Unable to run catalog on SSL, entry in keystore is "trustedCertEntry" with the error: Alias name [xxxxxxxx] does not identify a key entry

Article ID: 272718

Products

CA Service Catalog

Issue/Introduction

Unable to access the Service Catalog URL on SSL port 8443.

The following errors appear in the servicecatalog.log file:

INFO   | jvm 1    | 2023/08/29 11:32:05 | SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
INFO   | jvm 1    | 2023/08/29 11:32:05 | org.apache.catalina.LifecycleException: Protocol handler initialization failed
INFO   | jvm 1    | 2023/08/29 11:32:05 |     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1050)

INFO   | jvm 1    | 2023/08/29 11:32:05 | Caused by: java.lang.IllegalArgumentException: Alias name [xxxxxxxx] does not identify a key entry
INFO   | jvm 1    | 2023/08/29 11:32:05 |     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
INFO   | jvm 1    | 2023/08/29 11:32:05 |     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
INFO   | jvm 1    | 2023/08/29 11:32:05 |     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235) 

Environment

Service Catalog: 17.3RU22 

Cause

This error occurs when the alias named in server.xml does not identify a private-key entry in the keystore: either the alias does not exist in the keystore at all (for example, the alias in server.xml and the one in the keystore do not match), or the alias exists but holds only a trusted certificate rather than a private key.

Resolution

First, verify that the alias name exists in the keystore used for the SSL configuration and that it is the right kind of entry.

1) List the entries in the keystore, with their details, using keytool:

keytool is located in USM_HOME\embedded\jdk\bin

Launch a command prompt from that location and run:

keytool -v -list -keystore "C:\temp\CASM-SSL-Configurator-17.3.2\casm.keystore"

(If you use a keystore file other than casm.keystore, substitute its path.)

2) The output shows the number of entries in the keystore and, for each entry, its alias name and entry type.

3) If the entry for your alias shows "Entry type: trustedCertEntry", the SSL connector cannot be established, because such an entry holds only a certificate; the alias must be a PrivateKeyEntry, which holds the private key together with its certificate chain.

4) A trustedCertEntry cannot be turned into a PrivateKeyEntry in place, because the private key is not in the keystore. Instead, create a new keystore from the PKCS12 (.pfx) bundle that contains the private key and its certificate chain:

keytool -importkeystore -srckeystore newcertbundle.pfx -srcstoretype PKCS12 -srcstorepass mypass -deststorepass mypass -destkeypass mypass -destkeystore newkeystore.jks

This creates newkeystore.jks, which can then be used for the SSL configuration. (The passwords shown as mypass are placeholders: use the password of your PFX for the source store and choose passwords for the new keystore and key.)

5) The imported entry keeps the alias it had in the PFX, which is often long; rename it to the alias you want with the following command:

keytool -changealias -alias "your-very-very-long-alias" -destalias "new-alias" -keystore "/path/to/keystore"

After the rename, run the keytool -list command from step 1 again to confirm that the alias now appears as a PrivateKeyEntry, make sure the alias configured in server.xml matches it exactly, and then restart the services; CA Service Catalog should then be reachable over SSL.
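As an added check (not part of this article or the product), the following Python script reads saved "keytool -v -list" output together with a server.xml fragment and reports whether the alias referenced by the 8443 connector exists and is a PrivateKeyEntry, which is the condition behind the "does not identify a key entry" error. The keytool output and server.xml are constructed samples, and the keyAlias attribute is the standard Tomcat one (an assumption about how the product's server.xml names it).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `keytool -v -list` output (not taken from the article).
KEYTOOL_OUTPUT = """\
Alias name: rootca
Entry type: trustedCertEntry

Alias name: casm
Entry type: PrivateKeyEntry
"""

# Constructed server.xml fragment; keyAlias is the standard Tomcat attribute
# (assumption: the product's real server.xml may differ).
SERVER_XML = """\
<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="C:/temp/casm.keystore" keyAlias="CASM"/>
</Service></Server>
"""

def parse_keytool_entries(text):
    # Map each alias in `keytool -v -list` output to its entry type.
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1).strip()
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias is not None:
            # Java keystores treat aliases case-insensitively, so normalise.
            entries[alias.lower()] = m.group(1)
            alias = None
    return entries

def configured_alias(server_xml, port="8443"):
    # Return the keyAlias of the connector listening on `port`, or None.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("port") == port:
            return conn.get("keyAlias")
    return None

def check_alias(keytool_text, server_xml, port="8443"):
    # Mirrors the check behind "Alias name [...] does not identify a key entry".
    alias = configured_alias(server_xml, port)
    entry_type = parse_keytool_entries(keytool_text).get((alias or "").lower())
    if entry_type is None:
        return f"alias [{alias}] not found in keystore (name mismatch)"
    if entry_type != "PrivateKeyEntry":
        return f"alias [{alias}] is {entry_type}; a PrivateKeyEntry is required"
    return f"alias [{alias}] is a PrivateKeyEntry: OK"
```

Redirect the real "keytool -v -list" output to a file and pass its contents, and the product's server.xml, to check_alias to see which of the three cases applies before editing the keystore.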

Additional Information

https://stackoverflow.com/questions/3483121/how-to-change-the-alias-of-a-key-within-a-keystore