IBM Support

Changing from OpenJDK (HotSpot) to IBM SDK (or viceversa) results in: Failed to start IBM UrbanCode Deploy

Troubleshooting


Problem

Attempts to replace the OpenJDK (HotSpot) (or Oracle® JDK) with the IBM® SDK, Java ™ Technology Edition when configuring IBM UrbanCode Deploy result in the error "java.lang.RuntimeException: Failed to start IBM UrbanCode Deploy" followed by "Caused by: java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector".
A similar error is obtained attempting to replace the IBM SDK with the OpenJDK (HotSpot) or OracleJDK. The same applies to replacing the Java Runtime Environment (JRE) of the corresponding vendors.

Symptom

Starting the UrbanCode Deploy server after replacing the OpenJDK (or the Oracle JDK) with the IBM SDK, Java Technology Edition results in the following error:


2014-12-05 13:39:25,689 ERROR main com.urbancode.container.tomcat.Container - Failed to start IBM UrbanCode Deploy java.lang.RuntimeException: Failed to start IBM UrbanCode Deploy
at com.urbancode.ds.UDeployServer.start(UDeployServer.java:440)
at com.urbancode.container.tomcat.Container.run(Container.java:98)
at com.urbancode.ds.UDeployServer.main(UDeployServer.java:289)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:95)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:56)
at java.lang.reflect.Method.invoke(Method.java:620)
at com.urbancode.launcher.Launcher.invokeMainMethod(Launcher.java:235)
at com.urbancode.launcher.Launcher.launch(Launcher.java:161)
at com.urbancode.launcher.Launcher.main(Launcher.java:89)
Caused by: java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector
at com.ibm.crypto.provider.JceKeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1226)
at com.urbancode.ds.UDeployServer.loadKeyStore(UDeployServer.java:1930)
at com.urbancode.ds.UDeployServer.retrieveSecretKey(UDeployServer.java:1883)
at com.urbancode.ds.UDeployServer.initializeEncryptionKey(UDeployServer.java:1864)
at com.urbancode.ds.UDeployServer.start(UDeployServer.java:426)


The same error will appear if you do the following:
  1. Use the OpenJDK (or the Oracle JDK) to launch the installation script of UrbanCode Deploy
     
  2. Provide the path to the IBM JDK, while running the installation script.


The reason is that the file encryption.keystore is created during the installation of IBM UrbanCode Deploy. Therefore encryption.keystore is compatible with the JVM that launches the installer script, not with the JVM that you use for running the server.

Starting with UrbanCode Deploy 6.2.1.1, the Agent also includes a file called encryption.keystore. So from this Agent version, you may also observe the following error in the Agent log, and the Agent will not appear in the list on the Server user interface:


2017-03-22 16:28:59,950 ERROR AgentWorkerThread com.urbancode.air.agent.AgentWorker - java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector
java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector
at com.ibm.crypto.provider.JceKeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(KeyStore.java:1456)
at com.urbancode.air.agent.AgentWorker.loadKeyStore(AgentWorker.java:690)
at com.urbancode.air.agent.AgentWorker.assertSecretKeyExists(AgentWorker.java:645)
at com.urbancode.air.agent.AgentWorker.initializeEncryptionKey(AgentWorker.java:632)
at com.urbancode.air.agent.AgentWorker.startAgent(AgentWorker.java:302)
at com.urbancode.air.agent.AgentWorker.execute(AgentWorker.java:228)
at com.urbancode.air.agent.AgentWorker.access$100(AgentWorker.java:102)
at com.urbancode.air.agent.AgentWorker$1.run(AgentWorker.java:169)

This change is documented here: Starting with version 6.2.1.1 of the product, you can enable end-to-end encryption of traffic that uses the JMS protocol.

Cause

The file encryption.keystore contains a secret key used to encrypt secured properties stored in the UrbanCode Deploy Database (in the case of the Server), or the API Key (in the case of the Agent). The IBM SDK cannot open the file encryption.keystore created by the OpenJDK (or the Oracle JDK) because the underlying formats are different.

As a consequence:
- any UrbanCode Deploy server installed with the OpenJDK (or the Oracle JDK) cannot start with the IBM SDK because the server cannot read the secured properties from the database.
- any UrbanCode Deploy agent installed with the OpenJDK (or the Oracle JDK) cannot start with the IBM SDK because the agent cannot read the encryption key and decipher the API Key. (Note: You can view the API key of an agent by clicking Settings > Security > API Keys on the server).

Diagnosing The Problem

Server:

Check the server log, located in: <server_installation>\var\log\deployserver.out to diagnose the problem.

Agent:

Check the agent log, located in: <agent_installation>\var\log\agent.out to diagnose the problem.

Resolving The Problem

Please open a Support Case with the IBM UrbanCode Deploy Support team to obtain the KeystoreConverter utility that will allow you to convert the encryption.keystore created by the OpenJDK (or Oracle JDK) into a keystore that the IBM SDK can read.
Note: You can also use the converter utility to convert the encryption.keystore created by the IBM SDK into a keystore that the OpenJDK (HotSpot) (or Oracle JDK) can read.

[{"Type":"MASTER","Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS4GSP","label":"IBM UrbanCode Deploy"},"ARM Category":[{"code":"a8m50000000Ceh3AAC","label":"UrbanCode Deploy"}],"ARM Case Number":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"All Versions"}]

Document Information

Modified date:
26 August 2022

UID

swg21692970

Page Feedback