000036952 - After updating the certificates for RSA Identity Governance & Lifecycle, WildFly reports error: JBAS015299: The KeyStore /home/oracle/keystore/aveksa.keystore does not contain any keys.

Document created by RSA Customer Support Employee on Dec 7, 2018
Version 1

Article Content

Article Number: 000036952
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.0.0 and above
Issue: After replacing the certificates for the RSA Identity Governance and Lifecycle application, it fails to start.

On examination, the following error is found in the WildFly log file: server.log.

2018-11-12 12:13:01,200 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.AveksaRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.AveksaRealm.key-manager:
JBAS015299: The KeyStore /home/oracle/keystore/aveksa.keystore does not contain any keys.

When the /home/oracle/keystore/aveksa.keystore file is examined, the following results are returned.

# keytool -list -alias server -keystore aveksa.keystore
Enter keystore password:
server, Nov 7, 2018, trustedCertEntry,

NOTE: The recommended password for the aveksa.keystore is: Av3k5a15num83r0n3
Cause: The "server" alias in the aveksa.keystore is not of Entry type: PrivateKeyEntry.
This is why WildFly reports that the file does not contain any keys.

This can occur if the "server" alias is replaced with a certificate on its own. A certificate imported without its private key is stored as Entry type: trustedCertEntry.
Resolution: Work through all the steps from article 000030130 - How to replace the server certificate used for the RSA Identity Governance & Lifecycle appliance web administration interface
This is because the Private Key entry in the aveksa.keystore is missing and needs to be re-generated.

Step 2 from article 30130 is as follows.

keytool -genkeypair -keysize 2048 -alias server -keyalg RSA -keystore my.keystore -dname "CN=rsa-img.rsa.com" -ext san=dns:rsa-img.rsa.com,dns:rsa-img

This creates a new keystore file in which the "server" alias is of Entry type: PrivateKeyEntry.
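As an added example that is not part of this RSA article, the following POSIX shell script parses `keytool -list` output and checks that a given alias (by default "server") holds a PrivateKeyEntry, which is what the WildFly key-manager requires. It can be run against the captured listing before and after re-generating the key pair. The two sample listings, the fingerprint value and the KEYSTORE_PASS environment variable are constructed for illustration and are not from the article.

```shell
#!/bin/sh
# Added example (not from the RSA article): pre-flight check that the alias
# WildFly's key-manager uses is a PrivateKeyEntry, not a trustedCertEntry.

# Print the entry type recorded for an alias in a `keytool -list` listing
# read from stdin. keytool prints one line per entry of the form
#   <alias>, <date>, <entryType>,
# (the date itself contains a comma, so the entry type is the last field).
# Prints "missing" if the alias is not present.
entry_type_for_alias() {
  alias_name="$1"
  awk -v a="$alias_name" '
    index($0, a ", ") == 1 {
      sub(/,[[:space:]]*$/, "")        # drop the trailing comma keytool appends
      n = split($0, f, /, */)
      print f[n]; found = 1; exit
    }
    END { if (!found) print "missing" }
  '
}

# Return 0 if the alias holds a private key, 1 otherwise, with a reason.
# Reads the listing from stdin so it works on captured output too.
require_private_key() {
  alias_name="$1"
  t=$(entry_type_for_alias "$alias_name")
  case "$t" in
    PrivateKeyEntry)
      echo "ok: alias '$alias_name' is a PrivateKeyEntry"; return 0 ;;
    trustedCertEntry)
      echo "FAIL: alias '$alias_name' is a trustedCertEntry (certificate only, no private key); WildFly will report JBAS015299"; return 1 ;;
    missing)
      echo "FAIL: alias '$alias_name' not found in keystore"; return 1 ;;
    *)
      echo "FAIL: alias '$alias_name' has unexpected entry type '$t'"; return 1 ;;
  esac
}

# Wrapper for a real keystore: needs keytool on PATH. The store password is
# taken from the KEYSTORE_PASS environment variable (an assumption of this
# example) via keytool's -storepass:env form, so it never appears in ps output.
check_keystore() {
  keystore="$1"; alias_name="${2:-server}"
  keytool -list -keystore "$keystore" -storepass:env KEYSTORE_PASS 2>/dev/null \
    | require_private_key "$alias_name"
}

# Constructed sample listings (no real keystore behind them).
# BROKEN_LISTING reproduces the situation in the article: alias present,
# but only as a trusted certificate.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

server, Nov 7, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# GOOD_LISTING is what a keystore looks like after keytool -genkeypair.
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

server, Nov 12, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Demonstration on the constructed listings (no keystore needed):
printf '%s\n' "$BROKEN_LISTING" | require_private_key server || true
printf '%s\n' "$GOOD_LISTING"   | require_private_key server
```

On the appliance, `KEYSTORE_PASS=... sh check.sh` followed by `check_keystore /home/oracle/keystore/aveksa.keystore` gives a non-zero exit status exactly when WildFly would fail with JBAS015299, so it can be run before restarting the service.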
Notes: Please note that in this situation no entries are written to the aveksaServer.log, because the application has not yet started.