000030469 - ACM - Error 404 thrown after restart; "Cannot recover key" is in the aveksaServer.log when binding the SSL port

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000030469
Applies To:
RSA Product Set: RSA Via Lifecycle and Governance
RSA Product Set: RSA Identity Management and Governance
RSA Product Set: Aveksa Access Certification Manager
RSA Version/Condition: 6.9.1
Platform (Other): SUSE Linux
Issue: After restarting the Access Certification Manager product, the server is unavailable for browser connections and does not become accessible. The aveksaServer.log contains the error Cannot recover key when the server tries to bind the SSL port used for the Administration GUI.

This is an example of the Java stack trace from the aveksaServer.log:
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint
java.io.IOException: Cannot recover key
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
    at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
    at org.apache.catalina.connector.Connector.start(Connector.java:1146)
    at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
    at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
    at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:622)
    at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
    at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
    at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
    at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
    at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
    at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
    at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
    at org.jboss.Main.boot(Main.java:200)
    at org.jboss.Main$1.run(Main.java:508)
    at java.lang.Thread.run(Thread.java:701)
Cause: This error can be caused by the aveksa.keystore having a keystore password that differs from the private key passphrase, or by the JBOSS server.xml containing an incorrect password that does not match.
The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:
JBOSS server.xml on RSA hardware and soft appliances exists by default in this directory:
By default the aveksa.keystore password is Av3k5a15num83r0n3.
The private key password for the certificate alias 'server' is also Av3k5a15num83r0n3.
Because the JBOSS server.xml does not have a private key password parameter, the private key password must be the same as the keystore password.

Resolution: Java keytool can be used to verify the passwords and/or change them so that they are in sync.
The server.xml should then be checked to make sure it contains the passwords that were validated with keytool.

To test that the password in the server.xml is correct, assuming the server.xml has the default, you could run this command from within
These commands can be run as any user with read privilege to the files, which is true for root and oracle:
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
To verify that the private key password and keystore password match:

keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 -deststoretype PKCS12 -srcalias server -deststorepass changeit -srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
Replace the -srcstorepass and -srckeypass values with the password you retrieved from the server.xml that you are attempting to validate.
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error Cannot recover key, this means that the private key password does not match.
The private key password can be changed using this command, but you have to know the original password. Make a backup of the aveksa.keystore file first:
cp aveksa.keystore aveksa.keystore.date
keytool -keypasswd -alias server -keystore aveksa.keystore
You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.
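
The two verification steps above can be combined into one check that reads the password from server.xml and reports which of the two passwords is out of sync. This is an added example, not part of the original RSA article or product. The function names are hypothetical, keystorePass is the Tomcat/JBoss Web Connector attribute name (it does not appear on this page), and the file paths are supplied by the caller.

```bash
#!/bin/bash
# Added example. keystorePass is the Tomcat/JBoss Web Connector attribute;
# the file paths passed in are whatever your installation uses.

# Print the keystorePass value of the first Connector that sets one.
# Assumes the attribute is double-quoted and contains no XML entities.
extract_keystore_pass() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_keystore SERVER_XML KEYSTORE [ALIAS]
# Returns 0 passwords match, 1 keystore password wrong,
#         2 private key password differs, 3 no keystorePass, 4 other error.
check_keystore() {
    local xml ks key_alias pass tmp out rc
    xml=$1; ks=$2; key_alias=${3:-server}
    pass=$(extract_keystore_pass "$xml")
    [ -n "$pass" ] || { echo "no keystorePass in $xml" >&2; return 3; }

    # Step 1: the keystore password, as in the keytool -list command above.
    if ! keytool -list -keystore "$ks" -storepass "$pass" >/dev/null 2>&1; then
        echo "keystorePass from $xml does not open $ks" >&2
        return 1
    fi

    # Step 2: the private key password. The scratch PKCS12 file holds a copy
    # of the private key, so it lives in a private temp dir and is removed.
    tmp=$(mktemp -d) || return 4
    rc=0
    out=$(keytool -importkeystore -noprompt -srckeystore "$ks" \
        -srcalias "$key_alias" -srcstorepass "$pass" -srckeypass "$pass" \
        -destkeystore "$tmp/test.p12" -deststoretype PKCS12 \
        -deststorepass changeit 2>&1) || rc=$?
    rm -rf "$tmp"

    if [ "$rc" -eq 0 ]; then
        echo "keystore and private key passwords both match $xml"
        return 0
    fi
    case $out in
        *"Cannot recover key"*)
            echo "private key password for '$key_alias' differs from keystorePass" >&2
            return 2 ;;
    esac
    echo "$out" >&2
    return 4
}
```

After sourcing the file, call check_keystore with the path to server.xml and the path to aveksa.keystore; a return code of 2 corresponds to the Cannot recover key condition described in this article.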