404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle
Originally Published: 2015-06-09
Article Number
Applies To
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log):
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
Cause
The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/all/deploy/jboss-web.deployer
By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3
Since the JBoss server.xml file does not have a private key password parameter, it requires that the password be the same.
Resolution
To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
- Login as either root or oracle and go to the keystore directory:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
- Run the following keytool command. Note keytool comands can be run as any user with read privilege to the files which is true for both root and oracle.
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
- To verify that the private key password and keystore password match:
keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 -deststoretype PKCS12 -srcalias server -deststorepass changeit -srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.
If the command returns the error below, it means that the private key password does not match.
Cannot recover key
- The private key password can be changed using the following command, but the original password must be known (backup the aveksa.keystore file first.)
cp aveksa.keystore aveksa.keystore.date keytool -keypasswd -alias server -keystore aveksa.keystore
- You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.
Related Articles
RSA VIA L&G / IMG / Aveksa - AFX fails to start times out and this error is in the logs A WebGroup/Virtual Host to handle … Number of Views Remove Member User Groups from User Groups Number of Views Error: 'The server has not found anything matching the Request-URI' in RSA Federated Identity Manager (FIM) Number of Views '-bash: /usr/sbin/sesh: No such file or directory' error when starting RSA Identity Governance & Lifecycle Number of Views RSA Identity Governance and Lifecycle 7.2 Installation Guide Number of Views
Trending Articles
Downloading RSA Authentication Manager license files or RSA Software token seed records RSA Release Notes for RSA Authentication Manager 8.8 RSA Authentication Manager Patch Updates AFX Server remains in a 'Not running' State, afx status shows 'timed out waiting for AFX applications to start' and mule_e… Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory
Don't see what you're looking for?
