A SiteMinder administrator is replacing the Administrative UI's self-signed certificate with a certificate signed by a trusted Certificate Authority (CA).
After following the steps in "Obtain and Import a Trusted Certificate into the Administrative UI" from the documentation, the administrator verified that adminui_cert.p7b was imported into keyStore.jks.
The administrator also verified that adminui_cert.p7b includes the certificate chain (intermediate certificate and root CA certificate).
However, the Admin UI cannot start, and server.log shows the following error:
YYYY-MM-DD 15:06:28,410 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-7) MSC000001: Failed to start service org.wildfly.core.management.security.realm.SSLRealm.key-manager: org.jboss.msc.service.StartException in service org.wildfly.core.management.security.realm.SSLRealm.key-manager: Failed to start service
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1730)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:173)
at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:131)
at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:89)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
... 6 more
Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:155)
at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:169)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:315)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:141)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:473)
at sun.security.provider.KeyStoreDelegator.engineGetEntry(KeyStoreDelegator.java:172)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetEntry(JavaKeyStore.java:70)
at java.security.KeyStore.getEntry(KeyStore.java:1521)
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:134)
... 11 more
Release: 12.8.04
When the certificate request was generated, the following command was run, and the key password entered at the keytool prompt was different from the keystore's default password.
keytool -genkey -alias jboss_key -keyalg RSA -keystore keyStore.jks -storepass changeit -v
When the private key password differs from the keystore password, the Admin UI fails at startup with the error above: the key manager opens keyStore.jks with the store password only and uses that same password to recover the jboss_key private key, which the JKS key protector rejects (java.security.UnrecoverableKeyException: Cannot recover key).
An easy fix is to change the key password (oldpassword in the command below) back to the default value, "changeit", by running:
keytool -keypasswd -new changeit -keystore keyStore.jks -storepass changeit -alias jboss_key -keypass oldpassword
If the command succeeds, you will immediately notice that the standalone-full.xml file has been updated with the new password content.
Then check the following file and make sure the keyStorePassword and trustStorePassword settings are present as well:
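To make the cause concrete, here is an added Python model of the per-entry protection that sun.security.provider.KeyProtector applies to a JKS private key (this is not SiteMinder's or the JDK's code, and it omits the PKCS#8 DER wrapper around the protected bytes): every key entry is XOR-encrypted and check-summed under its own key password, so recovering it with a store password that differs from that key password fails the check exactly as in the stack trace, and `keytool -keypasswd` simply re-protects the key under the new password. The key bytes used below are a constructed placeholder, not real key material.

```python
import hashlib
import os

SALT_LEN = DIGEST_LEN = 20  # the JKS KeyProtector uses SHA-1: 20-byte salt, 20-byte check digest


class UnrecoverableKeyError(Exception):
    """Stands in for java.security.UnrecoverableKeyException('Cannot recover key')."""


def _pw_bytes(password):
    return password.encode("utf-16-be")  # Java hashes the password chars as UTF-16BE

def _xor_stream(pw, salt, length):
    # d0 = salt, d_i = SHA1(pw || d_(i-1)); the digests concatenated form the XOR key stream
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def protect(plain_key, password, salt=None):
    """Model of KeyProtector.protect: salt || (key XOR stream) || SHA1(pw || key)."""
    pw = _pw_bytes(password)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    enc = bytes(a ^ b for a, b in zip(plain_key, _xor_stream(pw, salt, len(plain_key))))
    return salt + enc + hashlib.sha1(pw + plain_key).digest()

def recover(protected, password):
    """Model of KeyProtector.recover: the check digest matches only under the key's own password."""
    pw = _pw_bytes(password)
    salt, enc, check = protected[:SALT_LEN], protected[SALT_LEN:-DIGEST_LEN], protected[-DIGEST_LEN:]
    plain = bytes(a ^ b for a, b in zip(enc, _xor_stream(pw, salt, len(enc))))
    if hashlib.sha1(pw + plain).digest() != check:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain

def key_recoverable(protected, password):
    # True when the key manager would be able to open the entry with this password
    try:
        recover(protected, password)
        return True
    except UnrecoverableKeyError:
        return False

def change_key_password(protected, old_password, new_password):
    """What `keytool -keypasswd` does: recover under the old key password, re-protect under the new one."""
    return protect(recover(protected, old_password), new_password)

FAKE_KEY = b"constructed-sample-key-bytes, not real key material"  # constructed placeholder
```

With `blob = protect(FAKE_KEY, "oldpassword")`, `key_recoverable(blob, "changeit")` is False (the Admin UI failure) and becomes True after `change_key_password(blob, "oldpassword", "changeit")`.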
Windows: standalone.conf.bat file
UNIX: standalone.conf file
Windows:
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.keyStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStorePassword=changeit"
set "JAVA_OPTS=%JAVA_OPTS% -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
UNIX:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true"
Other troubleshooting advice:
1. Open the adminui_cert.p7b file in Notepad. It should not be readable, because a .p7b file is expected to be in binary format.
If instead you see content like the following, you received X.509 certificates in PEM format, not in PKCS#7 (.p7b) format, and they must be converted before running "keytool -importcert":
-----BEGIN CERTIFICATE-----
MIIERT....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIERT....
-----END CERTIFICATE-----
2. The signed certificate received has to be in PKCS#7 (.p7b) format; the common X.509 PEM format will not work.
How to convert a (PEM) X509 cert to PKCS#7 (.p7b) format?
3. The .p7b file was not exported with the whole certificate chain. If an intermediate certificate was used for signing, it must be included and imported as well.
The tech note below explains the intermediate certificate requirement.
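As an added example covering points 1 to 3 above (not code from the original tech note), the following Python classifies a received certificate file as PEM or binary DER, decodes the certificates it carries so a missing intermediate shows up as a count of one, and wraps them into the degenerate PKCS#7 SignedData structure that a .p7b file holds. The sample PEM input is constructed from placeholder DER blobs, not real certificates.

```python
import base64
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def classify(data):
    """'pem' for PEM certificate blocks, 'der' if the file starts with a DER SEQUENCE (binary .p7b/.cer)."""
    if PEM_CERT.search(data):
        return "pem"
    return "der" if data[:1] == b"\x30" else "unknown"

def pem_certs(data):
    # Decode every PEM block to DER; the count shows whether the chain (leaf + intermediate) is present
    return [base64.b64decode(b"".join(m.split())) for m in PEM_CERT.findall(data)]

def der_tlv(tag, body):
    # Minimal DER encoder: tag byte, definite length, body
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    # Base-128 OID encoding, first two arcs packed into one byte
    p = [int(x) for x in dotted.split(".")]
    body = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = bytearray([v & 0x7F])
        v >>= 7
        while v:
            chunk.insert(0, 0x80 | (v & 0x7F))
            v >>= 7
        body += chunk
    return der_tlv(0x06, bytes(body))

def pem_to_pkcs7(data):
    """Wrap all certs into a degenerate PKCS#7 SignedData (no signers, no CRLs), i.e. .p7b content."""
    certs = pem_certs(data)
    if not certs:
        raise ValueError("no PEM certificates found")
    signed_data = der_tlv(0x30, der_tlv(0x02, b"\x01")                # version 1
                          + der_tlv(0x31, b"")                          # digestAlgorithms: empty SET
                          + der_tlv(0x30, der_oid("1.2.840.113549.1.7.1"))  # encapContentInfo: id-data
                          + der_tlv(0xA0, b"".join(certs))              # [0] IMPLICIT certificates
                          + der_tlv(0x31, b""))                         # signerInfos: empty SET
    return der_tlv(0x30, der_oid("1.2.840.113549.1.7.2") + der_tlv(0xA0, signed_data))

# Constructed sample: two placeholder DER blobs in PEM wrappers standing in for leaf + intermediate
FAKE_LEAF = der_tlv(0x30, der_tlv(0x02, b"\x01"))
FAKE_INTERMEDIATE = der_tlv(0x30, der_tlv(0x02, b"\x02"))
SAMPLE_PEM = b"".join(b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(c) + b"-----END CERTIFICATE-----\n"
                      for c in (FAKE_LEAF, FAKE_INTERMEDIATE))
```

In practice the same conversion is `openssl crl2pkcs7 -nocrl -certfile chain.pem -out adminui_cert.p7b`, and `keytool -printcert -file adminui_cert.p7b` then lists every certificate in the bundle so you can confirm the intermediate is present before importing.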