Jira integrated with OKTA fails to start after upgrading

Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.

Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

Jira fails to start following an upgrade attempt, due to specific plugins being unable to start up.

Environment

Jira Server / Data Center integrated with OKTA Authenticator

Diagnosis

Stack traces of both catalina.out and atlassian-jira.log show errors like these, where we can see the system plugins will not load:

   ****************
    Jira starting...
    ****************
    
localhost-startStop-1 ERROR      [o.a.c.c.C.[Catalina].[localhost].[/]] Exception starting filter [trustedapps]
java.lang.RuntimeException: Could not load security config 'seraph-config.xml': Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30
....
Caused by: com.atlassian.seraph.config.ConfigurationException: Unable to load authenticator class 'com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30': com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30 : java.lang.ClassNotFoundException: com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30

1
2

SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal One or more Filters failed to start. Full details will be found in the appropriate container log file
SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.startInternal Context [] startup failed due to previous errors

localhost-startStop-1 ERROR [o.o.c.xml.config.XMLConfigurator] Cannot create instance of org.opensaml.xmlsec.signature.impl.SignatureMarshaller
java.lang.NoClassDefFoundError: org/apache/xml/security/exceptions/XMLSecurityException
at java.base/java.lang.Class.getDeclaredConstructors0(Native Method)
at java.base/java.lang.Class.privateGetDeclaredConstructors(Unknown Source)
at java.base/java.lang.Class.getConstructor0(Unknown Source)
at java.base/java.lang.Class.getConstructor(Unknown Source)
at org.opensaml.core.xml.config.XMLConfigurator.createClassInstance(XMLConfigurator.java:313)
at org.opensaml.core.xml.config.XMLConfigurator.initializeObjectProviders(XMLConfigurator.java:244)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:204)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:188)
at org.opensaml.core.xml.config.XMLConfigurator.load(XMLConfigurator.java:162)
at org.opensaml.core.xml.config.AbstractXMLObjectProviderInitializer.init(AbstractXMLObjectProviderInitializer.java:54)
at org.opensaml.core.config.InitializationService.initialize(InitializationService.java:56)
at com.okta.saml.OSGiSafeSAMLValidator.<init>(OSGiSafeSAMLValidator.java:25)
at com.okta.saml.util.OktaAuthPeer.init(OktaAuthPeer.java:55)
at com.okta.saml.util.OktaAuthPeer.<init>(OktaAuthPeer.java:43)

      ___ Starting the JIRA Plugin System _________________

JIRA-Bootstrap ERROR      [c.a.jira.upgrade.PluginSystemLauncher] A fatal error occured during initialisation. JIRA has been locked.
com.atlassian.jira.InfrastructureException: Error occurred while starting Plugin Manager. null
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:675)
        at com.atlassian.jira.component.pico.ComponentManager.earlyStartPluginSystem(ComponentManager.java:237)
        at com.atlassian.jira.upgrade.PluginSystemLauncher.start(PluginSystemLauncher.java:45)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$postDbLaunch$2(DefaultJiraLauncher.java:143)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrEnqueue(DatabaseConfigurationManagerImpl.java:307)
        at com.atlassian.jira.config.database.DatabaseConfigurationManagerImpl.doNowOrWhenDatabaseActivated(DatabaseConfigurationManagerImpl.java:202)
        at com.atlassian.jira.startup.DefaultJiraLauncher.postDbLaunch(DefaultJiraLauncher.java:135)
        at com.atlassian.jira.startup.DefaultJiraLauncher.lambda$start$0(DefaultJiraLauncher.java:102)
        at com.atlassian.jira.util.devspeed.JiraDevSpeedTimer.run(JiraDevSpeedTimer.java:31)
        at com.atlassian.jira.startup.DefaultJiraLauncher.start(DefaultJiraLauncher.java:100)
        at com.atlassian.jira.startup.LauncherContextListener.initSlowStuff(LauncherContextListener.java:154)
        at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
        at com.atlassian.plugin.osgi.container.felix.FelixOsgiContainerManager.addBundleListener(FelixOsgiContainerManager.java:455)
        at com.atlassian.plugin.osgi.factory.OsgiBundlePlugin.installInternal(OsgiBundlePlugin.java:224)
        at com.atlassian.plugin.impl.AbstractPlugin.install(AbstractPlugin.java:378)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$addPlugins$22(DefaultPluginManager.java:1177)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.jira.plugin.JiraPluginManager.addPlugins(JiraPluginManager.java:157)
        at com.atlassian.plugin.manager.DefaultPluginManager.lambda$earlyStartup$5(DefaultPluginManager.java:593)
        at com.atlassian.plugin.manager.PluginTransactionContext.wrap(PluginTransactionContext.java:63)
        at com.atlassian.plugin.manager.DefaultPluginManager.earlyStartup(DefaultPluginManager.java:528)
        at com.atlassian.jira.plugin.JiraPluginManager.earlyStartup(JiraPluginManager.java:119)
        at com.atlassian.jira.component.pico.ComponentManager$PluginSystem.earlyStartup(ComponentManager.java:668)

