Workbench produces 'Failed to initialize DATASTAGE_ASB authentication' error on startup
Issue
Starting the MCI Workbench Service produces output that appears to be healthy:
> service dm-mettleci-workbench start
Starting MettleCI Workbench ...
MettleCI Workbench: Java Executable location /bin/java
MettleCI Workbench: Java Vendor is Red
MettleCI Workbench: Java Version is 1.8
MettleCI Workbench has been started
But immediately checking the status of MCI Workbench shows that it failed to start:
> service dm-mettleci-workbench status
/opt/dm/mci/METTLE_UI.pid dead but pidfile exists
and the following exception appears in mci.log:
java.lang.RuntimeException: Failed to initialize DATASTAGE_ASB authentication method, please verify configuration or change authentication method to DATASTAGE_COMPATIBILITY
at com.datamigrators.mettle.modules.datastage.DatastageAsbModule.providerAsbServiceFactory(DatastageAsbModule.java:54)
<...snip...>
Caused by: java.lang.SecurityException: The IBMJCE provider may have been tampered.
at com.ibm.crypto.provider.PBEWithMD5AndTripleDESCipher.<init>(Unknown Source)
<...snip...>
Cause
Both the DataStage Engine and MettleCI Workbench rely on a set of cryptographically signed Java libraries known as IBMJCE. Up until version 11.7.1.4 SP1, the IBMJCE libraries packaged with DataStage were signed using the SHA-1 algorithm, which is considered cryptographically weak by today's standards.
Java OpenJDK version 1.8u362 introduced a change which disables SHA-1 signed Java libraries. When MettleCI Workbench is using OpenJDK 1.8u362 or later and attempts to load a SHA-1 signed version of the IBMJCE libraries, Java security settings block the loading of many required classes and the IBMJCE libraries incorrectly report that "The IBMJCE provider may have been tampered".
Diagnosis
Please verify that MettleCI Workbench is version 1.0-1636 or earlier and is running on Java OpenJDK version 1.8u362 or later.
Log in to the DataStage engine where MettleCI Workbench has been installed, run the following command, and verify that the output confirms the jar has been signed with a weak algorithm that is now disabled:
This command assumes Java OpenJDK 1.8 is on the path and Information Server has been installed in /opt/IBM/InformationServer.
Solution
MettleCI Workbench version 1.0-1637+ detects IBMJCE library and OpenJDK security incompatibilities and will automatically adjust its runtime security settings as needed.
If you are unable to upgrade MettleCI Workbench to version 1.0-1637 or later, apply the following manual workaround:
Log into the DataStage Engine where MettleCI Workbench is installed
Open <OpenJDK Install Directory>/jre/lib/security/java.security for editing
Find the jdk.certpath.disabledAlgorithms property and remove the SHA1 usage SignedJAR & denyAfter 2019-01-01 entry (including any trailing , character)
Find the jdk.jar.disabledAlgorithms property and remove the SHA denyAfter 2019-01-01 entry (including any trailing , character)
Save and restart MettleCI Workbench.
NOTE
Unlike Workbench version 1.0-1637+, this manual workaround modifies the security settings for all Java applications that use the same JVM as MettleCI.
As an example, the following java.security file:
Should be modified to look like this:
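The same edit carried out on a constructed java.security fragment, as an added example that is not part of the original article or MettleCI's own code. The function name apply_workaround and the sample property values (modeled on OpenJDK 8 defaults) are assumptions, and the sketch assumes =-separated properties with backslash line continuations.

```python
import re

# Entries the article says to remove. Its text spells the second "SHA denyAfter ...";
# OpenJDK's shipped java.security spells it "SHA1 denyAfter ...", so both match.
TARGETS = {
    "jdk.certpath.disabledAlgorithms": re.compile(r"SHA1 usage SignedJAR & denyAfter 2019-01-01"),
    "jdk.jar.disabledAlgorithms": re.compile(r"SHA1? denyAfter 2019-01-01"),
}

# Constructed fragment modeled on OpenJDK 8 defaults (not taken from a real host).
SAMPLE = r"""# unrelated lines pass through unchanged
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, SHA1 usage SignedJAR & denyAfter 2019-01-01, \
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, SHA1 denyAfter 2019-01-01
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1
"""

def apply_workaround(text):
    """Return (new_text, removed); removed lists the (property, entry) pairs dropped."""
    lines, out, removed, i = text.split("\n"), [], [], 0
    while i < len(lines):
        block = [lines[i]]
        comment = lines[i].lstrip().startswith(("#", "!"))
        # A trailing backslash continues a property onto the next physical line.
        while not comment and block[-1].rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            block.append(lines[i])
        i += 1
        key, sep, value = " ".join(l.strip().rstrip("\\") for l in block).partition("=")
        pattern = None if comment else TARGETS.get(key.strip())
        if pattern is None or not sep:
            out.extend(block)  # not a targeted property: keep the original lines
            continue
        entries = [e.strip() for e in value.split(",") if e.strip()]
        kept = [e for e in entries if not pattern.fullmatch(e)]
        removed += [(key.strip(), e) for e in entries if pattern.fullmatch(e)]
        # Rewriting the list from the kept entries also drops the trailing comma.
        out.append(f"{key.strip()}={', '.join(kept)}")
    return "\n".join(out), removed

if __name__ == "__main__":
    new_text, removed = apply_workaround(SAMPLE)
    print(new_text)
    for prop, entry in removed:
        print(f"removed from {prop}: {entry}")
```

Working on a copy of the file and diffing it against the original makes the change easy to review, and easy to revert after upgrading to Workbench 1.0-1637 or later.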
© 2015-2024 Data Migrators Pty Ltd.