Java 17 / JCEKS not found

IdentityIQ (IIQ) IIQ Discussion and Questions
,
1

Which IIQ version are you inquiring about?

Version 8.3

Share all details related to your problem, including any error messages you may have received.

I’m logged in to our IIQ server, and I’m in …/WEB-INF/bin. I type “./iiq keystore” and get back the message:

adding exports for Java 17
sailpoint.tools.GeneralException: Error initializing alternate configuration store.java.security.KeyStoreException: JCEKS not found

I believe that this is causing other problems in IIQ as I am seeing, “sailpoint.tools.GeneralException: There is a problem with the keystore installed on this system.” in the server logs.

2

Hi @jsgentry1,

Welcome back to the developer community!

Did you recently updated sailpoint(patch or version upgrade)?

3

No, we haven’t updated SailPoint IIQ. We are using 8.3p1.

4

open cmd on web-inf/bin folder and try this command-> iiq sailpoint.server.KeyStoreConsole

instead of .\iiq keystore

5

Thank you. I tried your suggestion, and got the same result. :frowning:

6

was there any changes to java version in the system recently?

7

No, there were no changes to our Java version it is:

$  java -version
openjdk version "17.0.10" 2024-01-16 LTS
OpenJDK Runtime Environment (Red_Hat-17.0.10.0.7-1) (build 17.0.10+7-LTS)
OpenJDK 64-Bit Server VM (Red_Hat-17.0.10.0.7-1) (build 17.0.10+7-LTS, mixed mode, sharing)
8

Can you check in your jdk java.security policy file if JCEKS entries are present or not

9

Hi Sunny!

What should the JCEKS entries look like?

10

Please see below link if this might help:

https://portal.microfocus.com/s/article/KM000004885?language=en_US

Resolution

It is recommended to disable it.

It can be disabled by setting Java system property "com.redhat.fips" to "false" as SSC starts Java sub-processes for some operations, we would recommend setting the system property via JDK_JAVA_OPTIONS or JAVA_TOOL_OPTIONS environment variable to apply the setting also to the sub-processes.
 
For example: JDK_JAVA_OPTIONS='-Dcom.redhat.fips=false'; export JDK_JAVA_OPTIONS;
 
An alternative workaround would be to edit "${java.home}/conf/security/java.security" (changes from the default are marked and the provider order is important):
1 Like
12

Thanks! That got iiq keystore running!

13

It turns ou that we needed to add the line below to our iiq.properties file to get everything ship-shape:
keyStore.type = PKCS12

14

HI @jsgentry1 and @sunnyajmera
Do you know why we are seeing “adding exports for Java 17” when logging into the IIQ console? Is this something we should be concerned about?

15

“adding exports for Java 17” is normal and nothing to be concerned about. If you want to know more, research Java Modules.

16

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.