"Cannot recover key" UnrecoverableKeyException when configuring Gemfire ssl
Article ID: 294431

Products

VMware Tanzu Gemfire

Issue/Introduction

When you generate a key whose key password (-keypass) differs from the keystore password (-storepass), starting a locator with SSL configured fails with the exception listed below:

"java.security.UnrecoverableKeyException: Cannot recover key"

For example, a keystore generated with the following command:
keytool -genkey -keyalg RSA -validity 90 -keysize 2048 -alias gemfireclient -keystore clientcerts.jks -storepass keystorepassword -keypass keypassword -dname "CN=Test, OU=Digital, O=OSample, L=LSample, S=SSample, C=US"
produces this exception when the locator process starts:
Exception in thread "main" org.apache.geode.GemFireConfigException: Error configuring GemFire ssl
at org.apache.geode.internal.net.SocketCreator.initialize(SocketCreator.java:354)
at org.apache.geode.internal.net.SocketCreator.<init>(SocketCreator.java:268)
at org.apache.geode.internal.net.SocketCreatorFactory.createSSLSocketCreator(SocketCreatorFactory.java:105)
at org.apache.geode.internal.net.SocketCreatorFactory.getSSLSocketCreator(SocketCreatorFactory.java:79)
at org.apache.geode.internal.net.SocketCreatorFactory.getOrCreateSocketCreatorForSSLEnabledComponent(SocketCreatorFactory.java:95)
at org.apache.geode.internal.net.SocketCreatorFactory.getSocketCreatorForComponent(SocketCreatorFactory.java:70)
at org.apache.geode.distributed.internal.tcpserver.TcpClient.<init>(TcpClient.java:74)
at org.apache.geode.cache.client.internal.locator.wan.LocatorMembershipListenerImpl.<init>(LocatorMembershipListenerImpl.java:57)
at org.apache.geode.cache.client.internal.locator.wan.WANFactoryImpl.createLocatorMembershipListener(WANFactoryImpl.java:64)
at org.apache.geode.internal.cache.wan.WANServiceProvider.createLocatorMembershipListener(WANServiceProvider.java:67)
at org.apache.geode.distributed.internal.InternalLocator.<init>(InternalLocator.java:468)
at org.apache.geode.distributed.internal.InternalLocator.createLocator(InternalLocator.java:259)
at org.apache.geode.distributed.internal.InternalLocator.startLocator(InternalLocator.java:301)
at org.apache.geode.distributed.LocatorLauncher.start(LocatorLauncher.java:641)
at org.apache.geode.distributed.LocatorLauncher.run(LocatorLauncher.java:549)
at org.apache.geode.distributed.LocatorLauncher.main(LocatorLauncher.java:191)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:1011)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.apache.geode.internal.net.SocketCreator.getKeyManagers(SocketCreator.java:553)
at org.apache.geode.internal.net.SocketCreator.createAndConfigureSSLContext(SocketCreator.java:393)
at org.apache.geode.internal.net.SocketCreator.initialize(SocketCreator.java:351)
... 15 more
Environment

Product Version: Other

Resolution

The key entry is protected by its own password (-keypass), and that password is required to recover the entry. JSSE provides no system property for supplying a separate key password, so a Java process such as a GemFire locator with SSL enabled has only the keystore password (-storepass) to offer, and uses it when recovering the key entry (KeyManagerFactory.init calling KeyStore.getKey in the trace above). If the keystore password differs from the key password, that call throws:

"java.security.UnrecoverableKeyException: Cannot recover key".

The solution is therefore to use the same password for the key (-keypass) as for the keystore (-storepass).
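The following shell script is an added example and is not part of this article or of GemFire itself. It reproduces the mismatch with keytool, provides a pre-flight check that asks the same question JSSE asks at locator start (can the private key be recovered with the store password?), and aligns the key password in place with keytool -keypasswd so the key pair does not have to be regenerated. The alias and passwords are constructed values taken from the command above; -storetype JKS is forced because a PKCS12 keystore (the keytool default since JDK 9) ignores a -keypass that differs from -storepass, so the problem only arises with JKS stores. A JDK keytool on PATH is assumed.

```shell
#!/bin/sh
# Added example, not from the KB article or the GemFire project.
# Assumes a JDK `keytool` on PATH. Alias and passwords are constructed values.
# -storetype JKS is forced: PKCS12 stores ignore a -keypass that differs
# from -storepass, so the mismatch can only be created in a JKS store.

# Generate a JKS keystore; key and store passwords may differ.
# $1 = keystore path, $2 = alias, $3 = store password, $4 = key password
make_keystore() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -validity 90 \
    -alias "$2" -keystore "$1" -storetype JKS \
    -storepass "$3" -keypass "$4" \
    -dname "CN=Test, OU=Digital, O=OSample, L=LSample, S=SSample, C=US" \
    </dev/null >/dev/null 2>&1
}

# Pre-flight check: is the private key recoverable with the store password?
# This mirrors what KeyManagerFactory.init does, since it only receives one
# password. Producing a CSR requires the private key, so keytool exits
# non-zero with "Cannot recover key" when the passwords differ. stdin is
# closed so keytool can never fall back to an interactive password prompt.
# $1 = keystore path, $2 = alias, $3 = store password
key_recoverable() {
  keytool -certreq -alias "$2" -keystore "$1" -storetype JKS \
    -storepass "$3" -keypass "$3" </dev/null >/dev/null 2>&1
}

# Fix in place: change the key password to the store password. The key pair,
# certificate and alias are unchanged, so nothing has to be re-issued.
# $1 = keystore path, $2 = alias, $3 = store password, $4 = current key password
align_key_password() {
  keytool -keypasswd -alias "$2" -keystore "$1" -storetype JKS \
    -storepass "$3" -keypass "$4" -new "$3" </dev/null >/dev/null 2>&1
}

# Walk through the failure and the fix on a throwaway keystore.
demo() {
  dir=$(mktemp -d) || return 1
  ks="$dir/clientcerts.jks"
  make_keystore "$ks" gemfireclient keystorepassword keypassword || return 1
  if key_recoverable "$ks" gemfireclient keystorepassword; then
    echo "unexpected: key recoverable before the fix"; return 1
  fi
  echo "before fix: locator start would fail with UnrecoverableKeyException"
  align_key_password "$ks" gemfireclient keystorepassword keypassword || return 1
  key_recoverable "$ks" gemfireclient keystorepassword || return 1
  echo "after fix: key recoverable with the store password; safe to start the locator"
  rm -rf "$dir"
}

# Run the walkthrough only when keytool is available.
command -v keytool >/dev/null 2>&1 && demo
```

Run key_recoverable against the keystore named in ssl-keystore before starting a locator or server; a non-zero exit means the locator would fail exactly as in the trace above, and align_key_password repairs the store without touching the certificate chain.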