zowe / community

Zowe Community - Sub-projects, Squads, Contribution Guidelines, Meeting Minutes, and more

ZWEL0169E: Failed to create certificate

o-salviano opened this issue · comments

We are trying to configure and bring up a Zowe instance in our environment for a Proof of Concept. For several reasons we are using what is already installed and configured in our environment to speed up the process.

During the certificate initialization phase (we are using scenario 1, for self-signed certificates) we encountered the error below (for security reasons I changed the LPAR name, username, domain, IP address in the logs).

  1. Those are the versions of some of the prerequisites:
SRV1:/u/username:->java -version
java version "1.8.0_381"
Java(TM) SE Runtime Environment (build 8.0.8.10 - pmz6480sr8fp10-20230703_02(SR8 FP10))
IBM J9 VM (build 2.9, JRE 1.8.0 z/OS s390x-64-Bit Compressed References 20230628_53798 (JIT enabled, AOT enabled)
OpenJ9   - a962f72
OMR      - 40dbd2d
IBM      - 696e9df)
JCL - 20230630_01 based on Oracle jdk8u381-b09
SRV1:/u/username:->javac -version
javac 1.8.0
SRV1:/u/username:->node --version
v16.20.1
SRV1:/u/username:->npm --version
8.19.4
SRV1:/u/username:->zwe version
Zowe v2.10.0
  2. Those are the current environment variables:
SRV1:/u/username:->env
_CXX_LIBDIRS=/lib /usr/lib
MAIL=/usr/mail/USERNAME
PATH=/SRV101/_PRDS/NJS/v16/IBM/node-v16.20.1-os390-s390x-202307241558/bin:/SRV101/usr/lpp/java/J8.0_64/bin:/SRV101/_PRDS/PYT/v3.9/pyz/bin:/SRV101/_PRDS/ZOWE/v1/bin:/_PRDS/PYT/v3.9/pyz/bin:/usr/lpp/java/J8.0_64/bin:/bin:/usr/sbin:/usr/lpp/ZosExtensions/bin:.:.
_TAG_REDIR_IN=TXT
_CXX_WORK_UNIT=3390
_CXX_INCDIRS=/usr/include /usr/lpp/ioclib/include
SSH_CLIENT=192.168.100.11 54501 22
_BPXK_AUTOCVT=ON
SHELL=/bin/sh
_CC_LIBDIRS=/lib /usr/lib
_C89_SLIB_PREFIX=SYS1
_C89_CLIB_PREFIX=SYS1
SSH_TTY=/dev/ttyp0001
npm_config_nodedir=/SRV101/_PRDS/NJS/v16/IBM/node-v16.20.1-os390-s390x-202307241558
_CXX_PLIB_PREFIX=SYS1
_CC_WORK_UNIT=3390
_CC_INCDIRS=/usr/include /usr/lpp/ioclib/include
PS1=$SYSID:${PWD}:->
_CEE_RUNOPTS= FILETAG(AUTOCVT,AUTOTAG) POSIX(ON)
_CC_PLIB_PREFIX=SYS1
_BPX_SPAWN_SCRIPT=YES
_=/bin/env
CLASSPATH=/usr/lpp/WebSphere/AppServer/lib/jsdk.jar:/usr/lpp/WebSphere/AppServer/lib/jst.jar:/usr/lpp/WebSphere/AppServer/lib/x509v1.jar:/usr/lpp/WebSphere/AppServer/lib/ibmwebas.jar
LOGNAME=USERNAME
STEPLIB=none
LANG=C
LIBPATH=/lib:/usr/lib
_TAG_REDIR_OUT=TXT
_CXX_SLIB_PREFIX=SYS1
_CXX_CLIB_PREFIX=SYS1
_C89_LIBDIRS=/lib /usr/lib
USER=USERNAME
TERM=xterm
_BPX_SHAREAS=YES
_C89_WORK_UNIT=3390
_C89_INCDIRS=/usr/include /usr/lpp/ioclib/include
HOME=/u/USERNAME
NODE_SMF89_SUPPRESS_WARNING=1
_CC_SLIB_PREFIX=SYS1
_CC_CLIB_PREFIX=SYS1
_C89_PLIB_PREFIX=SYS1
SSH_CONNECTION=192.168.100.11 54501 192.168.100.30 22
JAVA_HOME=/usr/lpp/java/J8.0_64
TZ=MST7MDT
_TAG_REDIR_ERR=TXT
MANPATH=/usr/man/%L:/bin/man/%L:/usr/lpp/tcpip/man/%L:/usr/lpp/ZosExtensions/man/%L:/usr/lpp/eim/man/%L:/usr/lpp/dfs/global/man/%L:/usr/lpp/Printsrv/man/%L:/usr/lpp/ihsa_zos/man/%L
NLSPATH=/usr/lib/nls/msg/%L/%N
npm_config_zoslib_include_dir=/SRV101/_PRDS/NJS/v16/IBM/node-v16.20.1-os390-s390x-202307241558/include/node/zoslib
  3. This is the Certificate part of zowe.yaml that we are using:
certificate:                         
  type: PKCS12                       
  pkcs12:                            
    directory: /global/zowe/keystore 
    lock: true                       
    name: localhost                  
    # password: password             
    caAlias: local_ca                
    # caPassword: local_ca_password  
  # dname:                           
  #   caCommonName: ""               
  #   commonName: ""                 
  #   orgUnit: ""                    
  #   org: ""                        
  #   locality: ""                   
  #   state: ""                      
  #   country: ""                    
  validity: 3650                     
  san:                               
    - domain.subdomain               
    - 192.168.100.30                 
  4. And these are the messages we've got while running the Certificate initialization phase:
SRV1:/u/username:->zwe init certificate -c ./zowe.yaml
-------------------------------------------------------------------------------
>> Creating certificate authority "local_ca"

>>>> Generate PKCS12 format local CA with alias local_ca:

>> Certificate authority local_ca is created successfully.

-------------------------------------------------------------------------------
>> Export keystore /global/zowe/keystore/local_ca/local_ca.keystore.p12

>>>> List content of keystore "/global/zowe/keystore/local_ca/local_ca.keystore.p12":
>>>> Export certificate "local_ca" to PEM format

>> Keystore /global/zowe/keystore/local_ca/local_ca.keystore.p12 is exported successfully.

-------------------------------------------------------------------------------
>> Creating certificate "localhost"

>>>> Generate certificate "localhost" in the keystore localhost:
>>>> Generate CSR for the certificate "localhost" in the keystore "localhost":
>>>> Sign the CSR using the Certificate Authority "local_ca":
  * Exit code: 1
  * Output:
    keytool error (likely untranslated): java.lang.IllegalArgumentException: java.util.Vector incompatible with [Ljava.lang.Object;
Error ZWEL0169E: Failed to create certificate "localhost".

Is there anything we can do to resolve this block on certificate initialization? Also, any suggestions for education on the subject (certificates, PKCS12 and KeyRing) for those who are starting to deal with the subject in a not very intuitive way?

This is a keytool bug introduced in Java 8.0.8.10. It was fixed in 8.0.8.15.
See IBM APAR: https://www.ibm.com/support/pages/apar/IJ48749

Upgrading or downgrading Java will fix your issue.
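
A pre-flight check for the Java level named in the answer above, to run before `zwe init certificate`; this is an added example, not part of the original thread or of Zowe's tooling. The function names are hypothetical, the affected range (8.0.8.10 up to but not including 8.0.8.15) is taken from the answer, and the second sample line is constructed.

```shell
#!/bin/sh
# Sample 1: the `java -version` lines posted in the issue (affected level).
SAMPLE_AFFECTED='java version "1.8.0_381"
Java(TM) SE Runtime Environment (build 8.0.8.10 - pmz6480sr8fp10-20230703_02(SR8 FP10))'
# Sample 2: constructed line standing in for a level that carries the fix.
SAMPLE_FIXED='java version "1.8.0"
Java(TM) SE Runtime Environment (build 8.0.8.15 - constructed-sample)'

# Print the four-part IBM build level (e.g. 8.0.8.10) found in `java -version`
# text; prints nothing when the text has no such build string.
ibm_java_build() {
    printf '%s\n' "$1" |
        sed -n 's/.*Runtime Environment (build \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p' |
        head -n 1
}

# Exit status: 0 = inside the affected range, 1 = outside it,
# 2 = build level could not be determined.
keytool_bug_affected() {
    build=$(ibm_java_build "$1")
    [ -n "$build" ] || return 2
    case "$build" in
        8.0.8.*) fix=${build##*.} ;;   # keep only the last field
        *) return 1 ;;
    esac
    [ "$fix" -ge 10 ] && [ "$fix" -lt 15 ]
}

# Human-readable verdict for one `java -version` capture.
report() {
    rc=0
    keytool_bug_affected "$1" || rc=$?
    case "$rc" in
        0) echo "AFFECTED: $(ibm_java_build "$1") - expect ZWEL0169E when the CSR is signed" ;;
        1) echo "OK: $(ibm_java_build "$1") is outside 8.0.8.10..8.0.8.14" ;;
        *) echo "UNKNOWN: no IBM build level found, check manually" ;;
    esac
}

report "$SAMPLE_AFFECTED"
report "$SAMPLE_FIXED"
# On the target system (java -version writes to stderr):
#   report "$(java -version 2>&1)"
```
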

Thanks a lot @js665999
We'll proceed with the Java upgrade.

Have a nice week.

Just a quick update: the Java update worked perfectly, thanks again.