000036403 - WFLYDM0085 The alias specified 'server' does not exist in the KeyStore in RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jan 15, 2019
Version 1

Article Content

Article Number: 000036403
Applies To: RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.1
Platform: Linux
Platform (Other): WildFly application server
 
Issue: When installing RSA Identity Governance & Lifecycle version 7.1 (fresh install or upgrade), if the private key entry in aveksa.keystore has, or is being given, an alias other than "server", the following error may be reported in the aveksa-install.log file and the installation stops.
 
Repackage aveksa.ear to /tmp/repackaged_ear_dir
Deploying aveksa.ear...
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => {"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}}}
Failed to deploy aveksa.ear
Step failed! See /tmp/aveksa-install.log for more information.

<EOF>


The root cause error is located in the WildFly server.log file.
 
2018-05-22 18:18:15,097 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "AveksaRealm")
]) - failure description:
{ "WFLYCTL0080: Failed services" => {"jboss.server.controller.management.security_realm.AveksaRealm.key-manager" => "org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.AveksaRealm.key-manager: Failed to start service
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}"},
"WFLYCTL0412: Required services that are not installed:" => ["jboss.server.controller.management.security_realm.AveksaRealm.key-manager"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined

}


The use cases where this may occur are:

  • In the earlier version, the aveksa.keystore had an alias other than "server".
  • When installing 7.1, you are attempting to implement an alias other than "server".

Additional

These messages occur in the aveksa-install.log when an existing RSA Identity Governance and Lifecycle implementation is being upgraded:
 
...
Creating new keystore directory /home/oracle/keystore
...
Existing aveksa.keystore found under /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
Moving aveksa.keystore to the new keystore directory: /home/oracle/keystore
...
[Tue May 22 18:15:26 EDT 2018] Configuring SSL Certificates completed
...
Cause: The server certificate (chain) with the private key for alias "server" was not found in the aveksa.keystore file when the install process attempted to deploy the aveksa.ear.
The alias "server" is the private key entry for the Aveksa server. The WildFly AveksaRealm key-manager is configured to load that alias, which is why the key-manager service fails to start (and the deployment is rolled back) when the entry is missing.


Additional

  • For 6.9.1
    The default location of aveksa.keystore on a JBoss appliance is: $HOME/jboss-4.2.2.GA/server/default/conf/keystore.

  • For 7.0 and above
    The default location of aveksa.keystore on a WildFly appliance is: /home/oracle/keystore.

The aveksa.keystore file should contain one PrivateKeyEntry with the alias "server". In the default keystore the certificate owner is Aveksa, as in the listing below.
 
# pwd
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore

#  keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Mar 2, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Issuer: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Serial number: 54f4946a
Valid from: Mon Mar 02 11:48:42 EST 2015 until: Thu Jun 12 12:48:42 EDT 2064
Certificate fingerprints:
         MD5:  DF:D2:91:7E:12:95:3A:89:6E:1B:7E:F1:B3:10:E5:A0
         SHA1: 8E:F8:3C:68:1A:39:0F:57:F6:B0:6D:37:AB:F0:28:E9:FE:45:10:79
Signature algorithm name: SHA256withRSA
Version: 3


Please note that the RSA Identity Governance and Lifecycle 7.1 Installation Guide does suggest that the alias can be changed from "server". However, this may be a documentation issue and is currently being examined by RSA Development.

Resolution

Make sure that the aveksa.keystore contains the alias "server".

  1. If upgrading, make sure that the old RSA Identity Governance & Lifecycle software installation contains the correct alias, and run the upgrade again.
  2. If making changes to the aveksa.keystore, take a backup first. Copy the file rather than moving it, so that the keystore is still in place for the keytool commands that follow:

# cp -p aveksa.keystore aveksa.keystore.bak

  3. To change the alias in the aveksa.keystore, use the keytool option -changealias to rename the existing entry. The following is the extract of the help for this option:

-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
             [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

Move an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided, the command will prompt for one. If the original entry is protected with an entry password, the password can be supplied via the "-keypass" option. If no key password is provided, the storepass (if given) will be attempted first. If that attempt fails, the user will be prompted for a password.

  4. An example of changing an alias back to "server" is as follows. In this example, the alias that caused the error is server691:

# keytool -changealias -alias server691 -destalias server -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore

Confirm the result with keytool -list -v (as shown above) before re-running the installer or upgrade.
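As an added example, not part of this article and not RSA tooling, the following POSIX shell script automates the check described in the keystore listing above and the repair described in the Resolution: it parses keytool -list -v output for PrivateKeyEntry aliases, reports whether "server" is present, and, when exactly one private-key entry exists under another alias, backs the keystore up with cp and renames that entry with keytool -changealias, then re-lists to verify. The keystore path (the 7.0+ default), the store password (the default shown in this article) and the presence of keytool on PATH are assumptions; override the first two with the KEYSTORE and STOREPASS environment variables.

```shell
#!/bin/sh
# Added example, not part of the RSA article or product. Checks aveksa.keystore
# for the "server" alias that the WildFly AveksaRealm key-manager expects and,
# when a single private-key entry sits under another alias, renames it.
# Assumptions (not from the article): keystore path and store password below
# are overridable defaults; keytool from the appliance JDK is on PATH.

KEYSTORE="${KEYSTORE:-/home/oracle/keystore/aveksa.keystore}"   # 7.0+ default path
STOREPASS="${STOREPASS:-Av3k5a15num83r0n3}"                      # default password shown in the article

# Read `keytool -list -v` output on stdin; print the alias of every
# PrivateKeyEntry, one per line. Pure awk so it can be exercised offline.
private_key_aliases() {
    awk '
        /^Alias name:/ {
            alias = $0
            sub(/^Alias name:[ \t]*/, "", alias)
            sub(/[ \t]+$/, "", alias)
        }
        /^Entry type:[ \t]*PrivateKeyEntry/ { print alias }
    '
}

# Exit 0 when "server" is one of the PrivateKeyEntry aliases on stdin.
has_server_alias() {
    private_key_aliases | grep -qx 'server'
}

# Inspect the live keystore and repair the alias. Exit codes:
# 0 = "server" present (already or after rename), 1 = keytool/copy failure,
# 2 = zero or several private-key entries, so no safe automatic choice.
repair_alias() {
    listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS") || return 1

    if printf '%s\n' "$listing" | has_server_alias; then
        echo "OK: alias 'server' already present in $KEYSTORE"
        return 0
    fi

    aliases=$(printf '%s\n' "$listing" | private_key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c .) || true
    if [ "$count" -ne 1 ]; then
        echo "Refusing to guess: found $count PrivateKeyEntry aliases in $KEYSTORE:" >&2
        printf '%s\n' "$aliases" >&2
        return 2
    fi

    backup="$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$KEYSTORE" "$backup" || return 1      # copy, not mv: keytool needs the original in place
    echo "Backup written to $backup"

    keytool -changealias -alias "$aliases" -destalias server \
            -keystore "$KEYSTORE" -storepass "$STOREPASS" || return 1

    # Re-list and verify rather than trusting keytool's exit status alone.
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | has_server_alias \
        && echo "Renamed '$aliases' to 'server' in $KEYSTORE"
}

# Run the repair only when invoked as: sh fix_aveksa_alias.sh --run
case "${1:-}" in
    --run) repair_alias ;;
esac
```

Run it as the oracle user with sh fix_aveksa_alias.sh --run before starting the 7.1 installer or upgrade. The script deliberately refuses to rename anything when the keystore holds no private-key entry or more than one, since in that case the operator has to decide which entry is the Aveksa server key.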
Notes: Further information for the keytool utility can be found on the Oracle Java keytool - Key and Certificate Management Tool page.
