Symantec IGA

  • Private Community

  • 1.  ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Posted Aug 29, 2018 04:30 AM

    06:35:57,409 ERROR [ims.ui] (http-/0.0.0.0:8080-3) JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader: [facility=6 severity=3 reason=0 status=0 message=Wrapped Exception: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader]
    JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader
    at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:124)
    at org.jboss.as.naming.InitialContext.init(InitialContext.java:107)
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_80]
    at org.jboss.as.naming.InitialContext.<init>(InitialContext.java:98)
    at org.jboss.as.naming.InitialContextFactory.getInitialContext(InitialContextFactory.java:44)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) [rt.jar:1.7.0_80]
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307) [rt.jar:1.7.0_80]
    at javax.naming.InitialContext.init(InitialContext.java:242) [rt.jar:1.7.0_80]
    at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153) [rt.jar:1.7.0_80]
    at com.netegrity.llsdk6.imsimpl.directory.jndi.LdapOps.openLdapContext(LdapOps.java:103) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.directory.jndi.LdapOps.<init>(LdapOps.java:84) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.directory.jndi.LdapOps.getLdapOps(LdapOps.java:222) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.directory.jndi.JNDIBase.getObject(JNDIBase.java:518) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.directory.jndi.JNDIDirectoryProvider.getObject(JNDIDirectoryProvider.java:391) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.provider.UserProviderImpl.findUser(UserProviderImpl.java:220) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.provider.UserProviderImpl.findUser(UserProviderImpl.java:196) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.ImsEnvironmentImpl.getPublicUser(ImsEnvironmentImpl.java:734) [imsapi6.jar:]
    at com.netegrity.llsdk6.imsimpl.ImsEnvironmentImpl.getPublicUser(ImsEnvironmentImpl.java:718) [imsapi6.jar:]
    at com.netegrity.ims.businessprocess.TaskServiceImpl.createTaskSession(TaskServiceImpl.java:164) [ims.jar:]
    at com.netegrity.webapp.page.TaskController.getTaskSessionByTag(TaskController.java:2482) [user_console.jar:]
    at com.netegrity.webapp.page.TaskController.createTaskControllerByTaskTag(TaskController.java:2178) [user_console.jar:]
    at com.netegrity.taglib.skin.TagUtilLocal.update(TagUtilLocal.java:246) [user_console.jar:]
    at com.netegrity.taglib.skin.UpdateTag.doEndTag(UpdateTag.java:132) [user_console.jar:]
    at org.apache.jsp.app.imcss.index_jsp._jspx_meth_skin_005fupdate_005f0(index_jsp.java:708)
    at org.apache.jsp.app.imcss.index_jsp._jspService(index_jsp.java:127)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:69) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
    at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:365) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:309) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:242) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:832) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:620) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:553) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:482) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at com.netegrity.webapp.filter.ConsolePageFilter.doFilter(ConsolePageFilter.java:527) [user_console.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at com.netegrity.webapp.page.jsf.FacesFilter.doFilter2(FacesFilter.java:180) [user_console.jar:]
    at com.netegrity.webapp.page.jsf.FacesFilter.doFilter(FacesFilter.java:151) [user_console.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.myfaces.webapp.filter.ExtensionsFilter.doFilter(ExtensionsFilter.java:147) [tomahawk-1.1.5.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at com.netegrity.webapp.authentication.FrameworkLoginFilter.doFilter(FrameworkLoginFilter.java:248) [user_console.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at com.netegrity.webapp.filter.LocaleFilter.doFilter(LocaleFilter.java:100) [user_console.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at com.netegrity.webapp.filter.ClientExtractFilter.doFilter(ClientExtractFilter.java:35) [user_console.jar:]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_80]
    Caused by: javax.naming.CommunicationException: simple bind failed: wwl.2wglobal.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:218) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2740) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84) [rt.jar:1.7.0_80]
    at org.jboss.as.naming.InitialContext.getDefaultInitCtx(InitialContext.java:122)
    ... 66 more
    Caused by: javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [jsse.jar:1.7.0_80]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904) [jsse.jar:1.7.0_80]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279) [jsse.jar:1.7.0_80]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:269) [jsse.jar:1.7.0_80]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1409) [jsse.jar:1.7.0_80]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209) [jsse.jar:1.7.0_80]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913) [jsse.jar:1.7.0_80]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:849) [jsse.jar:1.7.0_80]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023) [jsse.jar:1.7.0_80]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332) [jsse.jar:1.7.0_80]
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709) [jsse.jar:1.7.0_80]
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122) [jsse.jar:1.7.0_80]
    at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82) [rt.jar:1.7.0_80]
    at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:431) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:404) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:358) [rt.jar:1.7.0_80]
    at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:213) [rt.jar:1.7.0_80]
    ... 73 more

     

     

     

    Although certificates are in place and after a wait for 5-6 minutes the error goes automatically and the conenction with the directory is established.

