IBM Support

WebSphere Application Server is not starting after upgrading to v8.5.5.21, v9.0.5.10 or later with error java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!

How To


Summary

After you install fix pack 8.5.5.21 or 9.0.5.10, the JDK is upgraded to JDK 8 SR7 or JDK 7 SR11.

You downloaded and installed the unrestricted policy files in your JDK folder some time ago.
That earlier version of the unrestricted policy files is not compatible with the new JDK versions, so when you start the server you see error messages like the following:

Caused by: java.lang.SecurityException: Cannot set up certs for trusted CAs
at javax.crypto.b.(Unknown Source)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:235)
... 63 more
Caused by: java.lang.SecurityException: Jurisdiction policy files are not signed by trusted signers!

Steps

Starting with Java 8 SR5 FP10 and Java 7 SR10 FP20, the unrestricted policy files are delivered with the JDK, so you don't have to download and install them, as you can read at
To bypass this issue, you have to use the new policy files delivered with the new JDK.
  • Check that there are no policy files in the folder WASINSTALLROOT/AppServer/java*/jre/lib/security/ (no US_export_policy.jar and local_policy.jar files in that folder). If you see those files, you must delete them.
  • Check in the WASINSTALLROOT/AppServer/java*/jre/lib/security/java.security file that the crypto.policy property is either not set or, if it is set, is set to crypto.policy=unlimited
That way you use the policy files delivered with the new JDK and the problem is fixed.
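The two checks above can be scripted. The following is an added example, not IBM-supplied code; it assumes a Unix shell and that the WebSphere install root (WASINSTALLROOT) is passed as the first argument. It only reports findings and deletes nothing.

```shell
#!/bin/sh
# Added example: report leftover unrestricted policy jars and a crypto.policy
# override under WASINSTALLROOT/AppServer/java*/jre/lib/security.

# Print the effective crypto.policy value from a java.security file.
# Commented-out lines are ignored; the last uncommented assignment wins.
# Prints nothing when the property is not set.
crypto_policy_value() {
    sed -n 's/^[[:space:]]*crypto\.policy[[:space:]]*[=:][[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# Check one jre/lib/security directory; return 1 if anything needs fixing.
check_security_dir() {
    dir=$1
    bad=0
    for jar in US_export_policy.jar local_policy.jar; do
        if [ -f "$dir/$jar" ]; then
            echo "REMOVE: $dir/$jar (old unrestricted policy file)"
            bad=1
        fi
    done
    if [ -f "$dir/java.security" ]; then
        value=$(crypto_policy_value "$dir/java.security")
        case $value in
            ''|unlimited) ;;   # unset or unlimited: the state the steps ask for
            *) echo "FIX: crypto.policy=$value in $dir/java.security"
               bad=1 ;;
        esac
    fi
    return $bad
}

# Walk every bundled JDK under the install root; return 1 on any finding.
audit_install() {
    root=$1
    rc=0
    for secdir in "$root"/AppServer/java*/jre/lib/security; do
        [ -d "$secdir" ] || continue
        check_security_dir "$secdir" || rc=1
    done
    return $rc
}

# Run the audit only when an install root is given on the command line.
if [ $# -gt 0 ]; then audit_install "$1"; fi
```

A non-zero exit status means at least one JDK directory still has an old policy jar or a crypto.policy value other than unlimited.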
If that doesn't fix the issue, the location of the unrestricted policy files might have been customized.
That can be done with the com.ibm.security.jurisdictionPolicyDir JVM custom property.
In that case, to fix the issue, follow these steps:
  1. Follow the instructions at Disabling WebSphere administrative security when admin console is not accessible
  2. After that, you will be able to start the server and access the WebSphere admin console.
  3. Click Servers > Server Types, and WebSphere application servers > server_name. Then, under Server Infrastructure, click Java and process management > Process definition > Java virtual machine.
  4. Scroll down to generic JVM arguments and remove the com.ibm.security.jurisdictionPolicyDir property.
  5. If you can't find it in the generic JVM arguments, click Custom properties and check for com.ibm.security.jurisdictionPolicyDir property there. Remove it.
  6. Re-enable the global security in the admin console.
  7. Restart the server.
The problem is fixed after that.

Document Location

Worldwide


Document Information

Modified date:
24 March 2022

UID

ibm16561619