14:04,049 [main] DEBUG com.ca.wla.ae.installer.util.KeyStoreUtil(320) - keystoreMap:{keyPass=, keyAlias=, keystorePass=CUSTOM-PASS}
2026-05-29 09:14:04,049 [main] INFO  com.ca.wla.ae.installer.util.KeyStoreUtil(148) - keyStoreAlias is not found in server.xml. Checking keystore file

2026-05-29 09:14:04,052 [main] DEBUG com.ca.wla.ae.installer.util.KeyStoreUtil(166) - Failed to load keystore java.io.IOException: Invalid keystore format
 at java.base/sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
 at java.base/java.security.KeyStore.load(Unknown Source)
 at com.ca.wla.ae.installer.util.KeyStoreUtil.updateToBCFKSKeystore(KeyStoreUtil.java:156)
 at com.ca.wla.ae.installer.mm.action.restws.CreateRestWSKeystore.install(CreateRestWSKeystore.java:39)
 at com.zerog.ia.installer.actions.CustomAction.installSelf(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.GhostDirectory.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.Installer.install(Unknown Source)
 at com.zerog.ia.installer.LifeCycleManager.consoleInstallMain(Unknown Source)
 at com.zerog.ia.installer.LifeCycleManager.executeApplication(Unknown Source)
 at com.zerog.ia.installer.Main.main(Unknown Source)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
 at java.base/java.lang.reflect.Method.invoke(Unknown Source)
 at com.zerog.lax.LAX.launch(Unknown Source)
 at com.zerog.lax.LAX.main(Unknown Source)
 
2026-05-29 09:14:04,052 [main] DEBUG com.ca.wla.ae.installer.util.KeyStoreUtil(166) - Failed to load keystore java.io.IOException: DerValue.getBigIntegerInternal, not expected 48
 at java.base/sun.security.util.DerValue.getBigIntegerInternal(Unknown Source)
 at java.base/sun.security.util.DerValue.getIntegerInternal(Unknown Source)
 at java.base/sun.security.util.DerValue.getInteger(Unknown Source)
 at java.base/sun.security.util.DerInputStream.getInteger(Unknown Source)
 at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
 at java.base/sun.security.util.KeyStoreDelegator.engineLoad(Unknown Source)
 at java.base/java.security.KeyStore.load(Unknown Source)
 at com.ca.wla.ae.installer.util.KeyStoreUtil.updateToBCFKSKeystore(KeyStoreUtil.java:156)
 at com.ca.wla.ae.installer.mm.action.restws.CreateRestWSKeystore.install(CreateRestWSKeystore.java:39)
 at com.zerog.ia.installer.actions.CustomAction.installSelf(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.GhostDirectory.install(Unknown Source)
 at com.zerog.ia.installer.InstallablePiece.install(Unknown Source)
 at com.zerog.ia.installer.Installer.install(Unknown Source)
 at com.zerog.ia.installer.LifeCycleManager.consoleInstallMain(Unknown Source)
 at com.zerog.ia.installer.LifeCycleManager.executeApplication(Unknown Source)
 at com.zerog.ia.installer.Main.main(Unknown Source)
 at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
 at java.base/java.lang.reflect.Method.invoke(Unknown Source)
 at com.zerog.lax.LAX.launch(Unknown Source)
 at com.zerog.lax.LAX.main(Unknown Source)

Environment

Custom keystore file specified in server.xml (rather than the default name: .keystore)

Cause

Because of installer limitation as it stands in 24.2 release, the upgrade process to hardcode the keystore path to $AUTOUSER/webserver/conf/.keystore.

Even if a custom keystore is defined in the server.xml, the installer ignores that path and attempts to migrate the default .keystore file instead. If the passwords do not match or the default file is missing/invalid, the physical conversion to the new BCFKS format required for version 24.2 fails.

Resolution

Workaround 1: Manual Migration (Post-Upgrade)

If the upgrade has already been completed and the web service is not responding, manually convert your custom JKS keystore to the BCFKS format:

  1. Navigate to the configuration directory: cd $AUTOUSER/webserver/conf/

  2. Run the keytool conversion command (ensure $AUTOSYS environment variable is set):

    keytool -importkeystore -srckeystore [CUSTOM_KEYSTORE] -srcstorepass [PASSWORD] -destkeystore [CUSTOM_KEYSTORE].BCFKS -srcstoretype JKS -deststoretype BCFKS -deststorepass [PASSWORD] -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath $AUTOSYS/lib/bc-fips.jar

  3. Replace the active keystore with the converted version:

    mv [CUSTOM_KEYSTORE] [CUSTOM_KEYSTORE].JKS.bkp
mv [CUSTOM_KEYSTORE].BCFKS [CUSTOM_KEYSTORE] 
## ensure [CUSTOM_KEYSTORE]   name is the same as the one in $AUTOUSER/webserver/conf/server.xml

  4. Restart the Web Server: unisrvcntr restart waae_webserver.[INSTANCE]

Workaround 2: Proactive Migration (Pre-Upgrade)

To avoid this issue on future upgrades for remaining instances:

  1. Rename your custom keystore file to .keystore within the $AUTOUSER/webserver/conf/ directory.
  2. Ensure the server.xml points to this .keystore file.
  3. Execute the 24.2 upgrade. The installer will detect and migrate the file correctly as it matches the hardcoded expected name.
Powered by Wolken Software