Bug 175561 - Certificate Server failed to start with IBM JRE 5.0 GA
Certificate Server failed to start with IBM JRE 5.0 GA
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: java-1.5.0-ibm (Show other bugs)
4.0
i386 Linux
high Severity medium
: ---
: ---
Assigned To: Thomas Fitzsimmons
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-12 14:50 EST by Thomas Kwan
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-23 18:36:21 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Thomas Kwan 2005-12-12 14:50:26 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

Description of problem:
Note that this bug is actually for IBM JRE 5.0.

I am trying to get IBM JRE 5.0 working with Red Hat Certificate System 7.1. At server start up, I got the following error

java.lang.ExceptionInInitializerError
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:154)
    at javax.crypto.Cipher.getInstance(Unknown Source)
    at javax.crypto.Cipher.getInstance(Unknown Source)
    at org.mozilla.jss.SecretDecoderRing.Decryptor.decrypt(Decryptor.java:154)
    at com.netscape.cmscore.security.PWsdrCache.readPWcache(PWsdrCache.java:340)
    at com.netscape.cmscore.security.PWsdrCache.getEntry(PWsdrCache.java:486)
    at com.netscape.cmscore.security.PWCBsdr.getPasswordFirstAttempt(PWCBsdr.java:138)
    at com.netscape.cmscore.ldapconn.LdapAuthInfo.init(LdapAuthInfo.java:118)
    at com.netscape.cmscore.ldapconn.LdapAuthInfo.<init>(LdapAuthInfo.java:53)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.init(LdapBoundConnFactory.java:95)
    at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:228)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:702)
    at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:631)
    at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:237)
    at com.netscape.certsrv.apps.CMS.init(CMS.java:126)
    at com.netscape.certsrv.apps.CMS.start(CMS.java:1432)
    at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:63)
    at com.netscape.server.http.servlet.WServletEntity.loadAndInitServlet(WServletEntity.java:98)
    at com.netscape.server.http.servlet.WebApplication.init(WebApplication.java:356)
    at com.netscape.server.http.servlet.VirtualServer.init(VirtualServer.java:182)
    at com.netscape.server.http.servlet.NSServletRunner.VSInit(NSServletRunner.java:683)
Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
    at javax.crypto.b.<clinit>(Unknown Source)
    at java.lang.J9VMInternals.initializeImpl(Native Method)
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:148)
    ... 20 more
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.b.access$600(Unknown Source)
    at javax.crypto.b$0.run(Unknown Source)
    at java.security.AccessController.doPrivileged(AccessController.java:241)
    ... 23 more

When running the JRE with a standalone utility, it works. But when running our server with the JRE, I got the error listed above. The difference is that our server  initializesa JVM in-process using the JNI_CreateJavaVM call to handle servlets.

Another notes, when running the JRE in the server mode, I only got the following providers:

CMSEngine: Java Security Provider 0 class=Mozilla-JSS version 3.7
CMSEngine: Java Security Provider 1 class=IBMJCE version 1.2
CMSEngine: Java Security Provider 2 class=IBMSASL version 1.5

But when running in the standalone mode, I got 

CMSEngine: Java Security Provider 0 class=Mozilla-JSS version 3.7
CMSEngine: Java Security Provider 1 class=IBMJSSE2 version 1.5
CMSEngine: Java Security Provider 2 class=IBMJCE version 1.2
CMSEngine: Java Security Provider 3 class=IBMJGSSProvider version 1.5
CMSEngine: Java Security Provider 4 class=IBMCertPath version 1.1
CMSEngine: Java Security Provider 5 class=IBMSASL version 1.5

To see if the problem can be resolved by getting all the providers, I
manually put ibmjgssprovider.jar, ibmjsseprovider2.jar ibmcertpathprovider.jar into the lib/ext directories. Then I was able to see all providers within the providers, however, I am still getting the same InitializerError exception.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Integrate IBM JRE 5.0 into the server
2. Start the server
3. (It is not easy to reproduce the environment, and I am willing to provide additional information if required)
  

Additional info:
Comment 1 Thomas Kwan 2005-12-16 20:29:17 EST
raised priority
Comment 2 RHEL Product and Program Management 2006-08-23 17:40:23 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 3 RHEL Product and Program Management 2006-08-23 17:40:28 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 4 Thomas Kwan 2006-08-23 18:36:21 EDT
I think we have an alternate solution to the problem. So this is no longer a
priority for us.

Note You need to log in before you can comment on or make changes to this bug.