TIBCO Administrator/TRA 5.10.3 & 5.11.2 versions Post Domain Migration Task
Article ID: KB0073624
Updated On:
| Products | Versions |
|---|---|
| TIBCO Administrator | 5.11.2, 5.10.3 |
Description
Description:
==========
Post Successful Domain upgrade/migration with Admin/TRA 5.11.2 or 5.10.3 versions, administrator & hawk services fails to start and throw JCE policy-related errors.
This applies to all the Domains with EMS transport.
Symptoms
==========
Domain Administrator & Hawk Services do not start and throw below error
<-----------------------------------------------------------------
Exception in thread
"Thread-1" java.lang.ExceptionInInitializerError at javax.crypto.Cipher.getInstance(Cipher.java:656) at javax.crypto.Cipher.getInstance(Cipher.java:599)
at com.tibco.security.providers.CryptoVendorImpl_bcfips.undo(CryptoVendorImpl_bcfips.java:225)
at com.tibco.security.Crypto.undo(Crypto.java:73)
at com.tibco.security.ObfuscationEngine.decrypt(ObfuscationEngine.java:320)
at com.tibco.repo.JMSRepoProcess.<init>(JMSRepoProcess.java:69)
at com.tibco.repo.JMSRepoProcessFactory.getJMSRepoProcessIntfImplementation(JMSRepoProcessFactory.java:8)
at com.tibco.repo.RemoteRepoServlet$JMSRepoProcessThread.run(RemoteRepoServlet.java:190)
...
Caused by: java.lang.SecurityException: Can not initialize cryptographic mechanism at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:93) ... 8 more
Caused by: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.)
at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336)
at javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378)
at javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323)
at javax.crypto.JceSecurity.access$000(JceSecurity.java:50)
at javax.crypto.JceSecurity$1.run(JceSecurity.java:85)
at java.security.AccessController.doPrivileged(Native Method)
at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
------------------------------------------->
Cause:
The certificate for the old stand-alone jar has expired. Please refer to "JDK 8u261 Update Release Notes" below:
=============================================
security-libs/javax.crypto
➜ JCE Jurisdiction Policy Files updated
Since January 2018 (8u161, 7u171) unlimited Java Cryptography Extension (JCE) Jurisdiction Policy files have been bundled with the JDK and enabled by default (see JDK Cryptographic Roadmap).
The certificate for the old stand alone jar has expired, and if used the following exception will be seen:
Caused By: java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer! (Policy files are specific per major JDK release.Ensure the correct version is installed.) at javax.crypto.JarVerifier.verifyPolicySigned(JarVerifier.java:336) at
javax.crypto.JceSecurity.loadPolicies(JceSecurity.java:378) at
javax.crypto.JceSecurity.setupJurisdictionPolicies(JceSecurity.java:323) at
javax.crypto.JceSecurity.access$000(JceSecurity.java:50) at
javax.crypto.JceSecurity$1.run(JceSecurity.java:85) at java.security.AccessController.doPrivileged(Native Method) at javax.crypto.JceSecurity.<clinit>(JceSecurity.java:82)
If still required for older releases the re-signed files can be found at https://www.oracle.com/java/technologies/oracle-java-archive-downloads.html
=============================================
Issue/Introduction
Environment
Resolution
==========
1) Move "local_policy.jar" & US_export_policy.jar" files under $tibco_home/tibcojre64/lib/security path to a temp location.
2) Restart the Administrator and Hawk Domain services.
Administrator & Hawk domain services now will load/read the JCE policy files from $tibco_home/tibcojre64/lib/security/policy/unlimited location.
Additional Information
Feedback
