The CertAndKeyGen security class cannot be found error when configuring OpenAM 13.x
The purpose of this article is to provide assistance if you encounter a "The CertAndKeyGen security class cannot be found" error when configuring OpenAM on JBoss®. This error only occurs if you have also upgraded to JDK 8.
Symptoms
An error similar to the following is shown when running the configurator tool:
2017-06-11 12:57:03,196 ERROR [stderr] (http-198.51.100.0:8080) Caused by: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
2017-06-11 12:57:03,211 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/login].[AMSetupServlet]] (http-198.51.100.0:8080) JBWEB000236: Servlet.service() for servlet AMSetupServlet threw exception: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
at org.opends.server.util.Platform$PlatformIMPL.<clinit>(Platform.java:171) [opendj-server-legacy-3.5.0.jar:]
at org.opends.server.util.Platform.<clinit>(Platform.java:80) [opendj-server-legacy-3.5.0.jar:]
at org.opends.server.util.CertificateManager.generateSelfSignedCertificate(CertificateManager.java:272) [opendj-server-legacy-3.5.0.jar:]
at org.opends.server.config.AdministrationConnector.createSelfSignedCertificateIfNeeded(AdministrationConnector.java:547) [opendj-server-legacy-3.5.0.jar:]
at org.opends.server.core.DirectoryServer.startServer(DirectoryServer.java:1534) [opendj-server-legacy-3.5.0.jar:]
at org.opends.server.util.EmbeddedUtils.startServer(EmbeddedUtils.java:78) [opendj-server-legacy-3.5.0.jar:]
at com.sun.identity.setup.EmbeddedOpenDS.startServer(EmbeddedOpenDS.java:465) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.EmbeddedOpenDS.setup(EmbeddedOpenDS.java:262) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.AMSetupServlet.setupEmbeddedDS(AMSetupServlet.java:741) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.AMSetupServlet.setupSMDatastore(AMSetupServlet.java:789) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.AMSetupServlet.configure(AMSetupServlet.java:833) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:500) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
at com.sun.identity.setup.AMSetupServlet.doPost(AMSetupServlet.java:439) [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
...Recent Changes
Upgraded to, or installed OpenAM 13.x.
Upgraded to Oracle® Java Development Kit (JDK) 8.
Causes
The CertAndKeyGen class is not loaded by the JVM even when the following JVM option is set correctly:
-Dorg.forgerock.opendj.CertAndKeyGenProvider=sun.security.tools.keytool.CertAndKeyGen
Solution
This issue can be resolved by updating the jboss-deployment-structure.xml file to include paths to the Sun x509 security module (sun/security/x509) and the keytool (sun/security/tools/keytool). For example, the revised file would now look similar to this:
<paths>
<path name="sun/security/x509" />
<path name="sun/security/tools/keytool" />
<path name="com/sun/org/apache/xpath/internal" />
<path name="com/sun/org/apache/xerces/internal/dom" />
<path name="com/sun/org/apache/xml/internal/utils" />
</paths>See Also
Related Training
N/A
Related Issue Tracker IDs
N/A