This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

SecurID® Governance & Lifecycle Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID Governance & Lifecycle experts.

'WFLYDM0085: The alias specified 'server' does not exist in the KeyStore' error in RSA Identity Governance & Lifecycle

Article Number

000036403

Applies To

RSA Product Set: RSA Identity Governance & Lifecycle
RSA Product/Service Type: Appliance
RSA Version/Condition: 7.1.0, 7.1.1
 

Issue

When attempting to install RSA Identity Governance & Lifecycle version 7.1.0 or 7.1.1, the installation fails.

The /tmp/aveksa-install.log file contains the following error: 
Repackage aveksa.ear to /tmp/repackaged_ear_dir
Deploying aveksa.ear...
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-2" => 
{"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined}}}
Failed to deploy aveksa.ear
Step failed! See /tmp/aveksa-install.log for more information. 
<EOF>

If this is an upgrade, these messages may also be see in the  /tmp/aveksa-install.log:   
...
Creating new keystore directory /home/oracle/keystore
...
Existing aveksa.keystore found under /home/oracle/jboss-4.2.2.GA/server/default/conf/keystore
Moving aveksa.keystore to the new keystore directory: /home/oracle/keystore
...
[Tue May 22 18:15:26 EDT 2018] Configuring SSL Certificates completed
...

The $AVEKSA_HOME/wildfly/standalone/log/server.log contains the following errors: 
2018-05-22 18:18:15,097 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread)
 WFLYCTL0013: Operation ("add") failed - address: ([
("core-service" => "management"),
("security-realm" => "AveksaRealm")
]) - failure description:
{ "WFLYCTL0080: Failed services" => {"jboss.server.controller.management.security_realm.AveksaRealm.key-manager" => 
"org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.AveksaRealm.key-manager: Failed to start service
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: 
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}
Caused by: org.jboss.msc.service.StartException in anonymous service: 
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore, valid aliases are {alias-list}"},
"WFLYCTL0412: Required services that are not installed:" => ["jboss.server.controller.management.security_realm.AveksaRealm.key-manager"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => undefined 
}

 

Cause

The root cause of the failure is this error in the $AVEKSA_HOME/wildfly/standalone/log/server.log file:
 
WFLYDM0085: The alias specified 'server' does not exist in the KeyStore

This error indicates that the server certificate (chain) with the private key for alias server was not found in the $AVEKSA_HOME/keystore/aveksa.keystore file when the install process attempted to deploy the aveksa.ear.
The alias 'server' is the private key for the aveksa server. 

The $AVEKSA_HOME/keystore/aveksa.keystore file should contain one entry called server that should be owned by aveksa. For example:
  
# pwd
/home/oracle/keystore

#  keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore 

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Mar 2, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Issuer: CN=ACM, OU=Aveksa, O=Aveksa, L=Waltham, ST=Massachusetts, C=US
Serial number: 54f4946a
Valid from: Mon Mar 02 11:48:42 EST 2015 until: Thu Jun 12 12:48:42 EDT 2064
Certificate fingerprints:
         MD5:  DF:D2:91:7E:12:95:3A:89:6E:1B:7E:F1:B3:10:E5:A0
         SHA1: 8E:F8:3C:68:1A:39:0F:57:F6:B0:6D:37:AB:F0:28:E9:FE:45:10:79          
         Signature algorithm name: SHA256withRSA          
         Version: 3


The use cases where this may occur are:

  • In the earlier version prior to the upgrade, the aveksa.keystore and/or the WildFly configuration file had an alias different from server.
  • When installing 7.1, you are attempting to implement an alias different from server.

Please note that the RSA Identity Governance and Lifecycle 7.1 Installation Guide does suggest that the alias can be changed from server but this is not the case.

Resolution

Make sure that the $AVEKSA_HOME/keystore/aveksa.keystore and the $AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml (WildFly configuration file) each contain the alias name server.
 
  1. $AVEKSA_HOME/keystore/aveksa.keystore  
 
As the root user check the alias name in the aveksa.keystore file.
cd $AVEKSA_HOME/keystore
keytool -list -v -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
  The output should have the following:  
Alias name: server
If there is any other value for the alias name, it needs to be changed to server.  
 
To change the alias name in aveksa.keystore:
  1. Backup the existing keystore:
# mv aveksa.keystore aveksa.keystore.bak
  1. Use the keytool option -changealias to change the existing entry, where the following is the extract of the help for this option
-changealias [-v] [-protected] -alias <alias> -destalias <destalias>
             [-keypass <keypass>]
             [-keystore <keystore>] [-storepass <storepass>]
             [-storetype <storetype>] [-providername <name>]
             [-providerclass <provider_class_name> [-providerarg <arg>]] ...
             [-providerpath <pathlist>]

Move an existing keystore entry from the specified alias to a new alias, destalias. If no destination alias is provided, 
the command will prompt for one. If the original entry is protected with an entry password, the password can be supplied 
via the "-keypass" option. If no key password is provided, the storepass (if given) will be attempted first. 
If that attempt fails, the user will be prompted for a password.
An example of changing an alias back to server is as follows. In this example, the alias name that caused the error is server711:
# keytool -changealias -alias server711 -destalias server -storepass Av3k5a15num83r0n3 -keystore aveksa.keystore
 
  1. $AVEKSA_HOME/wildfly/standalone/configuration/aveksa-standalone-full.xml  
  1. As the root user check the alias name in the aveksa-standalone-full.xml file
cd $AVEKSA_HOME/wildfly/standalone/configuration
vi aveksa-standalone-full.xml
  1. Look for the keystore path. It should look similar to this:
<keystore path="/home/oracle/keystore/aveksa.keystore" keystore-password="Av3k5a15num83r0n3" alias="server" key-password="Av3k5a15num83r0n3"/>
 
The path should have the following:  
alias="server"
If there is any other value for the alias name, it needs to be changed to server.  
 
  1. If needed, edit aveksa-standalone-full.xml, change the alias name to server, and save the file.
 
  1. Run the installation again.

Notes

Further information for the keytool utility can be found on the Oracle Java keytool - Key and Certificate Management Tool page.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2020-12-12 12:08 PM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.