SSL not working with Spectrum OneClick - Cannot recover key
search cancel

SSL not working with Spectrum OneClick - Cannot recover key

book

Article ID: 234905

calendar_today

Updated On:

Products

CA Spectrum

Issue/Introduction


After making changes to use SSL for port 8443, OneClick client will not launch, and stdout reports a series of exceptions in the log file

Feb 16, 2022 4:26:09 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:498)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot recover key
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:231)
  at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
 ... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:143)
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57)
  at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
  at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
  at java.security.KeyStore.getKey(KeyStore.java:1023)
  at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:352)
  at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
 ... 20 more

Environment

Release : 21.2

Component : Spectrum OneClick

Cause


The error "Cannot recover key" indicates that the password specified for the keystore is incorrect or that
   the certificate contains a different password than the keystore.

Resolution


Verify that the correct password for the cacerts keystore ($SPECROOT/custom/keystore/) was provided in tomcat's server.xml file.

$SPECROOT/tomcat/conf/server.xml
look for the keystorePass="" entry



Make sure that the password is correct.

This can also apply for webtomcat as well

$SPECROOT/webtomcat/conf/server.xml

Additional Information


If a different password was provided for the certificate (keystore password vs certificate password) then tomcat will have
  a problem trying to find/read the PrivateKey. In this case the certficate password should be changed using keytool to 
  match the keystore password.