404 Error accessing User Interface and 'java.io.IOException: Cannot recover key' error in the aveksaServer.log file when starting RSA Identity Governance & Lifecycle
Originally Published: 2015-06-09
Article Number
Applies To
Platform/Application Server: JBoss
RSA Version/Condition: 6.9.1
O/S Version: SUSE Linux
Issue
The following error is logged to the aveksaServer.log file ($AVEKSA_HOME/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/log/aveksaServer.log):
06/08/2015 09:36:16.543 ERROR (main) [org.apache.coyote.http11.Http11Protocol] Error starting endpoint java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:394)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:135)
at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:497)
at org.apache.tomcat.util.net.JIoEndpoint.start(JIoEndpoint.java:514)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:203)
at org.apache.catalina.connector.Connector.start(Connector.java:1146)
at org.jboss.web.tomcat.service.JBossWeb.startConnectors(JBossWeb.java:584)
at org.jboss.web.tomcat.service.JBossWeb.handleNotification(JBossWeb.java:621)
at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:622)
at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
at com.sun.proxy.$Proxy45.handleNotification(Unknown Source)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.handleNotification(JBossNotificationBroadcasterSupport.java:127)
at org.jboss.mx.util.JBossNotificationBroadcasterSupport.sendNotification(JBossNotificationBroadcasterSupport.java:108)
at org.jboss.system.server.ServerImpl.sendNotification(ServerImpl.java:916)
at org.jboss.system.server.ServerImpl.doStart(ServerImpl.java:497)
at org.jboss.system.server.ServerImpl.start(ServerImpl.java:362)
at org.jboss.Main.boot(Main.java:200)
at org.jboss.Main$1.run(Main.java:508)
at java.lang.Thread.run(Thread.java:701)
This error occurs at the point where RSA Identity Governance & Lifecycle tries to bind to the SSL port used for RSA Identity Governance & Lifecycle browser connections.
Cause
The aveksa.keystore file for RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
The JBoss server.xml file on RSA hardware and soft appliances exists by default in this directory:
/home/oracle/jboss-4.2.2.GA/server/all/deploy/jboss-web.deployer
By default the aveksa.keystore password is Av3k5a15num83r0n3. The private key password for the certificate alias server is also Av3k5a15num83r0n3
Since the JBoss server.xml file does not have a private key password parameter, it requires that the password be the same.
Resolution
To test that the password in the server.xml file is correct and assuming the password in server.xml is the original default password:
- Login as either root or oracle and go to the keystore directory:
cd /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
- Run the following keytool command. Note keytool comands can be run as any user with read privilege to the files which is true for both root and oracle.
keytool -list -keystore aveksa.keystore -storepass Av3k5a15num83r0n3
- To verify that the private key password and keystore password match:
keytool -importkeystore -srckeystore aveksa.keystore -destkeystore test.p12 -deststoretype PKCS12 -srcalias server -deststorepass changeit -srcstorepass Av3k5a15num83r0n3 -srckeypass Av3k5a15num83r0n3
When executing the above command, replace the srcstorepass and srckeypass with the password you retrieved from the server.xml file that you are attempting to validate.
If the command returns without error, you will see that a test.p12 file was generated (it can be deleted).
If the command returns the error below, it means that the private key password does not match.
If the command returns the error below, it means that the private key password does not match.
Cannot recover key
- The private key password can be changed using the following command, but the original password must be known (backup the aveksa.keystore file first.)
cp aveksa.keystore aveksa.keystore.date keytool -keypasswd -alias server -keystore aveksa.keystore
- You will be prompted for the keystore password, then the existing private key password, and finally the new private key password you want to set.
Related Articles
RSA VIA L&G / IMG / Aveksa - AFX fails to start times out and this error is in the logs A WebGroup/Virtual Host to handle … Number of Views Console logging to Dell 250 appliance gives error 404 error using Internet Explorer 11 Number of Views How to recover from incorrectly uploading a DER encoded public SSL certificate to the SecurID Access Administration Console Number of Views Error: '404 Not Found' in RSA Federated Identity Manager (FIM) 2.0 when user redirected to Relying Party with the artifact Number of Views Recover from an Incorrect Gateway Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process RSA Release Notes for RSA Authentication Manager 8.8 RSA RADIUS Server service failed to start in the RSA Authentication Manager 8.1 Operations Console Microsoft Entra ID External MFA - Relying Party Configuration Using OIDC - RSA Ready Implementation Guide RSA Release Notes: Cloud Access Service and RSA Authenticators
Don't see what you're looking for?
