How to resolve the error "java.security.UnrecoverableKeyException: Cannot recover key" when trying to enable SSL on TIBCO Data Virtualization?
Article ID: KB0070710
Updated On:
| Products | Versions |
|---|---|
| TIBCO Data Virtualization | All supported versions |
Description
This article talks about the reason why the below error is noticed in the TDV (TIBCO Data Virtualization) start-up logs after importing the correct private key and the certificates into the [TDV_Install_Dir]/conf/server/security/cis_server_keystore.jks and [TDV_Install_Dir]/conf/server/security/cis_server_truststore.jks files.
From the cs_server.log:
--------------------
ERROR [main] 2024-01-29 13:59:53.001 +0000 CompositeServer - null
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover (KeyProtector.java:304) ~[?:?]
at sun.security.provider.JavaKeyStore.engineGetKey (JavaKeyStore.java:144) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineGetKey (KeyStoreDelegator.java:90) ~[?:?]
at java.security.KeyStore.getKey(KeyStore.java:1057) ~[?:?]
at com.compositesw.common.security.KeyStoreUtil.getKeys (KeyStoreUtil.java:310) ~[cscommon-080601001.jar:?]
at com.compositesw.common.security.KeyStoreUtil.isAliasInKeyStore (KeyStoreUtil.java:612) ~[cscommon-080601001.jar:?]
at com.compositesw.server.security.KeyStoreUtil.loadKeyStore (KeyStoreUtil.java:333) ~[csserver-080601001.jar:?]
at com.compositesw.server.security.KeyStoreUtil.configureKeystore (KeyStoreUtil.java:130) ~[csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.addHttps (CompositeServer.java:543) [csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.configureHttps (CompositeServer.java:485) [csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.startServer (CompositeServer.java:1392) [csserver-080601001.jar:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at com.compositesw.base.boot.ServerBoot.main(ServerBoot.java:89) [csbase.jar:?]
ERROR [main] 2024-01-29 13:59:53.002 +0000 CompositeServer – Unable to initialize HTTP/S port. SSL service is disabled.
--------------------
From the cs_server.log:
--------------------
ERROR [main] 2024-01-29 13:59:53.001 +0000 CompositeServer - null
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover (KeyProtector.java:304) ~[?:?]
at sun.security.provider.JavaKeyStore.engineGetKey (JavaKeyStore.java:144) ~[?:?]
at sun.security.util.KeyStoreDelegator.engineGetKey (KeyStoreDelegator.java:90) ~[?:?]
at java.security.KeyStore.getKey(KeyStore.java:1057) ~[?:?]
at com.compositesw.common.security.KeyStoreUtil.getKeys (KeyStoreUtil.java:310) ~[cscommon-080601001.jar:?]
at com.compositesw.common.security.KeyStoreUtil.isAliasInKeyStore (KeyStoreUtil.java:612) ~[cscommon-080601001.jar:?]
at com.compositesw.server.security.KeyStoreUtil.loadKeyStore (KeyStoreUtil.java:333) ~[csserver-080601001.jar:?]
at com.compositesw.server.security.KeyStoreUtil.configureKeystore (KeyStoreUtil.java:130) ~[csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.addHttps (CompositeServer.java:543) [csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.configureHttps (CompositeServer.java:485) [csserver-080601001.jar:?]
at com.compositesw.server.services.CompositeServer.startServer (CompositeServer.java:1392) [csserver-080601001.jar:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at com.compositesw.base.boot.ServerBoot.main(ServerBoot.java:89) [csbase.jar:?]
ERROR [main] 2024-01-29 13:59:53.002 +0000 CompositeServer – Unable to initialize HTTP/S port. SSL service is disabled.
--------------------
Issue/Introduction
How to resolve the error "java.security.UnrecoverableKeyException: Cannot recover key" when trying to enable SSL on TIBCO Data Virtualization?
Resolution
This error is generally noticed when the private key's password is not the same as the Keystore in which it is imported (cis_server_keystore in our case).
Below is the command to change the password of a keystore file:
------
> keytool -storepasswd -keystore /path/to/keystore
Enter keystore password: changeit
New keystore password: new-password (same as the private key)
Re-enter new keystore password: new-password (same as the private key)
-------
Steps to follow to resolve this error :
(i) Revert the changes made w.r.t to the new certificates in the cis_server_keystore.jks and cis_server_truststore.jks files and get the TDV server back up running with the older certificates (login through the TDV Studio/Web manager to confirm if the server is up)
(ii) Backup the cis_server_keystore.jks, cis_server_truststore.jks and [TDV_Install_Dir]/conf/server/server_values.xml files
(iii) Import the right certificates (along with the private key) into the cis_server_keystore.jks and cis_server_truststore.jks files
(iv) Change the password of the cis_server_keystore.jks file using the above command to match the private key's password.
(v) Navigate to the below configuration on TDV Studio and change the password to match the private key's password:
TDV Studio -> Administration -> Configuration -> Server -> Communications -> Keystore password (On Server Restart)
(vi) Restart TDV Server
(vii) Review the cs_server.log after the start-up to see if the error is resolved.
Below is the command to change the password of a keystore file:
------
> keytool -storepasswd -keystore /path/to/keystore
Enter keystore password: changeit
New keystore password: new-password (same as the private key)
Re-enter new keystore password: new-password (same as the private key)
-------
Steps to follow to resolve this error :
(i) Revert the changes made w.r.t to the new certificates in the cis_server_keystore.jks and cis_server_truststore.jks files and get the TDV server back up running with the older certificates (login through the TDV Studio/Web manager to confirm if the server is up)
(ii) Backup the cis_server_keystore.jks, cis_server_truststore.jks and [TDV_Install_Dir]/conf/server/server_values.xml files
(iii) Import the right certificates (along with the private key) into the cis_server_keystore.jks and cis_server_truststore.jks files
(iv) Change the password of the cis_server_keystore.jks file using the above command to match the private key's password.
(v) Navigate to the below configuration on TDV Studio and change the password to match the private key's password:
TDV Studio -> Administration -> Configuration -> Server -> Communications -> Keystore password (On Server Restart)
(vi) Restart TDV Server
(vii) Review the cs_server.log after the start-up to see if the error is resolved.
Feedback
Yes
No
Powered by
