This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle

Article Number

000030469

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle 
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
 

Issue

After an application restart, the RSA Identity Governance & Lifecycle user interface is unavailable.

The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log😞
 
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key     
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)     
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)     
  at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)     
  at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)     
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)     
​​​​​​​  at org.apache.catalina.connector.Connector.start(Connector.java:1146)     
​​​​​​​  at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)     
​​​​​​​  at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)     
​​​​​​​  at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)     
​​​​​​​  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)     
​​​​​​​  at java.lang.reflect.Method.invoke(Method.java:622)     
​​​​​​​  at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)     
​​​​​​​  at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)     
​​​​​​​  at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127) 
  at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
  at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)     
  at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)     
  at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)     
  at org.jboss.Main.boot(Main.java:200)     
  at org.jboss.Main$1.run(Main.java:508)     
  at java.lang.Thread.run(Thread.java:701)

This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
 

Cause

This error occurs when the aveksa.keystore has a different password for the keystore than the private key passphrase, or the JBoss server.xml file contains an incorrect password that does not match the aveksa.keystore password.

The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory: 
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore

The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory: 
/home/oracle/jboss-4.2.2.GA/server/all/deploy/jboss-web.deployer

By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3

Since the JBoss server.xml file does not have a private key password parameter, it requires that the password be the same.
 

Resolution

The java keytool utility can be used to verify and/or change the passwords to be the same. The server.xml file should be checked to make sure that it has the appropriate password that was validated with the keytool utility.

To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
  1. Login as either root or oracle and go to the keystore directory:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
  1. Run the following keytool command. Note keytool comands can be run as any user with read privilege to the files which is true for both root and oracle.
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
  1. To verify that the private key password and keystore password match:
keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 
-deststoretype PKCS12 -srcalias server -deststorepass changeit 
-srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.
 
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.
Cannot recover key
  1. The private key password can be changed using the following command, but the original password must be known (backup the aveksa.keystore file first.)
cp aveksa.keystore aveksa.keystore.date
keytool -keypasswd -alias server -keystore aveksa.keystore
  1. You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.

 
Tags (72)
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 09:36 AM
Updated by:
Administrator Administrator

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.