After making changes to use SSL for port 8443, the OneClick client will not launch, and the Tomcat log file reports a series of exceptions:
Feb 16, 2022 4:26:09 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Cannot recover key
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:231)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:143)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:57)
at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:71)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:352)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more
The error "Cannot recover key" indicates that the password specified for the keystore is incorrect, or that the private key stored with the certificate is protected by a different password than the keystore.
Verify that the correct password for the cacerts keystore ($SPECROOT/custom/keystore/) was provided in Tomcat's server.xml file as well as in the WebTomcat server.xml file:
$SPECROOT/tomcat/conf/server.xml
$SPECROOT/webtomcat/conf/server.xml
In each file, look for the keystorePass="" entry and the keypass= entry (if the key password is different from the keystore password).
Make sure that the passwords are correct. If the passwords have changed or are incorrect, they need to be updated in both server.xml files, and then webtomcat and tomcat need to be cycled.
Alternatively, the password to the key inside the cert can be changed to match the keystore password using this command:
keytool -keypasswd -alias <key_name> -keystore my.keystore
If a different password was provided for the certificate (keystore password vs certificate password), then Tomcat will have a problem trying to find/read the PrivateKey. In this case the certificate password should be changed using keytool to match the keystore password.
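
To confirm which of the two passwords is wrong before editing server.xml or cycling Tomcat, the same KeyStore.getKey call seen in the stack trace can be repeated outside Tomcat. The following is an added example, not code from the product; the class name KeyPassCheck is hypothetical, and the passwords are prompted for so they do not end up in shell history.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added diagnostic (hypothetical helper, not shipped with the product).
// Usage: java KeyPassCheck <keystore file>
public class KeyPassCheck {

    // True when the private key under 'alias' can be recovered with keyPass.
    static boolean canRecover(KeyStore ks, String alias, char[] keyPass) throws Exception {
        try {
            return ks.getKey(alias, keyPass) != null;
        } catch (UnrecoverableKeyException e) {
            return false; // the "Cannot recover key" condition from the Tomcat log
        }
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 1 || con == null) {
            System.err.println("usage (interactive terminal): java KeyPassCheck <keystore file>");
            System.exit(2);
        }
        char[] storePass = con.readPassword("Keystore password (keystorePass): ");
        char[] keyPass = con.readPassword("Key password (Enter = same as keystore): ");
        // With no separate key password, the keystore password is tried for the key.
        if (keyPass == null || keyPass.length == 0) keyPass = storePass;

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // throws IOException if the keystore password is wrong
        }

        boolean allOk = true;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries carry no key password
            boolean ok = canRecover(ks, alias, keyPass);
            allOk &= ok;
            System.out.println(alias + ": " + (ok ? "key recovered" : "Cannot recover key"));
        }
        System.exit(allOk ? 0 : 1);
    }
}
```

An IOException from the load step points at the keystore password, while a "Cannot recover key" line for an alias points at a key password that differs from the value entered.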