Error: Invalid spaceKey on retrieving a related space config.

Configuring to consume over SSL or with client certificates

If you want to consume web services over SSL or with client certificates, you must add the Java keystore options in the arserver.config(arserverd.conf) file.

For one way SSL, add the following Java keystore options in the arserver.config(arserverd.conf) file:

jvm.option.XX=-Djavax.net.ssl.trustStore=<pathToKEYSTORE> 
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=<password> 
jvm.option.XX+2=-Djavax.net.ssl.keyStoreType=<keystore Type>

For example:

jvm.option.XX=-Djavax.net.ssl.trustStore=/opt/jdk1.8.0_112/jre/lib/security/cacerts
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=****
jvm.option.XX+2=-Djavax.net.ssl.trustStoreType=JKS

 Refer to the following example if you are not using Java Cacerts for the AR System Server process.

jvm.option.XX=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=**** 
jvm.option.XX+2=-Djavax.net.ssl.trustStoreType=pkcs12

If you want to use similar certificates for other processes such as JAVA Plug-in server or Carte server, update the armonitor.conf file. Refer to the following example for Java Plug-in server:

/usr/java/default/jre/bin/java -Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks -Djavax.net.ssl.keyStorePassword=*** -Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12 -Djavax.net.ssl.trustStorePassword=*** -Djavax.net.ssl.trustStoreType=pkcs12 -Xmx512m -classpath /opt/bmc/arsystem/pluginsvr:/opt/bmc/arsystem/pluginsvr/arpluginsvr91_build001.jar:/opt/bmc/arsystem/approval/bin/armaskingImpl91_build001.jar:/opt/bmc/arsystem/api/lib/arcmnapp91_build001.jar com.bmc.arsys.pluginsvr.ARPluginServerMain -x onbmc-s -i /opt/bmc/arsystem -alias javapluginserver

Refer to the following example for the developerstudio.ini file:

-vmargs
-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
-Djavax.net.ssl.trustStorePassword=****
-Djavax.net.ssl.trustStoreType=pkcs12


For two way SSL, add the following Java keystore options in the arserver.config(arserverd.conf) file:

jvm.option.XX=-Djavax.net.ssl.keyStore=<path to keyStoreType file>
jvm.option.XX+1=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.XX+2=-Djavax.net.ssl.trustStore=<pathToTrustStore>  
jvm.option.XX+3=-Djavax.net.ssl.trustStorePassword=<password> 
jvm.option.XX+4=-Djavax.net.ssl.keyStoreType=<keyStore Type>
jvm.option.XX+5=-Djavax.net.ssl.trustStoreType=<TrustStore Type>

For example:

jvm.option.XX=-Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks
jvm.option.XX+1=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.XX+2=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.XX+3=-Djavax.net.ssl.trustStorePassword=****
jvm.option.XX+4=-Djavax.net.ssl.keyStoreType=JKS
jvm.option.XX+5=-Djavax.net.ssl.trustStoreType=pkcs12

Note

You must start the jvm.option.XX sequence after last jvm.option in the arserver.config(arserverd.conf) file.

If the arserver.config(arserverd.config) file has jvm.option.19 as last jvm option, add the jvm options starting from jvm.option.20.

The following sample code illustrates jvm.option example:

jvm.option.1=-javaagent:../lib/spring-instrument-4.1.9.RELEASE.jar
jvm.option.2=-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl
jvm.option.3=-Dlogback.configurationFile=file:../conf/logback_server.xml
jvm.option.4=-Xss2M
jvm.option.5=-XX:MetaspaceSize=256M
jvm.option.6=-XX:MaxMetaspaceSize=512M
jvm.option.7=-Dcom.sun.management.jmxremote
jvm.option.8=-Dcom.bmc.arsys.boot.flavor=server
jvm.option.9=-XX:OnOutOfMemoryError=./kill-server
jvm.option.10=-Djetty.home=../jetty
jvm.option.11=-Dorg.eclipse.equinox.http.jetty.autostart=false
jvm.option.12=-XX:ErrorFile=file:../db/arserverjvmcrash_PID%p.log
jvm.option.13=-XX:+HeapDumpOnOutOfMemoryError
jvm.option.14=-XX:HeapDumpPath=../Logs
jvm.option.15=-XX:+UseCompressedOops
jvm.option.16=-XX:+UseConcMarkSweepGC
jvm.option.17=-XX:+UseParNewGC
jvm.option.18=-XX:NewRatio=2