Cause 1

Package org.apache.santuario has been removed from Jira 8.20.15, 8.22.2 and 9.0 build, as well as removed the xmlsecjar file from the 8.20.15, 8.22.2 and 9.0 distribution. Since Okta was using this library that used to be provided with Jira, Jira will fail to start. The best practice is that Okta should not be using any library from Jira Core for their custom authenticator.

            <dependency>
                <groupId>org.apache.santuario</groupId>
                <artifactId>xmlsec</artifactId>
                <version>1.5.6</version>
            </dependency>

Cause 2

Starting from version 3.2.2 of the Okta Authenticator plugin, Okta began compiling their plugin against Java 11 instead of Java 8, resulting in the problem Cannot install plugin due to Java error: has been compiled by a more recent version of the Java Runtime if Okta Authenticator is upgraded to 3.2.2 on a Jira instance running Java 8.

Solution 1

Download the latest version of the Okta Authenticator plugin, as this is reportedly fixed in version 3.1.9. Check Okta Jira Authenticator Version History for more details. Then replace the Okta plugin JAR and restart Jira.

Solution 2

Upgrade from Java 8 to Java 11, as described in the knowledge base article How to change the Java version used by Jira.

Workaround 1

If the solution is not possible or doesn't work, the steps below seems to temporarily resolve the issue for most of the Jira instances.

Note that this isn't a path supported by Atlassian, but it is something that may resolve this problem.

Download the library xmlsec-2.3.0.jar file.
- You can get it from jar-downloads or any other source you prefer.
Upload the xmlsec-2.3.0.jar file to your Jira server on the below location.<jira-install>/atlassian-jira/WEB-INF/lib
Restart Jira instance. You may remove the custom library once Okta provides a fix to the issue.

Disabling Okta authenticator for testing

Since the Jira upgrade removes local customizations, Jira starts up with the original seraph-config.xml file, where the Okta authenticator is yet to be configured.

Due to this, you may disable the Okta authenticator by commenting these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml

Stop Jira
Comment these lines below at the seraph-config.xml file located at JIRA_INSTALL/atlassian-jira/WEB-INF/classes/seraph-config.xml.
Start Jira.

    <!--
         <authenticator class="com.atlassian.jira.authenticator.okta.OktaJiraAuthenticator30">
             <init-param>
                      <param-name>okta.config.file</param-name>
                      <param-value>/data/jira/jira-latest/conf/okta-config-jira.xml</param-value>
             </init-param>
         </authenticator>
    -->

Contact Okta Support

We strongly recommend opening a ticket with Okta Support team if the problem remains.

Updated on April 8, 2025

Was this helpful?

It wasn't accurateIt wasn't clearIt wasn't relevant

Atlassian Support