SSL not working with Spectrum OneClick - Cannot recover key

Article ID: 234905


Products

CA Spectrum DX NetOps

Issue/Introduction


After changing the configuration to use SSL on port 8443, the OneClick client will not launch, and the Tomcat log file reports the following series of exceptions:

Feb 16, 2022 4:26:09 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot recover key
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:231)
  at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
 ... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:143)
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57)
  at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
  at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
  at java.security.KeyStore.getKey(KeyStore.java:1023)
  at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:352)
  at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
 ... 20 more

Cause


The error "Cannot recover key" indicates that the password specified for the keystore is incorrect, or that the private key entry (certificate) in the keystore is protected with a different password than the keystore itself.

Resolution


Verify that the correct password for the cacerts keystore ($SPECROOT/custom/keystore/) was provided in both Tomcat's server.xml file and the WebTomcat server.xml file:

$SPECROOT/tomcat/conf/server.xml

$SPECROOT/webtomcat/conf/server.xml


Look for the keystorePass="" entry

and the keyPass="" entry (present only if the key password is different from the keystore password)



Make sure that the passwords are correct. If the passwords have changed or are incorrect, they need to be updated in both server.xml files, and then WebTomcat and Tomcat need to be cycled (restarted).

Additional Information


If the private key entry (certificate) was stored with a password that differs from the keystore password, Tomcat will have a problem trying to find/read the PrivateKey. In this case the certificate (key entry) password should be changed using keytool to match the keystore password.
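An added example (not part of this article or of Spectrum) that reads the port 8443 Connector from both server.xml files and reports the two mismatches described above: a keyPass that differs from keystorePass, or credentials that differ between the tomcat and webtomcat copies. The two XML snippets are constructed samples, the attribute names are Tomcat's Connector attributes, and the parser mirrors Tomcat's behaviour of falling back to keystorePass when keyPass is absent.

```python
"""Check the two Spectrum server.xml files for consistent keystore credentials."""
import xml.etree.ElementTree as ET

# Constructed sample configs (not real Spectrum files). The webtomcat copy
# carries a keyPass that differs from keystorePass; if the key entry was in
# fact stored with the keystore password, Tomcat fails with "Cannot recover key".
TOMCAT_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="custom/keystore/cacerts" keystorePass="changeit"/>
</Service></Server>"""
WEBTOMCAT_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="custom/keystore/cacerts" keystorePass="changeit"
             keyPass="otherpw"/>
</Service></Server>"""


def connector_credentials(xml_text, port="8443"):
    """Return (keystoreFile, keystorePass, keyPass) for the SSL Connector on
    `port`, or None if there is none. Tomcat uses keystorePass for the key
    entry when keyPass is not set, so the same default is applied here."""
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == port and conn.get("SSLEnabled", "").lower() == "true":
            ks_pass = conn.get("keystorePass")
            return conn.get("keystoreFile"), ks_pass, conn.get("keyPass", ks_pass)
    return None


def find_mismatches(tomcat_xml, webtomcat_xml, port="8443"):
    """List findings; an empty list means both files agree on the keystore
    and neither uses a separate key password."""
    findings = []
    creds = {"tomcat": connector_credentials(tomcat_xml, port),
             "webtomcat": connector_credentials(webtomcat_xml, port)}
    for name, c in creds.items():
        if c is None:
            findings.append(f"{name}: no SSL Connector on port {port}")
        elif c[1] != c[2]:
            findings.append(f"{name}: keyPass differs from keystorePass; "
                            "align the key entry password with keytool")
    if None not in creds.values():
        for i, label in enumerate(("keystoreFile", "keystorePass", "keyPass")):
            if creds["tomcat"][i] != creds["webtomcat"][i]:
                findings.append(f"{label} differs between tomcat and webtomcat server.xml")
    return findings


if __name__ == "__main__":
    for line in find_mismatches(TOMCAT_XML, WEBTOMCAT_XML):
        print(line)
```

To run it against a live installation, pass the contents of $SPECROOT/tomcat/conf/server.xml and $SPECROOT/webtomcat/conf/server.xml instead of the constructed samples. The keytool subcommand that changes a key entry's password is `keytool -keypasswd -alias <alias> -keystore <file>`.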