Problem
If the key password is wrong, an error message will be logged for the runnable:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-23456"]
java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:496)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:649)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:597)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:526)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:471)
... 18 more
Solution
Provide the correct keystore password using the connector.https.keyPass configuration parameter.
By default, the loadbalancer runnable is set to allow both unencrypted HTTP (port 80) and encrypted HTTPS (port 443) access. In order to use TLS (formerly SSL), the certificate must match the load balancer's host name. Otherwise, client connections, in particular web browser connections, will fail because the certificate is treated as invalid.
Obtaining a valid certificate
If you want to use TLS, you need a valid certificate for the server on which the load balancer is running. This certificate must be signed by a certificate authority (CA). Make sure that the certificate is compatible with the Java version of each ARIS client.
You can buy a certificate from an official CA. Most clients, in particular browsers, will trust certificates signed by such a CA.
If your company runs its own CA, use a certificate issued by this CA and add this CA to the trust store of all clients.
Adding a valid certificate to the load balancer
Your certificate must contain two parts:
The private key, used to encrypt information sent back to the client (file extension .key).
The server certificate (file extension .crt).
Put the *.key file and the *.crt file into a ZIP archive.
Copy this ZIP file to a local directory that can be accessed by ARIS Cloud Controller (ACC).
Stop the loadbalancer runnable. Enter, for example: stop loadbalancer_m
Enter the ACC command enhance loadbalancer_<s, m, or l> with sslCertificate local file "<path to the ZIP file>"
Example: enhance loadbalancer_m with sslCertificate local file "c:\\temp\\lbcert.zip".
If the path contains blanks or special characters, you must put it in quotes and use double backslashes instead of single backslashes. Alternatively, use single forward slashes, for example: "c:/temp/lbcert.zip".
Start the loadbalancer runnable again. Enter, for example: start loadbalancer_m
The SSL certificate is now available.
If an ARIS client cannot connect to servers using TLS, you need to provide an additional certificate (see: Basic Troubleshooting Guide).