tracker issue : CF-4198542

select a category, or use search below
(searches all categories and all time range)

Unable to initialise Security service, Client Storage service, and WatchService service

| View in Tracker

Status/Resolution/Reason: Closed/Withdrawn/NotABug

Reporter/Name(from Bugbase): ANDREW LORIEN / ANDREW LORIEN ()

Created: 04/20/2017

Components: Installation/Config

Versions: 10.0

Failure Type: Others

Found In Build/Fixed In Build: 10,0,22,301868 /

Priority/Frequency: Normal /

Locale/System: / Linux

Vote Count: 0

Problem Description:
When testing Java update (Java SE Development Kit 8u131) on our CF 10 server, I was not able to load CF admin and had the following errors:
- Unable to initialise Security service
- Unable to initialise Client Storage service
- Unable to initialise WatchService service

The detailed error can be found in the attachment (exception.log). I also attach the server log.

Steps to Reproduce:
Set java home to java.home=/usr/java/jdk1.8.0_131/jre/ then restart CF instance.

CF Version 10,0,22,301868
OS: Red Hat Enterprise Linux Server release 6.8

Issue doesn't exist when /usr/java/jdk1.8.0_121/jre is used.

Actual Result:

Expected Result:

Any Workarounds:


  1. April 20, 2017 00:00:00: exception.log
  2. April 20, 2017 00:00:00: server.log


Issues are likely to be related to Error constructing implementation (algorithm: FIPS186PRNG, provider: JsafeJCE, class: com.rsa.jsafe.provider.JSA_FIPS186PRNGXChangeNoticeGeneral) java.lang.SecurityException: JsafeJCE provider self-integrity check failed at com.rsa.jsafe.provider.JsafeJCE.c(Unknown Source) at com.rsa.jsafe.provider.JsafeJCE.b(Unknown Source) at com.rsa.jsafe.provider.JSA_FIPS186PRNGX.<init>(Unknown Source) at com.rsa.jsafe.provider.JSA_FIPS186PRNGXChangeNoticeGeneral.<init>(Unknown Source)
Comment by ANDREW L.
908 | April 20, 2017 04:50:29 AM GMT
Further research that we did seems to confirm that JsafeJCE is likely to be the problem. In the following post we found the following statement "Oracle JRE will no longer trust MD5-signed code by default" "Beginning with the April 2017 Critical Patch Update, JAR files signed using MD5 will no longer be considered as signed by the Oracle JRE. Affected MD5-signed JAR files will no longer be considered trusted and as a result will not be able to run by default, such as in the case of Java applets, or Java Web Start applications." Running the following command "jarsigner -verify -verbose /opt/coldfusion10/cfusion/lib/jsafeJCEFIPS.jar" shows the following result: ============================================================================ - Signed by "CN=RSA Security Inc., OU=Java Software Code Signing, O=Sun Microsystems Inc" Digest algorithm: SHA1 Signature algorithm: MD5withRSA (weak), 1024-bit key WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property: jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 ============================================================================ The jar file is treated as unsigned, because it is signed with a weak algorithm that is now disabled Can Adobe let us know if this will be fixed soon or whether there is a workaround? This is quite urgent for us. Thanks
Comment by ANDREW L.
909 | April 21, 2017 12:30:03 AM GMT
Hi Andrew, Is this resolved or are you still facing the issue. Regards, Manas
Comment by Manas M.
910 | May 25, 2017 10:57:37 AM GMT