The CertAndKeyGen security class cannot be found error when configuring OpenAM 13.x

Last updated Sep 27, 2019

The purpose of this article is to provide assistance if you encounter a "The CertAndKeyGen security class cannot be found" error when configuring OpenAM on JBoss®. This error only occurs if you have also upgraded to JDK 8.


An error similar to the following is shown when running the configurator tool:

2017-06-11 12:57:03,196 ERROR [stderr] (http- Caused by: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=

2017-06-11 12:57:03,211 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/login].[AMSetupServlet]] (http- JBWEB000236: Servlet.service() for servlet AMSetupServlet threw exception: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
   at org.opends.server.util.Platform$PlatformIMPL.<clinit>( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.Platform.<clinit>( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.CertificateManager.generateSelfSignedCertificate( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.config.AdministrationConnector.createSelfSignedCertificateIfNeeded( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.core.DirectoryServer.startServer( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.EmbeddedUtils.startServer( [opendj-server-legacy-3.5.0.jar:]
   at com.sun.identity.setup.EmbeddedOpenDS.startServer( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.EmbeddedOpenDS.setup( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.setupEmbeddedDS( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.setupSMDatastore( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.configure( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.processRequest( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.doPost( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]

Recent Changes

Upgraded to, or installed OpenAM 13.x.

Upgraded to Oracle® Java Development Kit (JDK) 8.


The CertAndKeyGen class is not loaded by the JVM even when the following JVM option is set correctly:


This issue can be resolved by updating the jboss-deployment-structure.xml file to include paths to the Sun x509 security module (sun/security/x509) and the keytool (sun/security/tools/keytool). For example, the revised file would now look similar to this:  

   <path name="sun/security/x509" /> 
   <path name="sun/security/tools/keytool" /> 
   <path name="com/sun/org/apache/xpath/internal" /> 
   <path name="com/sun/org/apache/xerces/internal/dom" /> 
   <path name="com/sun/org/apache/xml/internal/utils" /> 

See Also

A security class cannot be found in this JVM because of the following reason: error in OpenDJ 2.6.0, 2.6.1, 2.6.2 and 2.6.3

FAQ: Configuring AM/OpenAM

FAQ: Installing AM/OpenAM

FAQ: Upgrading AM/OpenAM

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2019 ForgeRock, all rights reserved.