New Jboss Instance for EJBCA OCSP

  • Javier Arjona Sanchez

    I have "default" instance for EJBCA CA and work fine. In this instance in file jboss-log4j.xml I have new appender EJBCA_FILE for category "org.ejbca" to write all logs in my custom file ejbca.log and this work fine too.

    Later I have created a new instance "default2", I have changed default ports in bindings-jboss-beans.xml file and in jboss-log4j.xml I have the same separation for server.log and for ejbca.log (in this case with TRACE activate for category "org.ejbca").

    I have configured new EJBCA project to be OCSP server (, ports in, productionmode in,, etc.). I have changed "jboss.config" to "default2" in bin/jboss.xml.

    I do "ant clean build" in new EJBCA project and later copy va-dist/ejbca.ear to /usr/local/jboss/server/default2/deploy/

    I start server "default2" with /usr/local/jboss/bin/ -c default2 and start all ok

    But when finish to start I see two errors:

    1) ERROR [SigningEntityContainer] No valid keys. Key directory /usr/local/jboss/server/default/deploy/keys. No P11 defined. --> The directory is wrong because isn't "default" but "default2"

    2) In this file /usr/local/jboss/server/default2/log/ejbca.log not write trace logs

    Then, I think that I'm missing a step to say to EJBCA the new instance name "default2"


  • Javier Arjona Sanchez

    Sorry when I said I do "ant clean build" ..... is wrong. I wanted to say "and clean va-ear" ....

    Last edit: Javier Arjona Sanchez 2013-12-05
  • Tomas Gustavsson

    The directory /usr/local/jboss/server/default/deploy/keys is configured in OCSP properties. The logging is a pura JBoss configuration, and I have o idea why your JBoss settings do not seem to work unfortunately.

  • Javier Arjona Sanchez

    Hi Tomas,
    In property file I have default value for "ocsp.keys.dir". Then I d'ont understand why appear /usr/local/jboss/server/default/deploy/keys instead of /usr/local/jboss/server/default2/deploy/keys


  • Tomas Gustavsson

    Sounds more like your server is actually runnning the default and not default2?

  • Javier Arjona Sanchez

    The server I think running correctly in instance "default2"

    11:51:49,143 INFO [ServerImpl] Starting JBoss (Microcontainer)...
    11:51:49,148 INFO [ServerImpl] Release ID: JBoss [The Oracle] 5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)
    11:51:49,150 INFO [ServerImpl] Bootstrap URL: null
    11:51:49,151 INFO [ServerImpl] Home Dir: /usr/local/jboss
    11:51:49,152 INFO [ServerImpl] Home URL: file:/usr/local/jboss/
    11:51:49,153 INFO [ServerImpl] Library URL: file:/usr/local/jboss/lib/
    11:51:49,156 INFO [ServerImpl] Patch URL: null
    11:51:49,157 INFO [ServerImpl] Common Base URL: file:/usr/local/jboss/common/
    11:51:49,158 INFO [ServerImpl] Common Library URL: file:/usr/local/jboss/common/lib/
    11:51:49,158 INFO [ServerImpl] Server Name: default2
    11:51:49,159 INFO [ServerImpl] Server Base Dir: /usr/local/jboss/server
    11:51:49,160 INFO [ServerImpl] Server Base URL: file:/usr/local/jboss/server/
    11:51:49,161 INFO [ServerImpl] Server Config URL: file:/usr/local/jboss/server/default2/conf/
    11:51:49,162 INFO [ServerImpl] Server Home Dir: /usr/local/jboss/server/default2
    11:51:49,162 INFO [ServerImpl] Server Home URL: file:/usr/local/jboss/server/default2/
    11:51:49,163 INFO [ServerImpl] Server Data Dir: /usr/local/jboss/server/default2/data
    11:51:49,164 INFO [ServerImpl] Server Library URL: file:/usr/local/jboss/server/default2/lib/
    11:51:49,165 INFO [ServerImpl] Server Log Dir: /usr/local/jboss/server/default2/log
    11:51:49,166 INFO [ServerImpl] Server Native Dir: /usr/local/jboss/server/default2/tmp/native
    11:51:49,166 INFO [ServerImpl] Server Temp Dir: /usr/local/jboss/server/default2/tmp
    11:51:49,167 INFO [ServerImpl] Server Temp Deploy Dir: /usr/local/jboss/server/default2/tmp/deploy
    11:51:53,550 INFO [ServerImpl] Starting Microcontainer, bootstrapURL=file:/usr/local/jboss/server/default2/conf/bootstrap.xml
    11:51:57,020 INFO [VFSCacheFactory] Initializing VFSCache [org.jboss.virtual.plugins.cache.CombinedVFSCache]
    11:51:57,036 INFO [VFSCacheFactory] Using VFSCache [CombinedVFSCache[real-cache: null]]
    11:51:58,737 INFO [CopyMechanism] VFS temp dir: /usr/local/jboss/server/default2/tmp
    11:51:58,740 INFO [ZipEntryContext] VFS force nested jars copy-mode is enabled.

