Jira integrated with OKTA fails to start after upgraging to 8.22.2

アトラシアン ナレッジベース

このページの内容

関連コンテンツ

  • 関連コンテンツがありません

お困りですか?

アトラシアン コミュニティをご利用ください。

コミュニティに質問

プラットフォームについて: サーバーと Data Center のみ。この記事は、サーバーおよび Data Center プラットフォームのアトラシアン製品にのみ適用されます。

     

要約

In attempt to upgrade Jira, it fails right after the system plugins starts to load.

環境

Jira Server / Data Center integrated with OKTA Authenticator

診断

On the stack trace on both catalina.out and atlassian-jira.log we can obverse errors like these stopping the system plugins from loading:

   ****************
    Jira starting...
    ****************
    
localhost-startStop-1 ERROR      [o.a.c.c.C.[Catalina].[localhost].[/]] Exception starting filter [trustedapps]
java.lang.RuntimeException: Could not load security config 'seraph-config.xml': Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30
....
Caused by: com.atlassian.seraph.config.ConfigurationException: Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30
SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more Filters failed to start. Full details will be found in the appropriate container log file
SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors
localhost-startStop-1 ERROR [o.o.c.xml.config.XMLConfigurator] Cannot create instance of org.opensaml.xmlsec.signature.impl.SignatureMarshaller
java.lang.NoClassDefFoundError: org/apache/xml/security/exceptions/XMLSecurityException
at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
at java.base/java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
at java.base/java.lang.Class.getConstructor0(Unknown Source)
at java.base/java.lang.Class.getConstructor(Unknown Source)
at org.opensaml.core.xml.config.XMLConfigurator.createClassInstance(XMLConfigurator.java:313)
at org.opensaml.core.xml.config.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:244)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:204)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:188)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:162)
at org.opensaml.core.xml.config.AbstractXMLObjectProviderInitializer.init(AbstractXMLObjectProviderInitializer.java:54)
at org.opensaml.core.config.InitializationService.initialize(InitializationService.java:56)
at com.okta.saml.OSGiSafeSAMLValidator.<init>(OSGiSafeSAMLValidator.java:25)
at com.okta.saml.util.OktaAuthPeer.init(OktaAuthPeer.java:55)
at com.okta.saml.util.OktaAuthPeer.<init>(OktaAuthPeer.java:43)
      ___ Starting the JIRA Plugin System _________________

JIRA-Bootstrap ERROR      [c.a.jira.upgrade.PluginSystemLauncher] A fatal error occured during initialisation. JIRA has been locked.
com.atlassian.jira.InfrastructureException: Error occurred while starting Plugin Manager. null
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:675)
        at com.atlassian.jira.component.pico.ComponentManager.earlyStartPluginSystem(ComponentManager.java:237)
        at com.atlassian.jira.upgrade.PluginSystemLauncher.start(PluginSystemLauncher.java:45)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$postDbLaunch$2(DefaultJiraLauncher.java:143)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrEnqueue(DatabaseConfigurationManagerImpl.java:307)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrWhenDatabaseActivated(DatabaseConfigurationManagerImpl.java:202)
        at com.atlassian.jira.startup.DefaultJiraLauncher.postDbLaunch(DefaultJiraLauncher.java:135)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:102)
        at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
        at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:100)
        at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
        at com.atlassian.plugin.osgi.container.felix.FelixOsgiContainerManager.addBundleListener(FelixOsgiContainerManager.java:455)
        at com.atlassian.plugin.osgi.factory.OsgiBundlePlugin.installInternal(OsgiBundlePlugin.java:224)
        at com.atlassian.plugin.impl.AbstractPlugin.install(AbstractPlugin.java:378)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$addPlugins$22(DefaultPluginManager.java:1177)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.jira.plugin.JiraPluginManager.addPlugins(JiraPluginManager.java:157)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$earlyStartup$5(DefaultPluginManager.java:593)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.plugin.manager.DefaultPluginManager.earlyStartup(DefaultPluginManager.java:528)
        at com.atlassian.jira.plugin.JiraPluginManager.earlyStartup(JiraPluginManager.java:119)
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:668)

原因

Jira 8.22.2 has been removed the following unused package below from Jira build, as well as removed the xmlsec jar file from the 8.22.2 distribution, due to this, Okta's code can not find it. Since Okta were using a library that used to be provided with Jira core, and the library was removed on 8.22.2, Jira will to start. The best practice is that Okta shouldn't be using any library from Jira core for their custom authenticator.

            <dependency>
                <groupId>org.apache.santuario</groupId>
                <artifactId>xmlsec</artifactId>
                <version>1.5.6</version>
            </dependency>

回避策

While Okta doesn't provide a resolution, the steps below seems to temporarily resolve the issue for the most of the Jira instances.

Note that this isn't a path recommended nor supported by Atlassian, but it is something that may work and unlock from this problem.

  1. Download the library xmlsec-2.3.0.jar file.
    • You may get it from javalibs or any other source you prefer.
  2. Upload the xmlsec-2.3.0.jar file to your Jira server on the below location.
    <jira-install>/atlassian-jira/WEB-INF/lib
  3. Restart Jira instance. You may remove the custom library once Okta provides a fix to the issue.

Disabling Okta authenticator for testing

Since the Jira upgrade removes local customizations, Jira does start up with the original seraph-config.xml file, where the Okta authenticator needs to be configured.

Due to this, you may disable the Okta authenticator by commenting these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml

  1. Stop Jira
  2. Comment these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml.
  3. Restart Jira.
    <!--
         <authenticator class="com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30">
             <init-param>
                      <param-name>okta.config.file</param-name>
                      <param-value>/data/jira/jira-latest/conf/okta-config-jira.xml</param-value>
             </init-param>
         </authenticator>
    -->



最終更新日 2022 年 5 月 2 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する

関連コンテンツ

  • 関連コンテンツがありません
Powered by Confluence and Scroll Viewport.