For SSL support, you must you must add the jvm options starting from 19 (any other number in the sequence is not initiated on the actual service) as shown in the following example code snippet:

jvm.option.19=-Djavax.net.ssl.keyStore=/opt/bmc/arsystem/conf/certificates.jks
jvm.option.20=-Djavax.net.ssl.keyStorePassword=*****
jvm.option.21=-Djavax.net.ssl.trustStore=/opt/bmc/arsystem/conf/certificates.p12
jvm.option.22=-Djavax.net.ssl.trustStorePassword=****
jvm.option.23=-Djavax.net.ssl.keyStoreType=JKS
jvm.option.24=-Djavax.net.ssl.trustStoreType=pkcs12

 Restart the AR System Server after all the configurations are done.

Related topics

Configuring to consume over SSL or with client certificates

Configuring the REST API

Configuring the Mid Tier web server for SSL certificate

Accessing WSDL or web services over https

Was this page helpful? Yes No Submitting... Thank you

Comments

  1. Andreas Mitterdorfer

    This information seems to be incorrect as web service plugin is not in java plugin server anymore.Please see my comment in https://docs.bmc.com/docs/display/public/ars91/Configuring+AR+System+server+for+a+proxy+server

     

    Nov 02, 2015 09:54
    1. Poonam Morti

      Hi Andreas,

      I am verifying the details with the SME and will update the topic.

      Thanks,

      Poonam

      Nov 05, 2015 11:41
    1. Poonam Morti

      Hi Andreas,

      I have updated the topic.

      Thanks,

      Poonam

      Nov 19, 2015 01:25
  2. Michael Franke

    Hi Poonam,

    the name of the option for the keystore containing the certificat  should be -Djavax.net.ssl.trustStore=<pathToPfxFile> instead of -Djavax.net.ssl.keyStore

    The name for the configuration (at least on linux) is arserverd.conf and not .arserverd.config.

    Regards Michael

    Aug 11, 2016 01:08
  3. Ariel Manka

    This document has issues. Michael already pointed out the fact that keyStore is not correct and trustStore should be used instead. Apart from that, nowhere in the literature was I able to find usage of keyStore or trustStore with reference to a PFX file. Everything I read says, that it should be path to the key store file .jks. Moving on, keyStoreType would be JKS nor PKCS12.

    When trustStore attribute contains reference to .p12 file, server throws an error on attempt to call web service:

    ARERR [9130] Error encountered while executing a Web Service : java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

    This confirms my previous suspicion about the pathToPFXFile. Path has to point to the keystore file not to the pfx certificate.

    Bottom line is that in order to consume web services over SSL you have to:

    a) import pfx/p12 certificate to your keystore

    b) set the configuration in arververd.conf as follows:

    jvm.option.20=-Djavax.net.ssl.trustStore=<pathToKEYSTORE>
    jvm.option.21=-Djavax.net.ssl.keyStorePassword=<password>
    jvm.option.22=-Djavax.net.ssl.keyStoreType=<keystore>

    i.e.

    jvm.option.20=-Djavax.net.ssl.trustStore=/home/remedy/cert.jks
    jvm.option.21=-Djavax.net.ssl.keyStorePassword=badpassword
    jvm.option.22=-Djavax.net.ssl.keyStoreType=JKS

    c) optionally, define user and password in your Web Service call for basic authentication.

    Regards,

    Ariel

    Oct 17, 2016 05:38
  4. Tzachi Shaiovitch

    Hi,

    it seems that the document is incorrect and misleading.

    I am running 9.1 SP2 on linux server with following settings and this set up is working.