     

    IM version is 12.6 and is integrated with SM and AD is used as a user store 



  • 2.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Broadcom Employee
    Posted Aug 29, 2018 12:07 PM

    What version of Java are you running?  You can run the following command:

     

    java -version.

     

    I am familar with an issue where you see the error "Caused by: javax.naming.CommunicationException: simple bind failed: wwl.2wglobal.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]"

     

    I saw it when there was an issue with the version of Java.  

     

    The issue was introduced starting in java 1.7.0_41 and was fixed in 1.7.0_85 

     

    http://stackoverflow.com/questions/27105004/what-means-javax-net-ssl-sslhandshakeexception-server-certificate-change-is-re 

     

    https://bugs.openjdk.java.net/browse/JDK-8072385 

     

    Check java.  At the time this was resolved by updating Java version to JDK 1.7.0_85, or by downgrading to Java 1.7.0_40.  Now we have later versions of the JDK but it is possible you are using one of the JDK versions where this was an issue.  Thank you.



  • 3.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Posted Aug 29, 2018 01:37 PM

    Yes we are using the older version and i also read about this issue but since this is production  and this issue was not happening before so I am wondering before i upgrade my JDK if this is the root cause?



  • 4.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Posted Aug 29, 2018 01:41 PM

    We have 1.7.0_80.



  • 5.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Broadcom Employee
    Posted Aug 29, 2018 01:58 PM

    Dhawan,

    I have assisted other clients with the error:

     

    06:35:57,409 ERROR [ims.ui] (http-/0.0.0.0:8080-3) JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader: [facility=6 severity=3 reason=0 status=0 message=Wrapped Exception: JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader]
    JBAS011843: Failed instantiate InitialContextFactory com.sun.jndi.ldap.LdapCtxFactory from classloader ModuleClassLoader for Module "deployment.iam_im.ear.user_console.war:main" from Service Module Loader

    ...

    Caused by: javax.naming.CommunicationException: simple bind failed: wwl.2wglobal.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: server certificate change is restrictedduring renegotiation]

     

     

    and resolved the issue by updating java to JDK prior to 1.7.0_40.  Please note, this is also supposed to be fixed in JDK 1.7.0_85, but that JDK is not publicly available, and requires a specific support contract with oracle to be able to access.



  • 6.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory

    Posted Aug 29, 2018 02:06 PM

    Shall i down load the older versjon n from the Java client Window just select the older versjon ? Will that work or will i have to set the Java home n change in config files

     

    Sent from my iPhone



  • 7.  Re: ERROR [ims.ui]JBAS011843: Failed instantiate InitialContextFactory
    Best Answer

    Broadcom Employee
    Posted Aug 30, 2018 04:47 AM

    I've also seen this problem. I guess that wwl.2wglobal.com is either a load balancer or a generic domain name for the AD domain. What is happening is that when IM tries to renegotiate the SSL connection it is now talking to a different server that presents a different certificate. That was considered a security vulnerability after Poodle.

     

    See the Java 1.7.0_72 release notes on this. In particular the following

     

    Oracle wrote:

     

    Unsafe Server Certificate Change in SSL/TLS Renegotiations Not Allowed.

    Starting with JDK 7u71, unsafe server certificate change in SSL/TLS renegotiations is not allowed by default. Server certificate change in an SSL/TLS renegotiation may be unsafe and should be restricted:

    ...

    If unsafe server certificate change is really required, please set the system property, jdk.tls.allowUnsafeServerCertChange, to "true" before JSSE is initialized. Note that this would re-establish the unsafe server certificate change issue.

     

     

    So you can add -Djdk.tls.allowUnsafeServerCertChange=true to the parameters in the IM start-up script and restart. That should fix the problem and may be easier than downgrading the JDK.

     

    Pearse