The CertAndKeyGen security class cannot be found error when configuring OpenAM 13.x

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter a "The CertAndKeyGen security class cannot be found" error when configuring OpenAM on JBoss®. This error only occurs if you have also upgraded to JDK 8.


This article has been archived and is no longer maintained by ForgeRock.


An error similar to the following is shown when running the configurator tool:

2017-06-11 12:57:03,196 ERROR [stderr] (http- Caused by: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
2017-06-11 12:57:03,211 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/login].[AMSetupServlet]] (http- JBWEB000236: Servlet.service() for servlet AMSetupServlet threw exception: java.lang.ExceptionInInitializerError: The CertAndKeyGen security class cannot be found, consider setting -Dorg.forgerock.opendj.CertAndKeyGenProvider=
    at org.opends.server.util.Platform$PlatformIMPL.<clinit>( [opendj-server-legacy-3.5.0.jar:]
    at org.opends.server.util.Platform.<clinit>( [opendj-server-legacy-3.5.0.jar:]
    at org.opends.server.util.CertificateManager.generateSelfSignedCertificate( [opendj-server-legacy-3.5.0.jar:]
    at org.opends.server.config.AdministrationConnector.createSelfSignedCertificateIfNeeded( [opendj-server-legacy-3.5.0.jar:]
    at org.opends.server.core.DirectoryServer.startServer( [opendj-server-legacy-3.5.0.jar:]
    at org.opends.server.util.EmbeddedUtils.startServer( [opendj-server-legacy-3.5.0.jar:]
    at com.sun.identity.setup.EmbeddedOpenDS.startServer( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.EmbeddedOpenDS.setup( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.AMSetupServlet.setupEmbeddedDS( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.AMSetupServlet.setupSMDatastore( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.AMSetupServlet.configure( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.AMSetupServlet.processRequest( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    at com.sun.identity.setup.AMSetupServlet.doPost( [openam-core-13.5.0.jar:13.5.0 - 2016-Jul-13 07:32:29]
    ...

Recent Changes

Upgraded to, or installed, OpenAM 13.x.

Upgraded to Oracle® Java Development Kit (JDK) 8.


The CertAndKeyGen class is not loaded by the JVM even when the following JVM option is set correctly:


This issue can be resolved by updating the jboss-deployment-structure.xml file to include paths to the Sun x509 security module (sun/security/x509) and the keytool (sun/security/tools/keytool). For example, the revised file would now look similar to this:  

<paths>
    <path name="sun/security/x509" />
    <path name="sun/security/tools/keytool" />
    <path name="com/sun/org/apache/xpath/internal" />
    <path name="com/sun/org/apache/xerces/internal/dom" />
    <path name="com/sun/org/apache/xml/internal/utils" />
</paths>
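To confirm that a descriptor carries both paths before redeploying, the check below parses the file contents and lists any required path that is missing. It is an added example, not ForgeRock's code; the function names, the sample descriptors and the wrapper elements around <paths> are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Paths the article says must be listed for CertAndKeyGen to load on JDK 8.
REQUIRED_PATHS = ("sun/security/x509", "sun/security/tools/keytool")


def local_name(tag):
    """Strip an XML namespace: '{urn:...}path' -> 'path'."""
    return tag.rsplit("}", 1)[-1]


def declared_paths(xml_text):
    """Return the set of <path name="..."> values found inside any <paths> element."""
    root = ET.fromstring(xml_text)
    found = set()
    for elem in root.iter():
        if local_name(elem.tag) != "paths":
            continue
        for child in elem:
            name = child.get("name")
            if local_name(child.tag) == "path" and name:
                # Normalise stray whitespace and leading/trailing slashes.
                found.add(name.strip().strip("/"))
    return found


def missing_paths(xml_text, required=REQUIRED_PATHS):
    """List the required paths the descriptor does not declare, in order."""
    present = declared_paths(xml_text)
    return [p for p in required if p not in present]


# Constructed sample descriptors (assumed layout, not from a real deployment).
BEFORE = """<jboss-deployment-structure xmlns="urn:jboss:deployment-structure:1.1">
  <deployment><dependencies><system><paths>
    <path name="com/sun/org/apache/xpath/internal" />
    <path name="com/sun/org/apache/xerces/internal/dom" />
    <path name="com/sun/org/apache/xml/internal/utils" />
  </paths></system></dependencies></deployment>
</jboss-deployment-structure>"""

AFTER = BEFORE.replace(
    "<paths>",
    '<paths>\n    <path name="sun/security/x509" />'
    '\n    <path name="sun/security/tools/keytool" />',
)

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        gaps = missing_paths(doc)
        print(label, "OK" if not gaps else "missing: " + ", ".join(gaps))
```

To check a real deployment, pass the text of its jboss-deployment-structure.xml to missing_paths(); an empty list means both paths are declared.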

See Also

A security class cannot be found in this JVM because of the following reason: error in OpenDJ 2.6.0, 2.6.1, 2.6.2 and 2.6.3

FAQ: Configuring AM

FAQ: Installing AM

FAQ: Upgrading AM


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.