search cancel

Admin UI error "Cannot recover key" after deploying a new certificate

book

Article ID: 255800

calendar_today

Updated On:

Products

SITEMINDER CA Single Sign-On CA Single Sign On Federation (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

SiteMinder admin tries to switch from a self-signed certificate, replacing with a certificate that is signed by a trusted Certificate Authority (CA).

After followed steps in "Obtain and Import a Trusted Certificate into the Administrative UI" from documentation, verified adminui_cert.p7b is imported into keyStore.jks.

Also verified adminui_cert.p7b includes the certificate chain (intermediate cert and rootCA cert).

However, Admin ui can not start, with server.log error:

2022-12-07 15:06:28,410 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SSLRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SSLRealm.key-manager: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1730)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
    at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
    ... 6 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:155)
    at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
    ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:141)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
    at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:473)
    at sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
    at java.security.KeyStore.getEntry(KeyStore.java:1521)
    at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:134)
    ... 11 more

Environment

Release : 12.8.04

Cause

When generating certificate request, the following command was run, and the password used is different from store default password.

keytool -genkey -alias jboss_key -keyalg RSA -keystore keyStore.jks -storepass changeit -v

When the private key password is different from store password, this will trigger the above admin ui error during starting.

Resolution

An easy fix will be changing the oldpassword key pass back to default value which is "changeit", by running:

keytool -keypasswd -new changeit -keystore keystore.jks -storepass changeit -alias jboss_key -keypass oldpassword

If this runs successfully, you will immediately notice the standalone-full.xml file updated with new password content. 

Check the following file, ensure the keyStorePassword and trustStorePassword are present as well.

Windows: standalone.conf.bat file
UNIX: standalone.conf file

Windows:
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

UNIX:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"

Other troubleshooting advice:

1. Use notepad to open adminui_cert.p7b file, it will not be readable, since this should be a binary file format. 

If you see content like below, it means you received a x509 PEM format cert, not in PKCS#7 (.p7b) format. Which have to be converted before "keytool -importcert".

-----BEGIN CERTIFICATE-----
MIIERT....

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIERT....

-----END CERTIFICATE-----

2. The signed certificate received has to be in PKCS#7 (.p7b) format. Common x509 PEM format will not work.  

How to convert a (PEM) X509 cert to PKCS#7 (.p7b) format?

3. The .P7B file was not being exported with whole certificate chain. The intermediate certificate needs to be imported as well if it was used.

Both tech notes explain the intermediate certificate requirement.

Error: "keytool error: java.lang.Exception: Failed to establish chain from reply" when importing signed certificates for DLP Enforce

AdminUI can't import certificate into store with error "Failed to establish chain from reply"

Additional Information

https://www.entrust.com/knowledgebase/ssl/how-do-i-convert-by-ssl-certificate-to-a-pkcs-7