TrustAnchors Cannot Be Empty

Problem

The following message appears in IBM Manta Data Lineage logs, or in Configurator while validating a connection, when a secured (TLS/SSL, for example HTTPS) connection is attempted.

java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

More Details

In general, this error is raised while the Java truststore is being accessed to find a trusted certificate (a trust anchor) against which the certificate presented by the remote side of a secured connection is validated. The message is generic and can have several causes, which have to be ruled out one by one. The following problems with the truststore can produce it.

  1. Truststore file is empty

  2. Truststore file is not found

  3. Password to access the truststore does not match the actual truststore password

  4. Requested certificate not found in the truststore

  5. Use of Oracle Java 8u241 or newer / OpenJDK 15 or newer with a truststore entry that is not a proper Certificate Authority (CA) certificate, for example a self-signed server (leaf) certificate imported as a trust anchor instead of the CA certificate that issued it; this applies to later Java releases as well

Solution

For issues #1–4—verify that the specified truststore file exists, that it is not empty, that the password matches, and that the CA certificate of the remote side is actually present in it (keytool -list -v shows the entries). If no truststore is specified, the default Java truststore is used: the cacerts file under the JDK's lib/security directory (jre/lib/security on Java 8), whose default password is changeit.

For issue #5—Oracle Java 8u241 and newer / OpenJDK 15 and newer have introduced new (stricter) checks that the trust anchors are CA certificates and carry the proper extensions. (See the Oracle Java 8u241 Release Notes for more details.) There are two ways to resolve this problem.

  1. Verify that the certificate that has been imported to your truststore meets the following requirements. (You may have to re-issue the certificate.)

    1. It has a basic constraints extension with the CA field set to true.

    2. If it includes a key usage extension, the keyCertSign bit is set.

  2. A system property named jdk.security.allowNonCaAnchor has been introduced to restore the previous behavior, if necessary. If the property is set to the empty string or to true (case-insensitive), trust anchor certificates are accepted even if they do not have the proper CA extensions. Pass it to the JVM that makes the connection, for example through the JAVA_OPTS variable read by the startup script: JAVA_OPTS=-Djdk.security.allowNonCaAnchor=true (the JVM must be restarted). Note that this disables a check that prevents a non-CA certificate from acting as a trust anchor, so prefer option 1 and treat the property as a temporary workaround.
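The following program walks through the causes listed under More Details and the checks from option 1 above, in order: it reports a missing truststore file or a wrong password, lists every trusted-certificate entry so the expected CA certificate can be looked for, applies the CA=true and keyCertSign checks to each anchor, and reproduces the logged error itself via PKIXParameters when the truststore holds no trusted certificates. It is an added example, not code from IBM Manta Data Lineage or from the JDK; the class name, command-line arguments and output format are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

/**
 * Triage for "the trustAnchors parameter must be non-empty".
 * Usage: java TrustAnchorCheck <truststore> <password> [JKS|PKCS12]
 * Class name, arguments and output format are assumptions for this example;
 * they are not part of Manta or of the JDK.
 */
public class TrustAnchorCheck {

    // RFC 5280 KeyUsage bit order as returned by X509Certificate.getKeyUsage():
    // digitalSignature=0, nonRepudiation=1, keyEncipherment=2,
    // dataEncipherment=3, keyAgreement=4, keyCertSign=5, cRLSign=6, ...
    private static final int KEY_CERT_SIGN = 5;

    /** True when the certificate satisfies the Java 8u241 / JDK 15 anchor rules. */
    static boolean isUsableAnchor(X509Certificate cert) {
        // getBasicConstraints() returns -1 when the certificate is not a CA
        // (extension absent or CA=false); otherwise the path length constraint.
        boolean ca = cert.getBasicConstraints() != -1;
        boolean[] ku = cert.getKeyUsage(); // null when the extension is absent
        boolean certSign = ku == null || (ku.length > KEY_CERT_SIGN && ku[KEY_CERT_SIGN]);
        return ca && certSign;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustAnchorCheck <truststore> <password> [JKS|PKCS12]");
            System.exit(2);
        }
        Path path = Paths.get(args[0]);
        char[] password = args[1].toCharArray();
        String type = args.length > 2 ? args[2] : KeyStore.getDefaultType();

        // Cause #2: the file does not exist. A javax.net.ssl.trustStore that
        // points at a missing file silently yields an empty truststore.
        if (!Files.isRegularFile(path)) {
            System.err.println("truststore not found: " + path.toAbsolutePath());
            System.exit(1);
        }

        // Cause #3: a wrong password is reported by the JKS and PKCS12 stores
        // as an IOException whose cause is UnrecoverableKeyException.
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        } catch (IOException e) {
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.err.println("truststore password does not match: " + e.getMessage());
                System.exit(1);
            }
            throw e;
        }

        // Causes #4 and #5: list every trusted-certificate entry (key entries
        // are never used as anchors) so the expected CA can be looked for,
        // and flag entries the stricter JDKs refuse to use as anchors.
        int bad = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            boolean ok = isUsableAnchor(cert);
            if (!ok) {
                bad++;
            }
            System.out.printf("%s %s%n    subject: %s%n    CA=%b keyUsage=%s%n",
                    ok ? "OK " : "BAD", alias, cert.getSubjectX500Principal(),
                    cert.getBasicConstraints() != -1,
                    cert.getKeyUsage() == null ? "(absent)" : "present");
        }

        // Cause #1: no trusted certificates at all. PKIXParameters(KeyStore)
        // throws exactly the exception quoted from the log in that case.
        try {
            PKIXParameters params = new PKIXParameters(ks);
            System.out.println(params.getTrustAnchors().size() + " trust anchor(s) loaded, "
                    + bad + " not acceptable as CA anchor(s) on Java 8u241+ / 15+");
        } catch (InvalidAlgorithmParameterException e) {
            System.err.println("reproduced: " + e.getMessage());
            System.exit(1);
        }
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

Run it against the truststore Manta is configured with, or against the default cacerts file with the password changeit, for example java TrustAnchorCheck /path/to/truststore.jks changeit. An entry marked BAD is the one to re-issue as a proper CA certificate under option 1 before reaching for the jdk.security.allowNonCaAnchor workaround.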