000036403 - 'WFLYDM0085: The alias specified 'server' does not exist in the KeyStore' error in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jan 15, 2019. Last modified by RSA Customer Support Employee on Feb 1, 2020. Version 3.

Article Content

Article Number: 000036403
Applies To:
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.1.0, 7.1.1
 
Issue

When attempting to install RSA Identity Governance & Lifecycle version 7.1.0 or 7.1.1, the installation fails.

The /tmp/aveksa-install.log file contains the following error:


Repackage aveksa.ear to /tmp/repackaged_ear_dir
Deploying aveksa.ear...
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" =>
{"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}}}
Failed to deploy aveksa.ear
Step failed!
See /tmp/aveksa-install.log for more information.
<EOF>


If this is an upgrade, these messages may also be seen in /tmp/aveksa-install.log:


...
Creating new keystore directory /home/oracle/keystore
...
Existing aveksa.keystore found under /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
Moving aveksa.keystore to the new keystore directory: /home/oracle/keystore
...
[Tue May 22 18:15:26 EDT 2018] Configuring SSL Certificates completed
...


The $AVEKSA_HOME/wildfly/standalone/log/server.log contains the following errors:


2018-05-22 18:18:15,097 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread)
WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "AveksaRealm")
]) - failure description:
{ "WFLYCTL0080: Failed services" => {"jboss.server.controller.management.security_realm.AveksaRealm.key-manager" =>
"org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.AveksaRealm.key-manager: Failed to start service
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service:
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}
Caused by: org.jboss.msc.service.StartException in anonymous service:
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}"},
"WFLYCTL0412: Required services that are not installed:" => ["jboss.server.controller.management.security_realm.AveksaRealm.key-manager"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined
}


 
Cause

The root cause of the failure is this error in the $AVEKSA_HOME/wildfly/standalone/log/server.log file:
 
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore


This error indicates that the server certificate (chain) with the private key for the alias server was not found in the $AVEKSA_HOME/keystore/aveksa.keystore file when the install process attempted to deploy aveksa.ear. The alias server is the private key entry for the Aveksa server.

The $AVEKSA_HOME/keystore/aveksa.keystore file should contain a single entry with the alias server, whose certificate Owner is Aveksa. For example:
 


# pwd
/home/oracle/keystore

#  keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Mar 2, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Issuer: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Serial number: 54f4946a
Valid from: Mon Mar 02 11:48:42 EST 2015 until: Thu Jun 12 12:48:42 EDT 2064
Certificate fingerprints:
         MD5:  DF:D2:91:7E:12:95:3A:89:6E:1B:7E:F1:B3:10:E5:A0
         SHA1: 8E:F8:3C:68:1A:39:0F:57:F6:B0:6D:37:AB:F0:28:E9:FE:45:10:79          
         Signature algorithm name: SHA256withRSA          
         Version: 3




The use cases where this may occur are:



  • In the earlier version prior to the upgrade, the aveksa.keystore and/or the WildFly configuration file had an alias different from server.
  • When installing 7.1, you are attempting to implement an alias different from server.

Please note that the RSA Identity Governance and Lifecycle 7.1 Installation Guide suggests that the alias can be changed from server, but this is not the case.

Resolution

Make sure that the $AVEKSA_HOME/keystore/aveksa.keystore and the $AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml (WildFly configuration file) each contain the alias name server.
 
  1. $AVEKSA_HOME/keystore/aveksa.keystore
 

As the root user, check the alias name in the aveksa.keystore file:



cd $AVEKSA_HOME/keystore
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore


The output should have the following:

Alias name: server

If there is any other value for the alias name, it needs to be changed to server.
 


To change the alias name in aveksa.keystore:


     a. Back up the existing keystore:



# cp -p aveksa.keystore aveksa.keystore.bak   # copy rather than move: the -changealias step below operates on aveksa.keystore in place



     b. Use the keytool option -changealias to rename the existing entry. The following is an extract of the help for this option:



-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
             [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

Move an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided,
the command will prompt for one. If the original entry is protected with an entry password, the password can be supplied
via the "-keypass" option. If no key password is provided, the storepass (if given) will be attempted first.
If that attempt fails, the user will be prompted for a password.


An example of changing an alias back to server follows. In this example, the alias name that caused the error is server711:




# keytool -changealias -alias server711 -destalias server -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

 

  2. $AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml


     a. As the root user, check the alias name in the aveksa-standalone-full.xml file:


cd $AVEKSA_HOME/wildfly/standalone/configuration
vi aveksa-standalone-full.xml


     b. Look for the keystore element. It should look similar to this:


<keystore path="/home/oracle/keystore/aveksa.keystore" keystore-password="Av3k5a15num83r0n3" alias="server" key-password="Av3k5a15num83r0n3"/>

 

The keystore element should have the following attribute:

alias="server"

If there is any other value for the alias name, it needs to be changed to server.
 


     c. If needed, edit aveksa-standalone-full.xml, change the alias name to server, and save the file.

 

  3. Run the installation again.
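The two conditions the resolution above checks by hand (a PrivateKeyEntry under the alias server in aveksa.keystore, and alias="server" on the aveksa.keystore element in aveksa-standalone-full.xml) can be verified in one pass before the installer is re-run. The following POSIX shell script is an added example written for this article; it is not part of the RSA product or the original knowledge base entry. It assumes AVEKSA_HOME is /home/oracle unless the variable is already set, uses the store password quoted in the article, and expects keytool on the PATH when run_checks is invoked. The parsing functions take the keytool listing as text, so they can be exercised on a saved listing without a live keystore.

```shell
#!/bin/sh
# Added pre-install check for the WFLYDM0085 alias error (example, not RSA code).
# Assumptions: AVEKSA_HOME defaults to /home/oracle; STOREPASS is the default
# store password quoted in the article; keytool is on PATH for run_checks.

AVEKSA_HOME="${AVEKSA_HOME:-/home/oracle}"
KEYSTORE="$AVEKSA_HOME/keystore/aveksa.keystore"
CONFIG="$AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml"
STOREPASS="Av3k5a15num83r0n3"
EXPECTED_ALIAS="server"

# keystore_aliases: reads a 'keytool -list -v' listing on stdin and prints
# one alias per line.
keystore_aliases() {
    sed -n 's/^Alias name: //p'
}

# keystore_has_alias LISTING ALIAS: returns 0 when LISTING (the text of
# 'keytool -list -v') contains a PrivateKeyEntry stored under ALIAS.
# A TrustedCertEntry under the same alias does not count, because the
# WildFly key-manager needs the private key.
keystore_has_alias() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: PrivateKeyEntry/ && alias == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# config_alias FILE: prints the alias attribute of the <keystore .../> element
# whose path refers to aveksa.keystore. Other realms in the same file may
# carry their own <keystore> element, so the element is selected by path.
config_alias() {
    sed -n '/<keystore [^>]*aveksa\.keystore/s/.*<keystore [^>]*alias="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# run_checks: returns 0 when both the keystore and the configuration use
# "server"; 1 when either differs; 2 when the keystore cannot be listed.
run_checks() {
    listing=$(keytool -list -v -storepass "$STOREPASS" -keystore "$KEYSTORE") || return 2
    if ! keystore_has_alias "$listing" "$EXPECTED_ALIAS"; then
        echo "keystore: no PrivateKeyEntry with alias '$EXPECTED_ALIAS'; aliases present:" \
             "$(printf '%s\n' "$listing" | keystore_aliases | tr '\n' ' ')" >&2
        return 1
    fi
    actual=$(config_alias "$CONFIG")
    if [ "$actual" != "$EXPECTED_ALIAS" ]; then
        echo "config: <keystore ... alias=\"$actual\"> in $CONFIG should be alias=\"$EXPECTED_ALIAS\"" >&2
        return 1
    fi
    echo "ok: keystore and configuration both use alias '$EXPECTED_ALIAS'"
}
```

Run it as root (for example by sourcing the file and calling run_checks) before step 3; a non-zero return shows which of the two places still carries the wrong alias, which is the same distinction steps 1 and 2 draw by hand.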
Notes

Further information for the keytool utility can be found on the Oracle Java keytool - Key and Certificate Management Tool page.
