The CertAndKeyGen security class cannot be found error when configuring AM (All versions) or OpenAM 13.x

Last updated Jul 9, 2018

The purpose of this article is to provide assistance if you encounter a "The CertAndKeyGen security class cannot be found" error when configuring AM/OpenAM on JBoss®. This error only occurs if you have also upgraded to JDK 8.


An error similar to the following is shown when running the configurator tool:

2017-06-11 12:57:03,196 ERROR [stderr] (http- Caused by: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=

2017-06-11 12:57:03,211 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/login].[AMSetupServlet]] (http- JBWEB000236: Servlet.service() for servlet AMSetupServlet threw exception: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
   at org.opends.server.util.Platform$PlatformIMPL.<clinit>( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.Platform.<clinit>( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.CertificateManager.generateSelfSignedCertificate( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.config.AdministrationConnector.createSelfSignedCertificateIfNeeded( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.core.DirectoryServer.startServer( [opendj-server-legacy-3.5.0.jar:]
   at org.opends.server.util.EmbeddedUtils.startServer( [opendj-server-legacy-3.5.0.jar:]
   at com.sun.identity.setup.EmbeddedOpenDS.startServer( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.EmbeddedOpenDS.setup( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.setupEmbeddedDS( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.setupSMDatastore( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.configure( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.processRequest( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
   at com.sun.identity.setup.AMSetupServlet.doPost( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]

Recent Changes

Upgraded to, or installed AM 5 or later.

Upgraded to, or installed OpenAM 13.x.

Upgraded to Oracle® Java Development Kit (JDK) 8.


The CertAndKeyGen class is not loaded by the JVM even when the following JVM option is set correctly:


This issue can be resolved by updating the jboss-deployment-structure.xml file to include paths to the Sun x509 security module (sun/security/x509) and the keytool (sun/security/tools/keytool). For example, the revised file would now look similar to this:  

   <path name="sun/security/x509" /> 
   <path name="sun/security/tools/keytool" /> 
   <path name="com/sun/org/apache/xpath/internal" /> 
   <path name="com/sun/org/apache/xerces/internal/dom" /> 
   <path name="com/sun/org/apache/xml/internal/utils" /> 

See Also

A security class cannot be found in this JVM because of the following reason: error in OpenDJ 2.6.0, 2.6.1, 2.6.2 and 2.6.3

FAQ: Configuring AM/OpenAM

FAQ: Installing AM/OpenAM

FAQ: Upgrading AM/OpenAM

Related Training


Related Issue Tracker IDs


Copyright and TrademarksCopyright © 2018 ForgeRock, all rights reserved.