
Workbench produces 'Failed to initialize DATASTAGE_ASB authentication' error on startup

Issue

Starting the MCI Workbench Service produces output that appears to be healthy:

> service dm-mettleci-workbench start
> Starting MettleCI Workbench ...
> MettleCI Workbench: Java Executable location /bin/java
> MettleCI Workbench: Java Vendor is Red
> MettleCI Workbench: Java Version is 1.8
> MettleCI Workbench has been started

But immediately checking the status of MCI Workbench shows that it failed to start:

> service dm-mettleci-workbench status
> /opt/dm/mci/METTLE_UI.pid dead but pidfile exists

and the following Exception appears in the mci.log:

java.lang.RuntimeException: Failed to initialize DATASTAGE_ASB authentication method, please verify configuration or change authentication method to DATASTAGE_COMPATIBILITY
    at com.datamigrators.mettle.modules.datastage.DatastageAsbModule.providerAsbServiceFactory(DatastageAsbModule.java:54)
    <...snip...>
Caused by: java.lang.SecurityException: The IBMJCE provider may have been tampered.
    at com.ibm.crypto.provider.PBEWithMD5AndTripleDESCipher.<init>(Unknown Source)
    <...snip...>

Cause

Both the DataStage Engine and MettleCI Workbench rely on a set of cryptographically signed Java libraries known as IBMJCE. Up until version 11.7.1.4 SP1, the IBMJCE libraries packaged with DataStage were signed using the SHA-1 algorithm, which is considered cryptographically weak by today’s standards.

Java OpenJDK version 1.8u362 introduced a change which disables SHA-1 signed Java libraries. When MettleCI Workbench is using OpenJDK 1.8u362 or later and attempts to load a SHA-1 signed version of the IBMJCE libraries, the Java security settings block the loading of many required classes, and the IBMJCE libraries incorrectly report that "The IBMJCE provider may have been tampered."

Diagnosis

Please verify that MettleCI Workbench is version 1.0-1636 or earlier and is running on Java OpenJDK version 1.8u362 or later.

Log in to the DataStage engine where MettleCI Workbench has been installed, run the following command, and verify that the output confirms the jar has been signed with a weak algorithm that is now disabled:

This command assumes Java OpenJDK 1.8 is on the path and Information Server has been installed in /opt/IBM/InformationServer.

Solution

MettleCI Workbench version 1.0-1637+ detects IBMJCE library and OpenJDK security incompatibilities and will automatically adjust its runtime security settings as needed.

If you are unable to upgrade MettleCI Workbench to version 1.0-1637 or later, apply the following manual workaround:

  1. Log into the DataStage Engine where MettleCI Workbench is installed

  2. Open <OpenJDK Install Directory>/jre/lib/security/java.security for editing

  3. Find the jdk.certpath.disabledAlgorithms property and remove the SHA1 usage SignedJAR & denyAfter 2019-01-01 entry (including any trailing , character)

  4. Find the jdk.jar.disabledAlgorithms property and remove the SHA denyAfter 2019-01-01 entry (including any trailing , character)

  5. Save and restart MettleCI Workbench.

NOTE
Unlike Workbench version 1.0-1637+, this manual workaround modifies the security settings for all Java applications that use the same JVM as MettleCI.
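Because the manual edit applies to the whole JVM, it helps to be able to tell which state a given java.security file is in. The script below is an added example, not part of the original article or of MettleCI: it reads the two properties named in steps 3 and 4 and reports whether the SHA-1 signed JAR entry is still present. The function names and the sample file contents are constructed for illustration.

```sh
# Added example: audit java.security for the SHA-1 signed-JAR entries.

# Print the effective value of property $2 in file $1, joining "\" continuations.
get_prop() {
    awk -v key="$2" '
        !cont && (/^[ \t]*[#!]/ || /^[ \t]*$/) { next }   # comments, blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!cont) buf = ""
            cont = sub(/\\$/, "", line)       # 1 when the line ends in a backslash
            buf = buf line
            if (cont) next
            eq = index(buf, "=")
            if (eq && substr(buf, 1, eq - 1) == key) val = substr(buf, eq + 1)
        }
        END { print val }' "$1"
}

# Succeed when property $2 has a "SHA1 ... denyAfter" entry ("SHA ..." also accepted).
blocks_sha1_jars() {
    get_prop "$1" "$2" | tr ',' '\n' |
        grep -Eq '^[[:space:]]*SHA1?[[:space:]].*denyAfter'
}

# Report both properties from steps 3 and 4; return 1 if either was relaxed.
audit_java_security() {
    rc=0
    for prop in jdk.certpath.disabledAlgorithms jdk.jar.disabledAlgorithms; do
        if blocks_sha1_jars "$1" "$prop"; then state=present; else state=ABSENT; rc=1; fi
        echo "$prop: SHA-1 signed JAR entry $state"
    done
    return $rc
}

# Constructed sample: step 4 has been applied, step 3 has not.
write_sample() {
    cat > "$1" <<'EOF'
# constructed excerpt, not a complete java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
    RSA keySize < 1024, SHA1 usage SignedJAR & denyAfter 2019-01-01, \
    include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
    DSA keySize < 1024, include jdk.disabled.namedCurves
EOF
}

sample=$(mktemp) && write_sample "$sample"
audit_java_security "$sample" || echo "java.security has been relaxed; review"
rm -f "$sample"
```

To check a real installation, call `audit_java_security` with the path from step 2; a non-zero return means at least one of the two entries has been removed for every application on that JVM.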

As an example, the following java.security file:

Should be modified to look like this:

© 2015-2024 Data Migrators Pty Ltd.