tracker issue : CF-4198542

Title:

Unable to initialise Security service, Client Storage service, and WatchService service


Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): ANDREW LORIEN / ANDREW LORIEN ()

Created: 04/20/2017

Components: Installation/Config

Versions: 10.0

Failure Type: Others

Found In Build/Fixed In Build: 10,0,22,301868 /

Priority/Frequency: Normal /

Locale/System: / Linux

Vote Count: 0

Problem Description:
When testing Java update (Java SE Development Kit 8u131) on our CF 10 server, I was not able to load CF admin and had the following errors:
- Unable to initialise Security service
- Unable to initialise Client Storage service
- Unable to initialise WatchService service

The detailed error can be found in the attachment (exception.log). I also attach the server log.

Steps to Reproduce:
Set java home to java.home=/usr/java/jdk1.8.0_131/jre/ then restart CF instance.

CF Version 10,0,22,301868
OS: Red Hat Enterprise Linux Server release 6.8

Issue doesn't exist when /usr/java/jdk1.8.0_121/jre is used.

Actual Result:

Expected Result:

Any Workarounds:

Attachments:

  1. April 20, 2017 00:00:00: exception.log
  2. April 20, 2017 00:00:00: server.log

Comments:

Issues are likely to be related to

java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: FIPS186PRNG, provider: JsafeJCE, class: com.rsa.jsafe.provider.JSA_FIPS186PRNGXChangeNoticeGeneral)
java.lang.SecurityException: JsafeJCE provider self-integrity check failed
    at com.rsa.jsafe.provider.JsafeJCE.c(Unknown Source)
    at com.rsa.jsafe.provider.JsafeJCE.b(Unknown Source)
    at com.rsa.jsafe.provider.JSA_FIPS186PRNGX.<init>(Unknown Source)
    at com.rsa.jsafe.provider.JSA_FIPS186PRNGXChangeNoticeGeneral.<init>(Unknown Source)
Comment by ANDREW L.
908 | April 20, 2017 04:50:29 AM GMT
Further research that we did seems to confirm that JsafeJCE is likely to be the problem.

In the following post https://blogs.oracle.com/java-platform-group/entry/oracle_jre_will_no_longer we found the following statement:

"Oracle JRE will no longer trust MD5-signed code by default"

"Beginning with the April 2017 Critical Patch Update, JAR files signed using MD5 will no longer be considered as signed by the Oracle JRE. Affected MD5-signed JAR files will no longer be considered trusted and as a result will not be able to run by default, such as in the case of Java applets, or Java Web Start applications."

Running the following command "jarsigner -verify -verbose /opt/coldfusion10/cfusion/lib/jsafeJCEFIPS.jar" shows the following result:

============================================================================
- Signed by "CN=RSA Security Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc"
    Digest algorithm: SHA1
    Signature algorithm: MD5withRSA (weak), 1024-bit key

WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:

  jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
============================================================================

The jar file is treated as unsigned, because it is signed with a weak algorithm that is now disabled.

Can Adobe let us know if this will be fixed soon or whether there is a workaround? This is quite urgent for us.

Thanks
Comment by ANDREW L.
909 | April 21, 2017 12:30:03 AM GMT
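
Why the warning quoted in the comment above fires, as an added example that is not part of the original thread and is not the JDK's own code: a simplified Python evaluation of the `jdk.jar.disabledAlgorithms` value from the jarsigner output against the reported signature algorithm and key size. The function names and the name-splitting rule are assumptions made for illustration; the result shows that the 1024-bit key passes `RSA keySize < 1024` and that the MD5 component alone causes the jar to count as unsigned.

```python
import operator
import re

# jdk.jar.disabledAlgorithms value exactly as printed in the jarsigner warning.
DISABLED = "MD2, MD5, RSA keySize < 1024"

# Constructed sample: the two algorithm lines from the jarsigner output quoted above.
SAMPLE = ("Digest algorithm: SHA1\n"
          "Signature algorithm: MD5withRSA (weak), 1024-bit key\n")

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
       ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
ENTRY = re.compile(r"\s*([\w-]+)(?:\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+))?\s*")

def parse_constraints(prop):
    """Turn the property into (name, operator, size); operator is None for a bare name."""
    entries = []
    for raw in prop.split(","):
        m = ENTRY.fullmatch(raw)
        if not m:  # only the two entry forms seen on this page are handled
            raise ValueError(f"unsupported entry: {raw!r}")
        entries.append((m.group(1).upper(), m.group(2), int(m.group(3) or 0)))
    return entries

def decompose(sig_alg):
    """Simplified split of a signature name: 'MD5withRSA' -> {'MD5', 'RSA'}."""
    return {p.upper() for p in re.split(r"(?i)with|and", sig_alg) if p}

def blocked_by(sig_alg, key_bits, prop=DISABLED):
    """Return the property entries that disable this algorithm/key-size pair."""
    parts = decompose(sig_alg)
    hits = []
    for name, op, size in parse_constraints(prop):
        if name not in parts:
            continue
        if op is None:
            hits.append(name)
        elif OPS[op](key_bits, size):
            hits.append(f"{name} keySize {op} {size}")
    return hits

def check_jarsigner_output(text, prop=DISABLED):
    """Extract algorithm and key size from jarsigner -verbose text and evaluate them."""
    m = re.search(r"Signature algorithm:\s*(\w+).*?(\d+)-bit key", text)
    if not m:
        raise ValueError("no 'Signature algorithm' line found")
    alg, bits = m.group(1), int(m.group(2))
    return alg, bits, blocked_by(alg, bits, prop)

if __name__ == "__main__":
    print(check_jarsigner_output(SAMPLE))
```
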
Hi Andrew, is this resolved or are you still facing the issue? Regards, Manas
Comment by Manas M.
910 | May 25, 2017 10:57:37 AM GMT