After making changes to use SSL for port 8443, OneClick client will not launch, and the tomcat log reports a series of exceptions in the log file

Feb 16, 2022 4:26:09 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot recover key
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:231)
  at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
 ... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:143)
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57)
  at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
  at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
  at java.security.KeyStore.getKey(KeyStore.java:1023)
  at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:352)
  at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
 ... 20 more

The error "Cannot recover key" indicates that the password specified for the keystore is incorrect or that the certificate contains a different password than the keystore.

Verify that the correct password for the cacerts keystore ($SPECROOT/custom/keystore/) was provided in tomcat's server.xml file as well as the WebTomcat server.xml file

$SPECROOT/tomcat/conf/server.xml

$SPECROOT/webtomcat/conf/server.xml

look for the keystorePass="" entry

and keypass= entry (if the key password is different than the keystore password)



Make sure that the passwords are correct.  If the passwords have changed or are incorrect they need to be updated in both server.xml files and then webtomcat and tomcat need to be cycled.

Alternatively the password to the key inside the cert can be changed to match the keystore password using this command:

keytool -keypasswd  -alias <key_name> -keystore my.keystore

If a different password was provided for the certificate (keystore password vs certificate password) then tomcat will have
  a problem trying to find/read the PrivateKey. In this case the certficate password should be changed using keytool to 
  match the keystore password.