
Fixing https dswsbobje Internal Server error in 4.2 SP4 (trustAnchors)

Sep 06 at 08:49 PM


Hello,

Just performed an upgrade from 4.2 SP3 to 4.2 SP4. Everything else is now good, with one exception: when accessing anything under https://<bobjserver>/dswsbobje/services/... such as https://<bobjserver>/dswsbobje/services/listServices, it now returns Internal Server Error.

The fix in 4.2 SP3 and prior was to add the following 2 parameters to the Java options for Tomcat:
-Djavax.net.ssl.trustStore=keystoreFile
-Djavax.net.ssl.trustStorePassword=<Password>

Where the keystoreFile and Password are the same ones used in the server.xml file connector for port 443.

However, in SP4 when I add these parameters, it throws the error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
...
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:970)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
...
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:968)
... 13 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
...
... 20 more

I can't find much online about this error, but the keystore file used is a 2048-bit RSA JKS keystore, which is the new minimum required for SP4, and it is in the same location as it was in SP3 and is readable by Tomcat, since it works fine in the server.xml.

I tried adding a third parameter for trustAnchors and it still didn't like it:
-Djavax.net.ssl.trustAnchors=keystoreFile

While I am not using web services at the moment, I would prefer not to leave it in a partially broken state.

Thanks in Advance.
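
Added example, not part of the original post and not SAP or Tomcat code: the JDK documents that `PKIXParameters(KeyStore)` throws this exception when the keystore contains no trusted certificate entries, so this check lists the entry types in the file passed as `javax.net.ssl.trustStore` and runs the same constructor against it. The class name `TrustAnchorCheck`, the optional store-type argument and the interactive password prompt are assumptions of the example.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Collections;

// Added diagnostic (hypothetical class name). Usage:
//   java TrustAnchorCheck <keystoreFile> [storeType, default JKS]
public class TrustAnchorCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length < 1 || console == null) {
            System.err.println("usage (interactive terminal): java TrustAnchorCheck <keystoreFile> [type]");
            System.exit(2);
        }
        // Prompt for the password so it does not appear in the process list.
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance(args.length > 1 ? args[1] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        int trusted = 0, keys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                trusted++;
                System.out.println("trustedCertEntry: " + alias);
            } else if (ks.isKeyEntry(alias)) {
                keys++;
                System.out.println("key entry (not a trust anchor): " + alias);
            }
        }
        System.out.printf("%d trusted certificate entries, %d key entries%n", trusted, keys);

        try {
            // JDK constructor that ends in PKIXParameters.setTrustAnchors,
            // the frame at the bottom of the stack trace above.
            PKIXParameters params = new PKIXParameters(ks);
            System.out.println("OK: " + params.getTrustAnchors().size() + " trust anchors");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A keystore that holds only the server's private key entry reports zero trusted certificate entries and fails this check, even though it works as the connector's keystore.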


2 Answers

Denis Konovalov SAP Employee Moderator Sep 08 at 05:34 PM
1

Why would you need to add those options to Java just to get the list of services when accessing dswsbobje?

Some web services functionality does require enabling of https transports in Axis2.xml, but nothing in Java opts.
See KBA:

https://launchpad.support.sap.com/#/notes/1809210

Do you have any docs that show why those parameters need to be added to Java opts?

Nathan Truhan Sep 11 at 08:14 PM
0

Sorry for the late reply:

I believe this is where I got the information from; it has been a while, but ever since I have done both steps to modify the axis file and add the parameters to enable https for QaaWS, since I got the error the first time a couple of years ago in 4.0: https://launchpad.support.sap.com/#/notes/1896549


Per the note it says: Axis2 uses a different interfacing for SSL configuration and cannot pick the SSL connector setup in the server.xml for Tomcat


I'd say time to raise this to SAP via Support Incident. Need a proper investigation.

0