Launching soon: The world's first vendor agnostic bug scrubLearn more & join waitlist
OPERATIONAL DEFECT DATABASE
...
...
After upgrading Java8, HP-UX Software Assistant (SWA) clireg may fail with the following message: ERROR: Failed to access authorization service. Note : SWA C.03.xxxx depends on Java8 to communicate with the server. Root or intermediate certificate for SWA must be installed correctly in the keystore file, /opt/java8/jre/lib/security/cacerts. Java security policy needs to be properly set.
Any HPE Integrity server running HP-UX 11i v3 and the following: HP-UX Software Assistant C.03.xxxx Java80.JDK and Java80.JRE
Scenario #1 Java 8 1.0.8.25 and Java 8 1.0.8.26 do not have valid root/intermediate certificate for SWA installed in the keystore. Workaround #1 If upgrading Java 8 version to 1.0.8.25 or 1.0.8.26, save the keystore file before upgrading then restore or wait for the next Java 8 release that fixes the keystore issue. If already upgraded Java 8 to 1.0.8.25 or 1.0.8.26 and this issue is occurring, perform either of the following: Copy the keystore file (/opt/java8/jre/lib/security/cacerts) from the system which has Java 8 1.0.8.24 (or earlier) installed. Or Download root certificate (Digicert Global Root G2) then add it into the keystore file. a) Download the root CA, DigiCert Global Root G2 from the URL below: https://www.digicert.com/kb/digicert-root-certificates.htm#roots # ll DigiCertGlobalRootG2.crt.pem -rw-r--r-- 1 root sys 1294 Sep 8 15:46 DigiCertGlobalRootG2.crt.pem b) Check fingerprint. # openssl x509 -in DigiCertGlobalRootG2.crt.pem -fingerprint -sha256 SHA256 Fingerprint=CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F digicertglobalrootg2, May 17, 2016, trustedCertEntry, Certificate fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F c) Check if the keystore have the entry for the root CA. - Java80 1.0.8.24: # /opt/java8/jre/bin/keytool -list -keystore /opt/java8/jre/lib/security/cacerts -storepass changeit | \ > grep -i -e 'CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F' Certificate fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F - Java80 1.0.8.25 and Java80 1.0.8.26: # /opt/java8/jre/bin/keytool -list -keystore /opt/java8/jre/lib/security/cacerts -storepass changeit | \ > grep -i -e 'CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F' d) Install the root CA to the keystore. # /opt/java8/jre/bin/keytool -import -trustcacerts \ > -keystore /opt/java8/jre/lib/security/cacerts \ > -storepass changeit \ > -file DigiCertGlobalRootG2.crt.pem \ > -alias digicertglobalrootg2 e) Ensure it is installed. # /opt/java8/jre/bin/keytool -list -keystore /opt/java8/jre/lib/security/cacerts -storepass changeit | \ > grep -i -e digicertglobalroot -e 'CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F' digicertglobalrootg2, Sep 8, 2023, trustedCertEntry, Certificate fingerprint (SHA-256): CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F Resolution #1 HPE will release Java 8 to fix the keystore file (cacerts) in the next Java 8 release. Scenario #2 The error is caused by a known Java 1.8.0.21 issue documented in customer advisory "HP-UX 11i Java - Application may not Start after HP-UX 11i Java upgrade to 8.0.21 or 7.0.32 and Display "java.lang.SecurityException: The jurisdiction policy files are not signed by the expected signer!" https://support.hpe.com/hpesc/public/docDisplay?docId=emr_na-a00115754en_us Resolution #2 Apply the solution described in the document by modifying /opt/java8/jre/lib/security/java.security and setting policy to "unlimited". The issue can be worked around with the steps below, for Java 1.8.0.21.00 (or later). Un-comment "crypto.policy=unlimited" or add "crypto.policy=limited" in /opt/java8/jre/lib/security/java.security, according to country specific conformance rules. OR Remove US_export_policy.jar and local_policy.jar files, e.g.: # mv /opt/java8/jre/lib/security/US_export_policy.jar /tmp # mv /opt/java8/jre/lib/security/local_policy.jar /tmp RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively in your e-mail through HPE Support Alerts. Sign up for Support Alerts at the following URL: HPE Email Preference Center NAVIGATION TIP: For hints on navigating HPE.com to locate the latest drivers, patches and other support software downloads, refer to the Navigation Tips document. SEARCH TIP: For hints on locating similar documents on HPE.com, refer to the Search Tips document.