    Now, I have tested doing "ant clean va-deploy" and now in log show:

    ERROR [SigningEntityContainer] No valid keys. Key directory /aplicaciones/ejbcaOCSP/keys. No P11 defined.

    But now, I don't understand nothing :-|. Where do you define this "/aplicaciones/ejbcaOCSP/"?? I I have:

    "/aplicaciones/ejbcaOCSP/" directory is where I have Project EJBCA with OCSP configuration files

    Then, the correctly path when EJBCA should look for keys should be /usr/local/jboss/server/default2/deploy/keys

    On the other hand I still see the logs from EJBCA OCSP. Now I have jboss-log4.xml (from jboss minimal instance) and I have appended:

    <category name="org.ejbca">
    <priority value="DEBUG"/>

    <category name="org.cesecore">
    <priority value="DEBUG"/>


  • Javier Arjona Sanchez

    Hi Tomas,
    Now I receive this error:

    Unable to load key file /aplicaciones/ejbcaOCSP/keys/<myP12>.p12. Exception: error constructing MAC: java.lang.SecurityException: JCE cannot authenticate the provider BC

    This error show in this line of SigningEntityContainer class in function loadFromSWKeyStore() inside the catch( IOException e ):

    keyStore.load(new FileInputStream(fileName), storePassword.toCharArray());

    In file build.xml in target va-ear include bcmail-jdk${java.ver}-145.jar and bcprov-jdk${java.ver}-145.jar but not bctsp-jdk${java.ver}-145.jar

    Is it correct? Which is the problem?


  • Javier Arjona Sanchez

    I have correclty jars in lib paths

    -bash-3.2# ls -l /usr/local/jboss/server/default/lib/bc*
    -rw------- 1 root root 236604 jul 23 09:58 /usr/local/jboss/server/default/lib/bcmail-jdk16-145.jar
    -rw------- 1 root root 1719483 jul 23 09:58 /usr/local/jboss/server/default/lib/bcprov-jdk16-145.jar
    -rw------- 1 root root 25427 jul 23 09:58 /usr/local/jboss/server/default/lib/bctsp-jdk16-145.jar
    -bash-3.2# ls -l /usr/local/jboss/server/default2/lib/bc*
    -rw-r--r-- 1 root root 236604 jul 23 09:58 /usr/local/jboss/server/default2/lib/bcmail-jdk16-145.jar
    -rw-r--r-- 1 root root 1719483 jul 23 09:58 /usr/local/jboss/server/default2/lib/bcprov-jdk16-145.jar
    -rw-r--r-- 1 root root 25427 jul 23 09:58 /usr/local/jboss/server/default2/lib/bctsp-jdk16-145.jar

    Then I don't understand the problema :-(

    Last edit: Javier Arjona Sanchez 2013-12-05
  • Tomas Gustavsson

    The error is clear. Running Oracle JDK and not being able to verify the provider. Why you are getting it when running with a default2 instance I do not know. I never do run different instances. I do know that others have run with different instances, but I have never tested.
    So perhaps someone else can help?

  • Javier Arjona Sanchez

    Hi Tomas,
    I found this link

    He has same problem with two instances Jboss

    I add security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider to /usr/local/jdk/jre/lib/security/ for test, but my problem is the same. I don't understand :'(

    And I still have the problem that the logs from EJBCA are not displayed.

    How can I print in execution time the log configuration file in Java code for a package org.ejbca.*? I can write this code Java in, for example, loadFromSWKeyStore() and recompìle. Is only to show the file path to understand anything more

    Thanks you very much Tomas


  • Javier Arjona Sanchez

    Hi Tomas,
    I found my problem. If I start second instance from /aplicaciones, when OCSP read "ocsp.keys.dir" property, OSCP append /aplicaciones/keys and to try search keys in this directory. It I start in /aplicaciones/ejbcaOCSP, then OCSP search in /aplicaciones/ejbcaOCSP/keys and if I start second instance in /tmp, then OCSP search in /tmp/keys.

    Then, I think that this is a problem in OCSP EJBCA, because, "ocsp.keys.dir" with value "./keys" (default value) should be relative always to the server instance, for example in my case /usr/local/jboss/server/default2/

    Could you say me anything about this, please?


  • Tomas Gustavsson

    EJBCA has no control of the relativiety of paths. By definition relative means relative to where you start the program, in this case JBoss.

    Because of this we always recommend to use absolute paths.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.


Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks