404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle
Originally Published: 2015-06-09
Article Number
Applies To
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log):
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
Cause
The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/all/deploy/jboss-web.deployer
By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3.
Since the JBoss server.xml file does not have a private key password parameter, the private key password must be the same as the keystore password; when they differ, the SSL connector cannot read the private key and fails to start with the error above.
Resolution
To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
- Login as either root or oracle and go to the keystore directory:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
- Run the following keytool command. Note that keytool commands can be run as any user with read privilege to the files, which is true for both root and oracle.
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
- To verify that the private key password and keystore password match:
keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 -deststoretype PKCS12 -srcalias server -deststorepass changeit -srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.
Cannot recover key
- The private key password can be changed using the following commands, but the original password must be known (back up the aveksa.keystore file first):
cp aveksa.keystore aveksa.keystore.date
keytool -keypasswd -alias server -keystore aveksa.keystore
- You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.
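The two verification steps above, combined into one shell function as an added example (not RSA's own tooling). The function name, its return codes and the KEYTOOL override variable are assumptions made here; the throwaway PKCS12 export is written to a temporary directory and removed, because that file contains the private key.

```shell
#!/bin/sh
# Added example: wraps the keytool checks from this article in one function.
# KEYTOOL may be overridden (assumption, e.g. to point at a specific JDK);
# by default the keytool found on PATH is used.
KEYTOOL="${KEYTOOL:-keytool}"

# check_keystore_passwords KEYSTORE STOREPASS [ALIAS]
# Returns 0 if STOREPASS opens the keystore and also recovers the private key,
#         1 if the keystore opens but the key password differs
#           (keytool reports "Cannot recover key"),
#         2 if the keystore cannot be listed with STOREPASS,
#         3 on any other failure.
check_keystore_passwords() {
    ks=$1
    pass=$2
    key_alias=${3:-server}

    # Step 1: same check as "keytool -list" in the article.
    if ! "$KEYTOOL" -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
        return 2
    fi

    # Step 2: export the alias to a throwaway PKCS12 file, passing the keystore
    # password as the key password, which is what server.xml effectively does.
    tmpdir=$(mktemp -d) || return 3
    out=$("$KEYTOOL" -importkeystore -srckeystore "$ks" \
        -destkeystore "$tmpdir/test.p12" -deststoretype PKCS12 \
        -srcalias "$key_alias" -deststorepass changeit \
        -srcstorepass "$pass" -srckeypass "$pass" 2>&1)
    rc=$?
    rm -rf "$tmpdir"   # test.p12 holds the private key; do not leave it behind

    [ "$rc" -eq 0 ] && return 0
    case $out in
        *"Cannot recover key"*) return 1 ;;
        *) return 3 ;;
    esac
}
```

Call it from the keystore directory as `check_keystore_passwords aveksa.keystore <password from server.xml>` and inspect `$?`; a result of 1 corresponds to the mismatch that keeps the SSL connector from starting.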