000030469 - 404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support on Jul 27, 2020
Version 6Show Document
  • View in full screen mode

Article Content

Article Number000030469
Applies ToRSA Product Set: RSA Identity Governance & Lifecycle 
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
IssueAfter an application restart, the RSA Identity Governance & Lifecycle user interface is unavailable.

The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log):
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key     
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)     
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)     
  at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)     
  at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)     
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)     
  at org.apache.catalina.connector.Connector.start(Connector.java:1146)     
  at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)     
  at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)     
  at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)     
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)     
  at java.lang.reflect.Method.invoke(Method.java:622)     
  at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)     
  at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)     
  at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127) 
  at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
  at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)     
  at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)     
  at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)     
  at org.jboss.Main.boot(Main.java:200)     
  at org.jboss.Main$1.run(Main.java:508)     
  at java.lang.Thread.run(Thread.java:701)

This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
CauseThis error occurs when the aveksa.keystore has a different password for the keystore than the private key passphrase, or the JBoss server.xml file contains an incorrect password that does not match the aveksa.keystore password.

The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:


The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory:


By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3

Since the JBoss server.xml file does not have a private key password parameter, it requires that the password be the same.

ResolutionThe java keytool utility can be used to verify and/or change the passwords to be the same. The server.xml file should be checked to make sure that it has the appropriate password that was validated with the keytool utility.

To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
  1. Login as either root or oracle and go to the keystore directory:

cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore

  1. Run the following keytool command. Note keytool comands can be run as any user with read privilege to the files which is true for both root and oracle.

keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3

  1. To verify that the private key password and keystore password match:

keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12
-deststoretype PKCS12 -srcalias server -deststorepass changeit
-srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3

When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.

If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.

Cannot recover key

  1. The private key password can be changed using the following command, but the original password must be known (backup the aveksa.keystore file first.)

cp aveksa.keystore aveksa.keystore.date
keytool -keypasswd -alias server -keystore aveksa.keystore

  1. You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.