404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle
Originally Published: 2015-06-09
Article Number
Applies To
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log):
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
Cause
The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/all/deploy/jboss-web.deployer
By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3
Since the JBoss server.xml file does not have a private key password parameter, it requires that the password be the same.
Resolution
To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
- Login as either root or oracle and go to the keystore directory:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
- Run the following keytool command. Note keytool comands can be run as any user with read privilege to the files which is true for both root and oracle.
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
- To verify that the private key password and keystore password match:
keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 -deststoretype PKCS12 -srcalias server -deststorepass changeit -srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.
If the command returns the error below, it means that the private key password does not match.
Cannot recover key
- The private key password can be changed using the following command, but the original password must be known (backup the aveksa.keystore file first.)
cp aveksa.keystore aveksa.keystore.date keytool -keypasswd -alias server -keystore aveksa.keystore
- You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.
Related Articles
Recover from an Incorrect Gateway Number of Views RSA Governance & Lifecycle Recipes: Dashboard - Deployment Overview - Part 2 Number of Views How to recover the Application and AFX after an unexpected database failure in RSA Identity Governance & Lifecycle Number of Views Is there is a Backup and Disaster Recover for RSA File Security Manager? Number of Views Console logging to Dell 250 appliance gives error 404 error using Internet Explorer 11 Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager 8.9 Release Notes (January 2026) Supported On-Demand Authentication (ODA) SMS providers for use with RSA Authentication Manager 8.x Deploying RSA Authenticator 6.2.2 for Windows Using DISM
Don't see what you're looking for?
