'WFLYDM0085: The alias specified 'server' does not exist in the KeyStore' error in RSA Identity Governance & Lifecycle
Originally Published: 2018-05-30
Applies To
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.1.0, 7.1.1
Issue
The /tmp/aveksa-install.log file contains the following error:
Repackage aveksa.ear to /tmp/repackaged_ear_dir
Deploying aveksa.ear...
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" =>
{"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}}}
Failed to deploy aveksa.ear
Step failed! See /tmp/aveksa-install.log for more information.
<EOF>
If this is an upgrade, these messages may also be seen in the /tmp/aveksa-install.log:
...
Creating new keystore directory /home/oracle/keystore
...
Existing aveksa.keystore found under /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
Moving aveksa.keystore to the new keystore directory: /home/oracle/keystore
...
[Tue May 22 18:15:26 EDT 2018] Configuring SSL Certificates completed
...
The $AVEKSA_HOME/wildfly/standalone/log/server.log contains the following errors:
2018-05-22 18:18:15,097 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([ ("core-service" => "management"), ("security-realm" => "AveksaRealm") ]) - failure description: { "WFLYCTL0080: Failed services" => {"jboss.server.controller.management.security_realm.AveksaRealm.key-manager" => "org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.AveksaRealm.key-manager: Failed to start service Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list} Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}"}, "WFLYCTL0412: Required services that are not installed:" => ["jboss.server.controller.management.security_realm.AveksaRealm.key-manager"], "WFLYCTL0180: Services with missing/unavailable dependencies" => undefined }
Cause
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore
This error indicates that the server certificate (chain) with the private key for alias server was not found in the $AVEKSA_HOME/keystore/aveksa.keystore file when the install process attempted to deploy the aveksa.ear.
The alias 'server' is the private key for the aveksa server.
The $AVEKSA_HOME/keystore/aveksa.keystore file should contain one entry called server that should be owned by aveksa. For example:
# pwd
/home/oracle/keystore
# keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: server
Creation date: Mar 2, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Issuer: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Serial number: 54f4946a
Valid from: Mon Mar 02 11:48:42 EST 2015 until: Thu Jun 12 12:48:42 EDT 2064
Certificate fingerprints:
    MD5: DF:D2:91:7E:12:95:3A:89:6E:1B:7E:F1:B3:10:E5:A0
    SHA1: 8E:F8:3C:68:1A:39:0F:57:F6:B0:6D:37:AB:F0:28:E9:FE:45:10:79
    Signature algorithm name: SHA256withRSA
    Version: 3
The use cases where this may occur are:
- In the earlier version prior to the upgrade, the aveksa.keystore and/or the WildFly configuration file had an alias different from server.
- When installing 7.1, you are attempting to implement an alias different from server.
Note that the RSA Identity Governance and Lifecycle 7.1 Installation Guide suggests that the alias can be changed from server, but this is not the case.
Resolution
- $AVEKSA_HOME/keystore/aveksa.keystore
As the root user, check the alias name in the aveksa.keystore file:
cd $AVEKSA_HOME/keystore
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
The output should have the following:
Alias name: server
If there is any other value for the alias name, it needs to be changed to server.
To change the alias name in aveksa.keystore:
- Back up the existing keystore (copy it, so that aveksa.keystore stays in place for the next step):
# cp -p aveksa.keystore aveksa.keystore.bak
- Use the keytool option -changealias to change the existing entry. The following is an extract of the help for this option:
-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
    [-keypass <keypass>] [-keystore <keystore>] [-storepass <storepass>]
    [-storetype <storetype>] [-providername <name>]
    [-providerclass <provider_class_name> [-providerarg <arg>]] ...
    [-providerpath <pathlist>]
Move an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided, the command will prompt for one. If the original entry is protected with an entry password, the password can be supplied via the "-keypass" option. If no key password is provided, the storepass (if given) will be attempted first. If that attempt fails, the user will be prompted for a password.
An example of changing an alias back to server is as follows. In this example, the alias name that caused the error is server711:
# keytool -changealias -alias server711 -destalias server -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
- $AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml
- As the root user, check the alias name in the aveksa-standalone-full.xml file:
cd $AVEKSA_HOME/wildfly/standalone/configuration
vi aveksa-standalone-full.xml
- Look for the keystore path. It should look similar to this:
<keystore path="/home/oracle/keystore/aveksa.keystore" keystore-password="Av3k5a15num83r0n3" alias="server" key-password="Av3k5a15num83r0n3"/>
The path should have the following:
alias="server"
If there is any other value for the alias name, it needs to be changed to server.
- If needed, edit aveksa-standalone-full.xml, change the alias name to server, and save the file.
- Run the installation again.
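The two checks above (the keystore entry and the keystore element in aveksa-standalone-full.xml) can be scripted as a pre-flight before re-running the installer. This is an added example, not RSA's code: the function names and the sample data are constructed for illustration, and it reads saved `keytool -list -v` output instead of calling keytool so that it runs anywhere.

```shell
#!/bin/sh
# Added example: pre-flight check that the keystore listing and the WildFly
# config both use the alias the installer expects.
REQUIRED_ALIAS=server

# Read `keytool -list -v` output on stdin; print "alias<TAB>entry type" per entry.
keystore_entries() {
    awk -F': ' '
        /^Alias name: / { alias = $2 }
        /^Entry type: / { print alias "\t" $2 }
    '
}

# Succeed only if stdin lists a PrivateKeyEntry under the required alias
# (a trustedCertEntry with that name has no private key and does not count).
has_server_key() {
    keystore_entries | grep -qxF "$(printf '%s\tPrivateKeyEntry' "$REQUIRED_ALIAS")"
}

# Print the alias attribute of every <keystore .../> element in config file $1.
config_aliases() {
    grep -o '<keystore [^>]*>' "$1" | sed -n 's/.* alias="\([^"]*\)".*/\1/p'
}

# $1 = saved keytool listing, $2 = aveksa-standalone-full.xml. Returns 0 if both agree.
check_alias() {
    rc=0
    if ! has_server_key < "$1"; then
        echo "keystore: no PrivateKeyEntry '$REQUIRED_ALIAS'; found: $(keystore_entries < "$1" | cut -f1 | tr '\n' ' ')"
        rc=1
    fi
    found=$(config_aliases "$2")
    [ -n "$found" ] || { echo "config: no <keystore> alias found"; rc=1; }
    for a in $found; do
        [ "$a" = "$REQUIRED_ALIAS" ] || { echo "config: alias=\"$a\", expected \"$REQUIRED_ALIAS\""; rc=1; }
    done
    return $rc
}

# Constructed sample input (not from a real system): the page's server711 case.
demo_dir=$(mktemp -d)
printf 'Alias name: server711\nCreation date: Mar 2, 2015\nEntry type: PrivateKeyEntry\n' > "$demo_dir/list.txt"
printf '<keystore path="/home/oracle/keystore/aveksa.keystore" alias="server711"/>\n' > "$demo_dir/cfg.xml"
check_alias "$demo_dir/list.txt" "$demo_dir/cfg.xml" || echo "result: alias mismatch, fix before re-running the installer"
```

On a real appliance, save the output of the `keytool -list -v` command shown earlier to a file and pass it as the first argument, with the path to aveksa-standalone-full.xml as the second.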