    1-way-ssl it should be as follow: [consuming external service over https]:

     

    jvm.option.XX=-Djavax.net.ssl.trustStore=/opt/jdk1.8.0_112/jre/lib/security/cacerts

    jvm.option.XX+1=-Djavax.net.ssl.trustStorePassword=****

    jvm.option.XX+2=-Djavax.net.ssl.keyStoreType=JKS

     

    for 2-way-ssl:

     

    jvm.option.XX=-Djavax.net.ssl.keyStore=[Path_to jks file]

    jvm.option.XX+1=-Djavax.net.ssl.keyStorePassword=*****

    jvm.option.XX+2=-Djavax.net.ssl.trustStore=[Path_to_trust_store] for example : /opt/jdk1.8.0_112/jre/lib/security/cacerts

    jvm.option.XX+3=-Djavax.net.ssl.trustStorePassword=****

    jvm.option.XX+4=-Djavax.net.ssl.keyStoreType=JKS

     

     

    it is important to mention that the jvm.option.XX sequence must be after the last jvm.option that comes OOTB.

    For example for 9.1 SP2 jvm.option looks as follow:

     

    jvm.option.1=-javaagent:../lib/spring-instrument-4.1.9.RELEASE.jar

    jvm.option.2=-Djavax.xml.transform.TransformerFactory=org.apache.xalan.processor.TransformerFactoryImpl

    jvm.option.3=-Dlogback.configurationFile=file:../conf/logback_server.xml

    jvm.option.4=-Xss2M

    jvm.option.5=-XX:MetaspaceSize=256M

    jvm.option.6=-XX:MaxMetaspaceSize=512M

    jvm.option.7=-Dcom.sun.management.jmxremote

    jvm.option.8=-Dcom.bmc.arsys.boot.flavor=server

    jvm.option.9=-XX:OnOutOfMemoryError=./kill-server

    jvm.option.10=-Djetty.home=../jetty

    jvm.option.11=-Dorg.eclipse.equinox.http.jetty.autostart=false

    jvm.option.12=-XX:ErrorFile=file:../db/arserverjvmcrash_PID%p.log

    jvm.option.13=-XX:+HeapDumpOnOutOfMemoryError

    jvm.option.14=-XX:HeapDumpPath=../Logs

    jvm.option.15=-XX:+UseCompressedOops

    jvm.option.16=-XX:+UseConcMarkSweepGC

    jvm.option.17=-XX:+UseParNewGC

    jvm.option.18=-XX:NewRatio=2

     

    in our case for ssl support the jvm.option should continue from 19 any other number in the sequence will not be initiated on the actual service jvm.option.19=-Djavax.net.ssl.keyStore=[Path_to jks file]

    jvm.option.19+1=-Djavax.net.ssl.keyStorePassword=*****

    jvm.option.19+2=-Djavax.net.ssl.trustStore=[Path_to_trust_store] for example : /opt/jdk1.8.0_112/jre/lib/security/cacerts

    jvm.option.19+3=-Djavax.net.ssl.trustStorePassword=****

    jvm.option.19+4=-Djavax.net.ssl.keyStoreType=JKS

    Jan 23, 2017 09:55
  5. Axel Kluener

    You wrote

    "You MUST start the jvm.option.XX sequence after last jvm.option in the arserver.config(arserverd.conf) file.

    If the arserver.config(arserverd.config) file has jvm.option.19 as last jvm option, you SHOULD add the jvm options starting from jvm.option.20."

    What is it now ? Is it "must" or is it "should" ? You pulled of the feat to contradict yourself in the same paragraph.

    It might be a good idea to have an article reviewed by a peer to avoid these kinds of mistakes. This is IT-Documentation 101.

    Sep 20, 2018 07:16
    1. Anagha Deshpande

      Hello Axel,

      Apologies for the inconvenience.

      I have corrected the topic.

      Regards,

      Anagha

      Oct 03, 2018 11:01
  6. Axel Kluener

    In this article you put text in a colored box additionally marked by a yellow exclamation mark icon and the cue "Note". Why ? What does that mean ? What's the difference beween text NOT framed in a colored box and text framed by a colored box.

    e.g. Where is the difference regarding the text

    "If you want to consume web services over SSL or with client certificates, you must add the Java keystore options in the arserver.config(arserverd.conf) file."

    and the text

    "You must start the jvm.option.XX sequence after last jvm.option in the arserver.config(arserverd.conf) file."

    ?

    Sep 20, 2018 07:27
    1. Anagha Deshpande

      Hello Axel,

      Thank you for raising this concern.

      The intention behind adding notes is to highlight some important point that the reader should not miss.

      Regards,

      Anagha

      Oct 03, 2018 11:10