How to check if a keystore is using a separate password for PRIVATEKEY vs KEYSTORE: java.security.UnrecoverableKeyException: Cannot recover key

Article ID: 202953

Products

CA Cloud Test Mobile CA Application Test Service Virtualization

Issue/Introduction

When validating SASL-SCRAM using an SSL connection, we get the following error:

initializing Key Store
Error: Error accessing key null + in keystore: Cannot recover key


============================================================================
| Exception: 
============================================================================
| Message:     Error accessing key null + in keystore: Cannot recover key
----------------------------------------------------------------------------
| Trapped Exception: Cannot recover key
| Trapped Message:   java.security.UnrecoverableKeyException: Cannot recover key
----------------------------------------------------------------------------
STACK TRACE
java.security.UnrecoverableKeyException: Cannot recover key
 at sun.security.provider.KeyProtector.recover(Unknown Source)
 at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
 at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
 at sun.security.provider.KeyStoreDelegator.engineGetKey(Unknown Source)
 at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(Unknown Source)
 at java.security.KeyStore.getKey(Unknown Source)
 at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
 at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
 at javax.net.ssl.KeyManagerFactory.init(Unknown Source)

 

Environment

All supported DevTest releases.

Cause

The keystore had different passwords for PRIVATEKEY and KEYSTORE, which is not currently supported.

Run the command below and check whether you see 2 entries similar to the ones shown below (a trustedCertEntry and a PrivateKeyEntry).

C:\Program Files\CA\DevTest>.\jre\bin\keytool.exe -keystore D:\CA\DevTest_10.5\certs\dev.kafka.truststore.jks -storepass <enter keystore password> -list

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Feb 3, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 66:F7:ED:8A:05:C5:F6:93:28:83:A6:B8:28:DC:6A:9F:1A:67:6A:93
jetty, Feb 3, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): F5:30:09:E1:D0:A3:DA:2C:2D:A8:BC:BA:CD:47:42:AE:B7:D3:5B:9D

Resolution

Change the keystore to use the same password for the PRIVATEKEY and the KEYSTORE.
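
The keytool listing shows which entries exist but does not test the key password. The following added example (not part of the original article or of DevTest) loads the keystore with the keystore password and then tries to recover each PrivateKeyEntry with that same password, which is the call that fails in the stack trace above. The class name KeyPasswordCheck is an assumption chosen for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class KeyPasswordCheck {

    // Aliases of key entries that cannot be recovered with the keystore password.
    static List<String> mismatchedAliases(KeyStore ks, char[] storePass) throws Exception {
        List<String> mismatched = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trustedCertEntry: holds no private key, so no key password
            }
            try {
                ks.getKey(alias, storePass); // the call that fails in the stack trace
            } catch (UnrecoverableKeyException e) {
                mismatched.add(alias); // key is protected with a different password
            }
        }
        return mismatched;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from an interactive console): java KeyPasswordCheck <keystore.jks>");
            System.exit(2);
        }
        // Prompt for the password so it does not end up in shell history or process listings.
        char[] storePass = System.console().readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS"); // keystore type reported by keytool above
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // throws IOException if the keystore password itself is wrong
        }
        List<String> mismatched = mismatchedAliases(ks, storePass);
        Arrays.fill(storePass, '\0'); // clear the password from memory
        for (String alias : mismatched) {
            System.out.println("Key password differs from keystore password: " + alias);
        }
        if (mismatched.isEmpty()) {
            System.out.println("All key entries use the keystore password.");
        }
        System.exit(mismatched.isEmpty() ? 0 : 1);
    }
}
```

If an alias is reported, `keytool -keypasswd -alias <alias> -keystore <keystore>` changes that key's password so it can be set to match the keystore password.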