Jira integrated with OKTA fails to start after upgraging to 8.22.2

Atlassian Knowledge Base

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform Notice: Server and Data Center Only. This article only applies to Atlassian products on the server and data center platforms.

     

Summary

In attempt to upgrade Jira, it fails right after the system plugins starts to load.

Environment

Jira Server / Data Center integrated with OKTA Authenticator

Diagnosis

On the stack trace on both catalina.out and atlassian-jira.log we can obverse errors like these stopping the system plugins from loading:

   ****************
    Jira starting...
    ****************
    
localhost-startStop-1 ERROR      [o.a.c.c.C.[Catalina].[localhost].[/]] Exception starting filter [trustedapps]
java.lang.RuntimeException: Could not load security config 'seraph-config.xml': Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30
....
Caused by: com.atlassian.seraph.config.ConfigurationException: Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30
SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more Filters failed to start. Full details will be found in the appropriate container log file
SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors
localhost-startStop-1 ERROR [o.o.c.xml.config.XMLConfigurator] Cannot create instance of org.opensaml.xmlsec.signature.impl.SignatureMarshaller
java.lang.NoClassDefFoundError: org/apache/xml/security/exceptions/XMLSecurityException
at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
at java.base/java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
at java.base/java.lang.Class.getConstructor0(Unknown Source)
at java.base/java.lang.Class.getConstructor(Unknown Source)
at org.opensaml.core.xml.config.XMLConfigurator.createClassInstance(XMLConfigurator.java:313)
at org.opensaml.core.xml.config.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:244)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:204)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:188)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:162)
at org.opensaml.core.xml.config.AbstractXMLObjectProviderInitializer.init(AbstractXMLObjectProviderInitializer.java:54)
at org.opensaml.core.config.InitializationService.initialize(InitializationService.java:56)
at com.okta.saml.OSGiSafeSAMLValidator.<init>(OSGiSafeSAMLValidator.java:25)
at com.okta.saml.util.OktaAuthPeer.init(OktaAuthPeer.java:55)
at com.okta.saml.util.OktaAuthPeer.<init>(OktaAuthPeer.java:43)
      ___ Starting the JIRA Plugin System _________________

JIRA-Bootstrap ERROR      [c.a.jira.upgrade.PluginSystemLauncher] A fatal error occured during initialisation. JIRA has been locked.
com.atlassian.jira.InfrastructureException: Error occurred while starting Plugin Manager. null
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:675)
        at com.atlassian.jira.component.pico.ComponentManager.earlyStartPluginSystem(ComponentManager.java:237)
        at com.atlassian.jira.upgrade.PluginSystemLauncher.start(PluginSystemLauncher.java:45)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$postDbLaunch$2(DefaultJiraLauncher.java:143)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrEnqueue(DatabaseConfigurationManagerImpl.java:307)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrWhenDatabaseActivated(DatabaseConfigurationManagerImpl.java:202)
        at com.atlassian.jira.startup.DefaultJiraLauncher.postDbLaunch(DefaultJiraLauncher.java:135)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:102)
        at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
        at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:100)
        at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
        at com.atlassian.plugin.osgi.container.felix.FelixOsgiContainerManager.addBundleListener(FelixOsgiContainerManager.java:455)
        at com.atlassian.plugin.osgi.factory.OsgiBundlePlugin.installInternal(OsgiBundlePlugin.java:224)
        at com.atlassian.plugin.impl.AbstractPlugin.install(AbstractPlugin.java:378)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$addPlugins$22(DefaultPluginManager.java:1177)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.jira.plugin.JiraPluginManager.addPlugins(JiraPluginManager.java:157)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$earlyStartup$5(DefaultPluginManager.java:593)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.plugin.manager.DefaultPluginManager.earlyStartup(DefaultPluginManager.java:528)
        at com.atlassian.jira.plugin.JiraPluginManager.earlyStartup(JiraPluginManager.java:119)
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:668)

Cause

Jira 8.22.2 has been removed the following unused package below from Jira build, as well as removed the xmlsec jar file from the 8.22.2 distribution, due to this, Okta's code can not find it. Since Okta were using a library that used to be provided with Jira core, and the library was removed on 8.22.2, Jira will to start. The best practice is that Okta shouldn't be using any library from Jira core for their custom authenticator.

            <dependency>
                <groupId>org.apache.santuario</groupId>
                <artifactId>xmlsec</artifactId>
                <version>1.5.6</version>
            </dependency>

Workaround

While Okta doesn't provide a resolution, the steps below seems to temporarily resolve the issue for the most of the Jira instances.

Note that this isn't a path recommended nor supported by Atlassian, but it is something that may work and unlock from this problem.

  1. Download the library xmlsec-2.3.0.jar file.
    • You may get it from javalibs or any other source you prefer.
  2. Upload the xmlsec-2.3.0.jar file to your Jira server on the below location.
    <jira-install>/atlassian-jira/WEB-INF/lib
    
  3. Restart Jira instance. You may remove the custom library once Okta provides a fix to the issue.

Disabling Okta authenticator for testing

Since the Jira upgrade removes local customizations, Jira does start up with the original seraph-config.xml file, where the Okta authenticator needs to be configured.

Due to this, you may disable the Okta authenticator by commenting these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml

  1. Stop Jira
  2. Comment these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml.
  3. Restart Jira.
    <!--
         <authenticator class="com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30">
             <init-param>
                      <param-name>okta.config.file</param-name>
                      <param-value>/data/jira/jira-latest/conf/okta-config-jira.xml</param-value>
             </init-param>
         </authenticator>
    -->



Last modified on May 2, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.