Problems with Identity Services

This section describes Identity server-related problems.

Starting and Stopping Services

You may need to stop and restart the services after:

  • Reconfiguring parameters in parts of the configuration database

  • Changing the password or other parameters in the dxmmsssvr.ini, idmsvc.ini, runServer.sh, ssl/password.properties or bindcredentials.xml file

  • Errors

Message Broker

For the message broker, stop the services in the following sequence (use the Services utility on Windows or the following commands on UNIX):

DirX Identity Message Broker number
UNIX (Linux): install_path/etc/dmmbrk-number stop

Start the services in the following sequence:

DirX Identity Message Broker number
UNIX (Linux): install_path/etc/dmmbrk-number start

Java-based Identity Server

For the Java-based Identity Server, stop the services in the following sequence (use the Services utility on Windows or the following commands on UNIX):

DirX Identity IdS-J-domain-Sn-version
UNIX (Linux): install_path/etc/S99dmsvrj-domain-Sn stop

Start the services in the following sequence:

DirX Identity IdS-J-domain-Sn version
UNIX (Linux): install_path/etc/S99dmsvrj-domain-Sn start

C++-based Identity Server

For the C++-based Identity server, stop the services in the following sequence (use the Services utility on Windows or the following commands on UNIX):

DirX Identity IdS-C version
UNIX (Linux): install_path/etc/S99dmsvr stop

Start the services in the following sequence:

DirX Identity IdS-C version
UNIX (Linux): install_path/etc/S99dmsvr start

On Windows, check the Event Viewer to see if the startup is successful. On UNIX, check the log files to see if the startup is successful.

Startup is successful when six entries are displayed:

  • DirX Identity IdS-C information: Service started: "C:\Program Files\Atos\Identity\bin\dxmmsssvr.exe" --- PID: nnnn

  • Wed Jul 16 15:49:03 2008 dxmmsssvr.exe NOTICE_VERBOSE dxm stt dxmstatustracker.cpp 522-0 0x00001780
    STT6126: Status Tracker is running.

  • Wed Jul 16 15:49:03 2008 dxmmsssvr.exe NOTICE_VERBOSE dxm sched dxmsdrimpl.cpp 2732-0 0x00001610
    SDR6570: Scheduling is "enabled".

  • Wed Jul 16 15:49:03 2008 dxmmsssvr.exe NOTICE_VERBOSE dxm sched dxmsdrimpl.cpp 1412-0 0x00001610
    SDR6567: Scheduler is running.

Date and time information as well as process and thread IDs may differ in your case.

Warnings due to Missing Definitions within Object Descriptions

Indication:

You encounter the message:

STG617 Multiple values exist for single value property '<attributename>' of DN=cn=...

Reason:

This message indicates that an attribute contains multiple values but is defined as a single-value property in the object descriptions. The service layer transports only one of the values for further processing. This warning indicates that an attribute is not defined (or not correctly defined) in the object descriptions. Note that undefined attributes have the default values type="Java.lang.String" and multivalue="false".

Solution:

Specify the attribute in the appropriate object description correctly.

If you find a system property that is not correctly defined, define this property in the Customer Extensions section, but inform support about this problem. The issue is then corrected in the next product delivery.
For the attribute dxrInheritedPrivilegeLink, the central User.xml is not up to date. Update the file in your domains. Use the delivered file from DVD:/Installation/Patches/user-xml/User.xml and import it with the DirX Identity Manager into the User.xml object (path: Provisioning → Domain Configuration → Object Descriptions → User.xml).

C++-based Identity Server Errors

This section describes C++-based Identity server errors that can occur and the steps to take to solve the problem.

Authentication Failed

Indication:

You receive the message 'Authentication to LDAP server failed …​' when you start the DirX Identity service.

Reason:

The bind parameters are not correct.

Solution:

Check for correct parameters in the [metadir] section of the dxmmsssvr.ini file.

Can’t Connect to LDAP Server

Indication:

You receive the message 'Can’t Connect to LDAP Server' when you start the DirX Identity service.

Reason:

The DirX Identity server is unable to connect to the LDAP server.

Solution:

  1. Check to see whether the LDAP server of the directory service is running.

  2. Check for the correct server name and port number in the dxmmsssvr.ini file.

Can’t Extract Serial Number from keyOwnerPSE

Indication:

DirX Identity Service does not start. Error message:

Can’t extract serial number from keyOwnerPSE=string

Reason:

You used a dirxgenpse tool from a previous version of DirX Identity / DirXmetahub to generate a new key in the environment of the current DirX Identity version. This generates a corrupted certificate.

Solution:

Use the dirxgenpse tool from the current version of the DirX Identity DVD to generate new certificates.

Can’t Retrieve ATS Server Data

Indication:

You receive the message 'Can’t retrieve ATS server data' when you start the DirX Identity service.

Reason:

The DirX Identity server did not find the correct object in the DirX Identity configuration database.

Solution:

Check to see if the dnServerName entry in the dxmmsssvr.ini file is correct.

Configuring a Maximum of More than 128 Threads Fails

Indication:

You have successfully configured more than 128 threads for the server, using the DirX Identity Manager. Nevertheless, the server fails to start workflows when this thread limit is reached. The log file shows warnings like:

99 VThread-Info: ProcessSize=0, NoActiveThreads=128
         -- ERROR    util     cthread.cpp      268         52:08:511
"MSS2008: Failure to start a thread (internal error).".

Reason:

Regardless of your configuration, the environment variable DIRX_MAX_THREAD specifies the maximum number of threads as a hard limit for the server. The default value is 128. The maximum possible value is 512.

Solution:

Set the environment variable in your system environment. For Windows platforms, the related computer must be rebooted.

For Unix platforms, a central profile or the file install_path/.dirxmetarc is an appropriate location. The following lines should be present for defining a maximum of 512:

DIRX_MAX_THREADS=512
export DIRX_MAX_THREADS

CryptoException: Export keys expired!

Indication:

An agent reports the error:

WAR(STG700): com.siemens.dirxcommon.crypto.CryptoException: Export keys expired!

Reason:

The transfer of the crypto keys to the agent failed due to a timeout. The agent startup was too slow.

Solution:

The default timeout value is 10 seconds. Set a higher value at the corresponding C++-based server object in the connectivity configuration (tab AgtSvr Configuration).

DirX Identity Service Does Not Start Correctly

Indication:

DirX Identity Service does not start correctly.

Reason:

This problem could be caused by previous errors when the DirX Identity service could not be started successfully.

Solution:

Stop all services and then restart them.

Transferring File Fails (File Service)

Indication:

Transferring a file greater than 1 MB fails.

Reason:

Running the file service with ActiveMQ only supports files with a size up to 1 MB per default configuration.

Solution:

Increase the configuration parameter Buffer Size for all related C++-based Server instances in the Expert View → Configuration → DirX Identity Servers → C Servers. The parameter can be found on the AgtSvr Configuration tab in the section Fileservice.

The file service is used to transfer files between C++-based Server instances as well as for viewing status files from another machine via the DirX Identity Manager.

High Load during Restart

Indication:

The C++-based Identity Server is under high load after a restart.

Reason:

When the watchdog restarts the server, the computer can come under heavy load. The reason is that all workflows whose schedule deviation has not yet elapsed start in parallel. If you handle large amounts of data, make sure that your computer has enough workspace to handle all the processes in parallel, or set the deviations so that workflow starts do not overlap.

Solution:

For correct setup of non-conflicting schedules see also the section workflow rules in the documentation.

Internal Windows NT Error

Indication:

Message: Internal Windows NT error (during start of DirX Identity Service)

Reason:

May be caused by previous errors when the DirX Identity service could not be started successfully.

Solution:

Stop all services and then restart them.

Service does not start with encryption enabled

Indication:

DirX Identity Service does not start correctly when encryption is enabled.

Reason:

The encryption settings in the dxmmsssvr.ini file do not match with the settings in the configuration database.

Solution:

Compare the settings in the Configuration object (configuration database) with the settings in the dxmmsssvr.ini file. Encryption must be set to 1 and the password must be either requested interactively or supplied via an extra password file.

No Statistics with Compression Mode

Indication:

No statistics are displayed for a workflow.

Reason 1:

If the compression mode setting for a workflow is different from "Detailed" in the workflow entry or "None" in the central configuration object (which is the default) the statistics info for the workflow status object is not available. It is only available for the activity status objects.

Reason 2:

The agent does not feed the statistics interface.

Solution 1:

Use another compression level.

Solution 2:

No solution available.

Service Not Available

Indication:

You cannot find the DirX Identity 7.xXxx service in your services list.

Reason:

You may have provided wrong values during the installation procedure.

Solution:

  1. Perform Start → Run…

  2. Enter cmd and click OK.

  3. Enter dxmsvr.exe -install.

  4. Perform Start → Control Panel.

  5. Double-click Services.

  6. Double-click DirX Identity 7.xXxx.

  7. Set This Account and enter the values according to your requirements.

  8. Select Automatic and then click OK.

  9. If the service does not start immediately, perform Start.

Service Stops Directly after Start

Indication:

The DirX Identity service stops directly after start. This is indicated by the message:

MSS 2261: DirX Identity Server exited without errors.

Reason:

This happens mainly when you use the Windows 2000 service restart feature.

The stop message of the stop sequence is displayed after the new start messages of the server.

Solution:

No action necessary.

SHM9550

Indication:

Workflow executions fail. ProcessInfo and/or trace files show error message:
SHM9550: timeout to get semaphore (in dxmGetShm)

Reason:

The C++-based Identity Server is in operation with Encryption mode different from NONE, and heavy system load causes some workflows to fail with said error message.

Solution:

Increase the KeyGet timeout of the related C++-based server, using the DirX Identity Manager (expert view: Configuration/DirX Identity Servers/C++-based Servers/<server object>).

The C++-based Server Does Not Run Properly Due to a Hostname Change

Indication:

If your C++-based Server does not run properly - for example, the status tracker does not run or the ATS Messaging Server is not found - it might be due to a change of the machine name where the main C++-based Server runs and a subsequent configuration of the C++-based Server with the Configuration Wizard.

Reason:

If your local machine name changed since the last run of the Configuration Wizard or if your DNS service, for example, calculates a fully-qualified local hostname instead of a short name previously, a new run of the Configuration Wizard with the C++-based Server step selected will result in the creation of a secondary C++-based Server object in the ConfDB regarded as the active one on this machine.

Solution:

Perform the following steps to make the server run properly again (provided that you want it to run as the main server):

  1. Go to the Expert View, right-click the root object Connectivity Configuration Data and go to the DataView.
    On the Attributes tab, click edit and change the dxmSpecificAttribute: delete the value PrimaryServerC or set it to an empty string. This prevents the Configuration Wizard from interpreting the new hostname as a secondary C++-based Server in the next run. If no value for an old primary server exists, it regards the next configured one as the primary and overwrites the main objects with the new hostname as display name and as dxmAddress in the system object.

  2. Run the Configuration Wizard again with only the C++-based Server option selected and set the hostname in the System Step to your new machine name (or set local.host=your_new_machine_name in install_path\configuration.ini before running the Configuration Wizard so that the correct name is already suggested in the System Step).

  3. After this process, the main C++-based Server with the correct hostname is the active one again. You can delete the secondary C++-based Server object and its linked service and system objects in the ConfDB if you want, but it will do no harm if you leave it.

This issue is solved in DirX Identity V8.0C.

Java-based Identity Server Errors

This section describes Java-based Identity server errors that can occur and the steps to take to solve the problem.

Cannot Claim Ownership Problem

Indication:

The warning message "Cannot claim ownership" occurs in rare cases on slow machines in the Java-based Server logs.

Reason:

Concurrent processes in the Java-based Server can compete for some time for a specific LDAP object. After some configurable time, a warning is logged and the thread stops working on this task.

Solution:

Set the workflowtaskreadtimeout value in your Java-based Server object to a higher value. Perform the following steps:

  1. Start the DirX Identity Manager and log into the Connectivity view group.

  2. Navigate to Configuration → DirX Identity Servers → Java Servers → your server.

  3. Enable the Design mode (one of the icons in the Manager’s tool bar).

  4. Click the Configuration tab and then Edit.

  5. Search for the word workflowtaskreadtimeout.

  6. Change the value from 60 to a higher value (use for example 300).

  7. Save the configuration.

  8. Check whether the problem is gone. If not, use a higher value.

Class Loading Problems

Indication:

Messages indicate that class loading fails.

Reason:

The file location has changed for

  • Your own Java mappings, user hooks, connector filters for real-time workflows

  • Custom connectors used in real-time workflows

Solution:

Perform the following steps to solve the problem:

  • Stop the Java-based Server.

  • Drop your custom extensions (jar files) in

    install_path\ids-j-domain-Sn\confdb\jobs\framework\lib

    and move the jar files to

    install_path\ids-j-domain-Sn\confdb\common\lib

  • Start the Java-based Server.

Class Loading Problems due to Customer-specific Job Deployment

Indication:

Messages indicate that class loading fails.

Reason:

The deployment process for customer-specific jobs has been changed.

Solution:

Perform the following steps to solve the problem:

  • Stop the Java-based Server.

  • Check the DirX Identity Migration Guide for changes made to job deployment. Follow the instructions described in the section "Class Loading in the IdS-J Server (for Customer-specific Request Workflow Job Implementations)".

  • Start the Java-based Server.

Corrupted Repository Files

Indication:

Messages indicate that repository files are corrupted.

Reason:

Repository files may be corrupted.

Solution:

Perform the following steps to solve the problem:

  • Stop the Java-based Server.

  • Back up the appropriate repository folder or all folders if you are unsure which folder is affected.

  • Delete the appropriate repository folder or all folders.

  • Start the Java-based Server.

  • Inform DirX technical support about the problem and send a copy of the saved folders.

Escalation not entered for Request Workflows

Indication:

You have configured an escalation in your request workflow, but it is never entered. You find messages like the following ones in the IdS-J log or warning file:

04.08.2009 09:53:00.941 [Thread-3] [ ] *** WARNUNG ***
Called from com.siemens.idm.server.config.nodes.IDMRequestActivityConfigImpl.insertEscalations()
insertEscalation in Activity Approval by Privilege Managers of workflow 4-Eye Approval :
escalations ignored: no node escalations found

Reason:

Some of the default request workflows (especially the 4-Eye Approval) are not aware of escalations. The XML-description stored in the dxmContent attribute has no node <escalations>. Therefore, the IdS-J server cannot load the escalations. If you have copied one of these workflows the problem also occurs in your copy.

Solution:

Select the definition of people activities within your workflow in the Identity Manager. Go to the Data View and save the dxmContent attribute to a file. Insert a line

<escalations/>

Take care that <escalations/> is a child of <activity>!

Example

<?xml version="1.0" encoding="UTF-8"?>
<activity basicType="${DN4ID(THIS)@dxmType}" name="${DN4ID(THIS)@dxmDisplayName}" subType="${DN4ID(THIS)@dxmActivityType}">
<retrylimit>2</retrylimit>
<description>#{Request Workflows/Assignment... </description>
<condition>only-one-may-decide</condition>
<execution>parallel</execution>
<job/>
<findParticipants type="accessPolicy">
 ...
</findParticipants>
<escalations/>
<participantsFilter>
 <class>com.siemens.idm.requestworkflow.jobs.ParticipantFilterJob</class>
 <filterclass/>
</participantsFilter>
<participantsConstraint>
 ...
</participantsConstraint>
<startcondition></startcondition>
<timeout type="static">P0Y0M1DT0H0M0S</timeout>
<sign>true</sign>
<title>#{../_Nationalization.ApprovalByPrivilegeManagers_title}</title>
</activity>

Import the corrected file via the Data View. Restart the Java-based Server or reload its configuration.

The warning should no longer appear in the warning / log files.
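The check and the insertion can be scripted against the file saved from the Data View. The following Python script is an added example, not part of the product or its documentation. It reports for each `<activity>` whether `<escalations>` is a direct child, nested in the wrong place, or missing, and repairs the last two cases. Placing the node directly after `<findParticipants>` mirrors the example above. The sample documents and function names are constructed for illustration.

```python
"""Verify that <escalations> is a direct child of <activity> in a saved dxmContent file."""
import sys
import xml.etree.ElementTree as ET

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8"?>\n'


def escalations_status(activity):
    """Return 'ok', 'misplaced' (nested below a child) or 'missing'."""
    if activity.find("escalations") is not None:      # direct children only
        return "ok"
    if activity.find(".//escalations") is not None:   # any descendant
        return "misplaced"
    return "missing"


def activity_report(xml_text):
    """Status of every <activity> element in the document, in document order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [escalations_status(a) for a in root.iter("activity")]


def ensure_escalations(xml_text):
    """Return (xml, changed) with <escalations> as a direct child of each activity."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    changed = False
    for activity in list(root.iter("activity")):
        status = escalations_status(activity)
        if status == "ok":
            continue
        if status == "misplaced":
            # Detach the existing node (with its content) from the wrong parent.
            parents = {c: p for p in activity.iter() for c in p}
            node = activity.find(".//escalations")
            parents[node].remove(node)
        else:
            node = ET.Element("escalations")
        anchor = activity.find("findParticipants")
        if anchor is not None:
            node.tail = anchor.tail
            activity.insert(list(activity).index(anchor) + 1, node)
        else:
            node.tail = "\n"
            activity.append(node)
        changed = True
    # ElementTree writes empty elements as <tag />, which is equivalent XML.
    return XML_DECLARATION + ET.tostring(root, encoding="unicode"), changed


# Constructed sample: an activity without any <escalations> node.
SAMPLE_MISSING = """<?xml version="1.0" encoding="UTF-8"?>
<activity name="constructed-example">
<retrylimit>2</retrylimit>
<findParticipants type="accessPolicy"></findParticipants>
<participantsFilter>
 <filterclass/>
</participantsFilter>
<timeout type="static">P0Y0M1DT0H0M0S</timeout>
</activity>
"""

# Constructed sample: <escalations/> was inserted one level too deep.
SAMPLE_MISPLACED = SAMPLE_MISSING.replace("<filterclass/>", "<filterclass/>\n <escalations/>")


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_MISSING
    print("before:", activity_report(text))
    fixed, changed = ensure_escalations(text)
    print("after: ", activity_report(fixed), "(changed)" if changed else "(unchanged)")
    if changed and len(argv) > 2:
        with open(argv[2], "w", encoding="utf-8") as handle:
            handle.write(fixed)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the saved file as the first argument and an output path as the second, then import the output file via the Data View.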

Java-based Server Does Not Stop on UNIX

Indication:

Stopping the Java-based Server using the command of the form S99dmsvrj-* stop fails with an error message of the form:

Exception in thread "main" java.rmi.RemoteException: HTTP transport error: java.io.IOException: HTTPS hostname wrong: should be hostname; nested exception is:
HTTP transport error: java.io.IOException: HTTPS hostname wrong: should be hostname

ERROR: DirX Identity Java-based Server not deactivated (ex:1).

Reason:

The hostname which has been used during creation of the certificate does not match the expected host name according to the message above. The expected host name is hostname, as quoted in the error message. This inconsistency may also be a problem for SSL communication with other DirX Identity components.

Solution:

Stop all DirX Identity services. Create all the related key stores so that the host name is specified exactly as quoted in the exception (namely hostname) and try again.

Java-based Server Processing Stopped after Re-Boot

Indication:

After a re-boot, the Java-based Server stopped processing.

Reason:

After reboot, the Java-based Server tries to read the LDAP configuration in a loop. If this fails for the pre-configured time (about 5 minutes), the Java-based Server does not work because the configuration could not be loaded.

Solution:

Increase the timeout and repeat values in the file install_path/ids-j-domain-Sn/bin/bindcredentials.xml to values that are sufficient for your environment and restart the Java-based Server.

java.io.EOFException

Indication:

You encounter the following message in the Java-based Server logs:

IDSJADP007 The JMS messaging system of adaptor one_of_the_configured_adaptors reported the exception javax.jms.JMSException (root cause is java.io.EOFException)

Reason:

The C++-based server is not available.

Solution:

Check the availability of the C++-based server. If the C++-based server is running and the problem still persists, restart the C++-based server and the Java-based server.

No Automatic Restart of the Server after Crash on Linux

Indication:

After a crash on Linux, the Java-based Server is not re-started automatically.

Reason:

On Windows platforms the Java-based Server is automatically re-started after a crash. The native mechanisms on these platforms are used to perform the restart. On Linux platforms, there is currently no native operating system support to perform this task.

Solution:

You need to build your own watchdog; for example, by using third-party tools.

Repository Exceptions for Duplicate Workflows

Indication:

The log files of the Java-based Server contain warnings of the following form:

-------------------------------------------------------------------------------
06.02.2007 09:44:09 local-24 [  ] *** WARNING ***
Called from com.siemens.idm.server.adaptor.jms.AbstractJMSEventAdaptor.wakeup()
IDSJADP005 Adaptor 'PasswordChangeListener' attempted to delete msg (identified by [segment=1, id=0, expired=false]) from the repository but failed
-------------------------------------------------------------------------------

com.siemens.idm.jini.persistence.EntryNotFoundException: Entry for [segment=1, id=0, expired=false] doesn't exist in segment 1
...

The number of these warnings increases during productive operation of the server.

Reason:

Multiple password or real-time synchronization workflows are active for one topic. The server stores password change and real-time events in an internal repository. After processing such a message, each workflow tries to delete it from the repository. Only one of them succeeds in deleting the message while the others will fail.

Solution:

Check the configuration for active password synchronization workflows. Avoid configuring multiple active workflows for the same topic. Reload the workflow configuration of the Java-based Server using either the Identity Manager or the Identity Web Admin.

Running Java-based Agents with SSL to the LDAP Server

Indication:

You have set up the LDAP server for the provisioning store with SSL. Running a Java-based DirX Identity agent (for example PolicyAgent) with SSL fails. The trace includes the following error message:

ERR(STG000): Unexpected exception: 'netscape.ldap.LDAPException: JSSESocketFactory.makeSocket host:636, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (91); Connection to LDAP-Server not possible'.
WAR(STG700): netscape.ldap.LDAPException: JSSESocketFactory.makeSocket host:636, sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (91); Connection to LDAP-Server not possible

Reason:

The suitable LDAP server certificate is not in the trust store of the Java runtime environment of the Policy Agent (dxi_java_home/lib/security/cacerts).

Solution:

Import the suitable certificate into the trust store of the Java runtime environment, as described in the Connectivity Administration Guide, chapter "Managing the Connectivity System", section "Setting Up the Java-based Server for SSL to the Connectivity Configuration", subsection "Managing Keys".

UNIX: Problem Stopping Java-based Identity Server Running with SSL

Indication:

Stopping DirX Identity using the command of the form S99dmsvrj-* stop fails with an error message of the form:

Exception in thread "main" java.rmi.RemoteException: HTTP transport error: java.io.IOException: HTTPS hostname wrong: should be <hostname>; nested exception is:
HTTP transport error: java.io.IOException: HTTPS hostname wrong: should be <wlf-vm01-rhel.myCompany.de>
...
ERROR: DirX Identity Java-based Server not deactivated (ex:1).

Reason:

The hostname which has been used while creating the certificate does not match the expected host name according to the message above. The expected host name is hostname, as quoted in the error message. This inconsistency may also be a problem for SSL-communication with other DirX Identity components.

Solution:

Stop all DirX Identity services. Create all related key stores so that the host name is specified exactly as quoted in the exception message (namely hostname) and try again.
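Before recreating the key stores, it helps to confirm which name the existing certificate carries. The following Python script is an added example, not part of the product, and serves both this section and "Java-based Server Does Not Stop on UNIX" above. It extracts the expected host name from the stop command's error output and compares it with the names in the text printed by `keytool -list -v -keystore <keystore> -alias <alias>`. The keytool listings below are constructed samples, and the function names are illustrative.

```python
"""Compare the host name an HTTPS client expects with the names in a certificate."""
import re

# Accepts the name with or without the angle brackets shown in the message.
EXPECTED_RE = re.compile(r"HTTPS hostname wrong:\s+should be <?([^<>;\s]+)>?")
OWNER_CN_RE = re.compile(r"^Owner:.*?\bCN=([^,\n]+)", re.MULTILINE)
DNSNAME_RE = re.compile(r"^\s*DNSName:\s*(\S+)", re.MULTILINE)


def expected_hostname(stop_output):
    """Host name quoted in the 'HTTPS hostname wrong' exception, or None."""
    match = EXPECTED_RE.search(stop_output)
    return match.group(1) if match else None


def certificate_names(keytool_listing):
    """Names a client checks: dNSName SAN entries if present, otherwise the CN."""
    dns_names = DNSNAME_RE.findall(keytool_listing)
    if dns_names:
        return dns_names          # RFC 2818: SAN dNSName takes precedence over CN
    return [cn.strip() for cn in OWNER_CN_RE.findall(keytool_listing)]


def diagnose(stop_output, keytool_listing):
    """Exact, case-insensitive comparison; wildcard certificates are not handled."""
    expected = expected_hostname(stop_output)
    names = certificate_names(keytool_listing)
    lowered = [n.lower() for n in names]
    match = expected is not None and expected.lower() in lowered
    hint = ""
    if expected and not match:
        short = expected.lower().split(".")[0]
        if short in lowered:
            hint = "certificate carries the short host name, client expects the FQDN"
        elif any(n.split(".")[0] == expected.lower() for n in lowered):
            hint = "certificate carries the FQDN, client expects the short host name"
        else:
            hint = "no certificate name corresponds to the expected host"
    return {"expected": expected, "names": names, "match": match, "hint": hint}


# Error output as quoted in this section.
SAMPLE_STOP_OUTPUT = """\
Exception in thread "main" java.rmi.RemoteException: HTTP transport error: \
java.io.IOException: HTTPS hostname wrong: should be <wlf-vm01-rhel.myCompany.de>
ERROR: DirX Identity Java-based Server not deactivated (ex:1).
"""

# Constructed keytool listing: certificate created with the short host name.
SAMPLE_LISTING_SHORT = """\
Alias name: constructed-example
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wlf-vm01-rhel, OU=Constructed, O=Example, C=DE
Issuer: CN=wlf-vm01-rhel, OU=Constructed, O=Example, C=DE
"""

# Constructed keytool listing: certificate recreated with the quoted name.
SAMPLE_LISTING_FQDN = """\
Alias name: constructed-example
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=wlf-vm01-rhel.myCompany.de, OU=Constructed, O=Example, C=DE
Issuer: CN=wlf-vm01-rhel.myCompany.de, OU=Constructed, O=Example, C=DE
Extensions:
SubjectAlternativeName [
  DNSName: wlf-vm01-rhel.myCompany.de
]
"""

if __name__ == "__main__":
    for label, listing in (("short", SAMPLE_LISTING_SHORT), ("fqdn", SAMPLE_LISTING_FQDN)):
        print(label, diagnose(SAMPLE_STOP_OUTPUT, listing))
```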

Unable to Run More than One Java-based Server per Domain

Indication:

You are unable to run more than one Java-based server per domain.

Reason:

When you use multiple domains, each with one or more assigned Java-based servers, SSL and SSO are not yet supported by the configurator, and no documentation is provided yet.

Solution:

You can configure one Java-based server in a DirX Identity installation for SSL and you can use any of the provided SSO configurations for Web Center.

"No Ldap Entry available for" Messages During Startup

Indication:

You get messages like the following during startup of the Java-based server:

---------------------------------------------------------------
09.05.2016 00:22:31.428 [Thread-1] [  ] *** WARNING ***
Called from com.siemens.idm.server.resource.ldap.ResVariable.getAttrVal()
 no Ldap Entry available for dxmSpecificAttributes(mapmailaddress)
---------------------------------------------------------------
09.05.2016 00:22:31.444 [Thread-1] [  ] *** WARNING ***
Called from com.siemens.idm.server.resource.ldap.ResVariable.getAttrVal()
 no Ldap Entry available for dxmService-DN

Reason:

In the workflow definitions some fields cannot be filled. DN links or LDAP attributes are empty.

Solution:

Perform the following steps:

  1. Stop Java-based server.

  2. Back up the file ids-j-*/confdb/server/local/logger.properties and add a line
    com.siemens.idm.server.resource.ldap=FINEST

  3. Start the Java-based server.

  4. Check the file server*00000.txt for warnings like the one above. Search backwards from such a warning for the string "mapPath: in:". The workflow path follows this string. Check the workflow attributes and links.

  5. Restore the logger.properties file.
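The backward search in step 4 can be scripted. The following Python script is an added example, not part of the product or its documentation. It pairs each "no Ldap Entry available for" warning with the nearest preceding "mapPath: in:" line and groups the unresolved fields by workflow path. The sample log is constructed, and the layout of the "mapPath: in:" line is an assumption based only on the description in step 4.

```python
"""Pair 'no Ldap Entry available for' warnings with the preceding workflow path."""
import re
import sys

MAP_PATH_MARKER = "mapPath: in:"   # string named in step 4
WARNING_RE = re.compile(r"no Ldap Entry available for (\S+)")


def find_unresolved_fields(lines):
    """Return one finding per warning: line number, field, nearest preceding path."""
    findings = []
    current_path = None            # last workflow path seen so far
    for lineno, line in enumerate(lines, start=1):
        pos = line.find(MAP_PATH_MARKER)
        if pos != -1:
            # The workflow path follows the marker on the same line.
            current_path = line[pos + len(MAP_PATH_MARKER):].strip()
            continue
        match = WARNING_RE.search(line)
        if match:
            findings.append(
                {"line": lineno, "field": match.group(1), "workflow": current_path}
            )
    return findings


def group_by_workflow(findings):
    """Map each workflow path to the distinct fields that could not be resolved."""
    grouped = {}
    for item in findings:
        key = item["workflow"] or "(no mapPath line before warning)"
        fields = grouped.setdefault(key, [])
        if item["field"] not in fields:
            fields.append(item["field"])
    return grouped


# Constructed sample log. The WARNING entries follow the layout shown above;
# the FINEST entries and their workflow paths are invented for illustration.
SAMPLE_LOG = """\
09.05.2016 00:22:31.400 [Thread-1] [  ] *** FINEST ***
 mapPath: in: cn=Workflow A,cn=Constructed Example
---------------------------------------------------------------
09.05.2016 00:22:31.428 [Thread-1] [  ] *** WARNING ***
Called from com.siemens.idm.server.resource.ldap.ResVariable.getAttrVal()
 no Ldap Entry available for dxmSpecificAttributes(mapmailaddress)
---------------------------------------------------------------
09.05.2016 00:22:31.444 [Thread-1] [  ] *** WARNING ***
Called from com.siemens.idm.server.resource.ldap.ResVariable.getAttrVal()
 no Ldap Entry available for dxmService-DN
---------------------------------------------------------------
09.05.2016 00:22:31.500 [Thread-1] [  ] *** FINEST ***
 mapPath: in: cn=Workflow B,cn=Constructed Example
---------------------------------------------------------------
09.05.2016 00:22:31.520 [Thread-1] [  ] *** WARNING ***
Called from com.siemens.idm.server.resource.ldap.ResVariable.getAttrVal()
 no Ldap Entry available for dxmService-DN
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as handle:
            lines = handle.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for workflow, fields in group_by_workflow(find_unresolved_fields(lines)).items():
        print(workflow)
        for field in fields:
            print("    unresolved:", field)


if __name__ == "__main__":
    main(sys.argv)
```

Pass the path of a server*00000.txt file as the first argument. Entries written by different threads can interleave, so confirm the reported path in the log before changing a workflow.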

ActiveMQ Warning about Missing Certificates

Indication:

The wrapper.log file of the Tanuki Java service wrapper contains a warning about a certificate issue:

STATUS | wrapper  | 2020/12/02 16:55:25 | --> Wrapper Started as Service
STATUS | wrapper  | 2020/12/02 16:55:25 | Java Service Wrapper Standard Edition 64-bit 3.5.37
STATUS | wrapper  | 2020/12/02 16:55:25 |   Copyright (C) 1999-2018 Tanuki Software, Ltd. All Rights Reserved.
STATUS | wrapper  | 2020/12/02 16:55:25 |     http://wrapper.tanukisoftware.com
STATUS | wrapper  | 2020/12/02 16:55:25 |   Licensed to Atos IT Solutions and Services GmbH for DirX Identity
STATUS | wrapper  | 2020/12/02 16:55:25 |
WARN   | wrapper  | 2020/12/02 16:55:25 | A signature was found in "D:\Programme\Atos\DirXIdentity\messagebroker\bin\service\windows_x86_64\wrapper.exe", but checksum failed: (Errorcode: 0x800b010a) Eine Zertifikatkette zu einer vertrauenswürdigen Stammzertifizierungsstelle konnte nicht aufgebaut werden. (0x800b010a)
WARN   | wrapper  | 2020/12/02 16:55:25 |   Signer Certificate:
WARN   | wrapper  | 2020/12/02 16:55:25 |     Serial Number:
WARN   | wrapper  | 2020/12/02 16:55:25 |       00 90 4d 8f d1 f3 86 8a ad 5f 17 e8 93 41 c3 08 f2
WARN   | wrapper  | 2020/12/02 16:55:25 |     Issuer Name: COMODO RSA Code Signing CA
WARN   | wrapper  | 2020/12/02 16:55:25 |     Subject Name: Tanuki Software Ltd.
WARN   | wrapper  | 2020/12/02 16:55:25 |   TimeStamp Certificate:
WARN   | wrapper  | 2020/12/02 16:55:25 |     Serial Number:
WARN   | wrapper  | 2020/12/02 16:55:25 |       16 88 f0 39 25 5e 63 8e 69 14 39 07 e6 33 0b
WARN   | wrapper  | 2020/12/02 16:55:25 |     Issuer Name: UTN-USERFirst-Object
WARN   | wrapper  | 2020/12/02 16:55:25 |     Subject Name: COMODO SHA-1 Time Stamping Signer
WARN   | wrapper  | 2020/12/02 16:55:25 |     Date of TimeStamp : 2018/12/14 13:30:25The error is not directly related to the Wrapper's signature, therefore continue...
STATUS | wrapper  | 2020/12/02 16:55:26 | Launching a JVM...

Reason:

The executable wrapper.exe is signed but the verification of the signed executable cannot be done because root certificates for the Tanuki Software are missing.

Solution:

Install the necessary root certificates for the Tanuki Software.

Find information on the Tanuki Software website (https://wrapper.tanukisoftware.com/doc/english/troubleshooting.html#9):

Cross-signed certificates issued by AddTrust External CA Root (addtrustexternalcaroot.crt, comodorsaaddtrustca.crt and comodorsacodesigningca.crt) are suitable for all versions of the Wrapper, and more compatible with legacy devices using old versions of Windows:

Using 'mmc' or 'certmgr.msc', you can confirm the following installation:

"AddTrust External CA Root" should be installed under "Trusted Root Certificate Authorities\Certificates"

"COMODO RSA Certification Authority" and "COMODO RSA Code Signing" should be installed under "Intermediate Certification Authorities\Certificates". Make sure that their signature hash algorithms match the version of the Wrapper you are using (sh384 or sha-2 for Wrapper 3.5.28 and above, and sha-1 for earlier versions). This can be checked by double-clicking on the certificate and opening the 'Details' tab. You may also check that these certificates are enabled in the properties window accessible from the context menu.

"UTN-USERFirst-Object" should be installed under "Third Parties Root Certification Authorities\Certificates".