  1. OpenAM
  2. OPENAM-11951

Fix keystore issue with IBM JDK for websphere


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 13.5.0, 13.5.1, 14.0.0, 14.1.1, 14.5.0
    • Fix Version/s: None
    • Component/s: configurator
    • Labels:
    • Environment:
      IBM JDK 8
    • Target Version/s:
    • Support Ticket IDs:


      AM installation fails when using IBM Java (seen on WebSphere during 5.5 release testing).

      The issue is shown as an error in the configurator UI:

      Failed to create test keys, refer to install.log under C:/openam for more information. 


      The actual cause is that the keystore was not initialised in the first place. AMSetupServlet attempts to create test keys on install, but the keystore.jceks which ships with AM was created using SunJCE, so IBM Java cannot load the keystore. This error is shown in the CoreSystem log:

      amSecurity:10/12/2017 08:33:56:610 AM PDT: Thread[WebContainer : 1,5,main]: TransactionId[49842bee-a7b3-438b-a0c4-5359ce44ab59-22]
      ERROR: mapPk2Cert.JKSKeyProvider:
      java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector

      Currently there is a documented workaround, which involves replacing the keystore.jceks with a new one created using IBM Java before installing the war.

      See the comments in OPENAM-11946 and the resultant PR for more details on the issue and workaround.

      For AM 6 we should either ship a compatible keystore or, better, programmatically create the keystore on install.
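
The "programmatically create the keystore on install" option could look like the following. This is an added example, not OpenAM code or the change from any PR; the class name, the alias, the `.orig` backup suffix and the use of one password for both store and key are assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
public class KeystoreBootstrap {
    // Hypothetical alias for the generated test key; not a name OpenAM defines.
    static final String TEST_ALIAS = "example-test-key";

    /** Returns the keystore, or null if this JVM cannot read the file. */
    static KeyStore tryLoad(Path file, char[] pass) throws GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, pass);
            return ks;
        } catch (IOException e) {
            // Missing file, wrong password and unreadable entries all end up here.
            System.err.println("Cannot load " + file + ": " + e);
            return null;
        }
    }

    /** Creates a JCEKS keystore with the JCE provider of the running JVM. */
    static KeyStore createFresh(Path file, char[] pass) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, pass); // initialise an empty keystore
        KeyGenerator gen = KeyGenerator.getInstance("AES");
        gen.init(128);
        ks.setEntry(TEST_ALIAS, new KeyStore.SecretKeyEntry(gen.generateKey()),
                new KeyStore.PasswordProtection(pass));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, pass);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args.length > 0 ? args[0] : "keystore.jceks");
        if (System.console() == null) throw new IllegalStateException("no console");
        char[] pass = System.console().readPassword("Keystore password: ");
        KeyStore ks = tryLoad(file, pass);
        if (ks == null) {
            if (Files.exists(file)) // keep the unreadable original beside the new file
                Files.move(file, file.resolveSibling(file.getFileName() + ".orig"));
            ks = createFresh(file, pass);
        }
        System.out.println(file + ": " + ks.size() + " entries, provider " + ks.getProvider().getName());
    }
}
```

Because a wrong password fails the same way as an incompatible file, the original is moved aside rather than overwritten, and the move fails if a `.orig` file already exists.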






            • Assignee:
              philip.anderson Philip Anderson


              • Created: