HTTPS connection fails (SSL) - wrong key password

Problem

If the key password is wrong, an error message will be logged for the runnable:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-23456"]
java.io.IOException: Cannot recover key
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:496)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:649)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:1023)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:597)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:526)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:471)
    ... 18 more

Solution

Provide the correct key password using the connector.https.keyPass configuration parameter.
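To see why a wrong key password ends in exactly this exception, the following added Python example (not part of this article or of the ARIS product) re-implements the per-key protection scheme that sun.security.provider.KeyProtector applies inside a JKS keystore: a SHA-1 keystream derived from the password and a salt, plus a SHA-1 check value that only the right password reproduces. The ASN.1 EncryptedPrivateKeyInfo wrapper that the real keystore puts around this blob is omitted, and the key bytes and passwords used to exercise it are constructed for the demonstration.

```python
import hashlib
import os

DIGEST_LEN = 20  # SHA-1 output length; the salt has the same length
SALT_LEN = 20

def _password_bytes(password):
    # KeyProtector stores every password character as two big-endian bytes
    return password.encode("utf-16-be")

def _keystream(passwd, salt, length):
    # Chain SHA-1(password || previous digest), seeded with the salt, until
    # enough bytes exist to XOR the whole encoded private key.
    stream, digest = b"", salt
    while len(stream) < length:
        digest = hashlib.sha1(passwd + digest).digest()
        stream += digest
    return stream[:length]

def protect_key(plain_key, password, salt=None):
    """Protect plain_key the way a JKS store does when a key entry is added."""
    passwd = _password_bytes(password)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    xored = bytes(p ^ k for p, k in zip(plain_key, _keystream(passwd, salt, len(plain_key))))
    check = hashlib.sha1(passwd + plain_key).digest()  # password/integrity check value
    return salt + xored + check

def recover_key(protected, password):
    """Undo protect_key; mirrors what KeyProtector.recover() does on KeyStore.getKey()."""
    if len(protected) < SALT_LEN + DIGEST_LEN:
        raise ValueError("protected blob too short")
    passwd = _password_bytes(password)
    salt = protected[:SALT_LEN]
    xored = protected[SALT_LEN:-DIGEST_LEN]
    stored_check = protected[-DIGEST_LEN:]
    plain = bytes(c ^ k for c, k in zip(xored, _keystream(passwd, salt, len(xored))))
    # A wrong key password yields garbage here; the check value detects it, and
    # this is the point where Java raises UnrecoverableKeyException("Cannot recover key").
    if hashlib.sha1(passwd + plain).digest() != stored_check:
        raise ValueError("Cannot recover key")
    return plain

def key_password_is_valid(protected, password):
    """Pre-start check for connector.https.keyPass: True if the password unlocks the key."""
    try:
        recover_key(protected, password)
        return True
    except ValueError:
        return False
```

The keystore password guards a separate integrity hash over the whole file and fails earlier with a different message, so "Cannot recover key" points specifically at the key password rather than the keystore password.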

By default, the loadbalancer runnable allows both unencrypted HTTP (port 80) and encrypted HTTPS (port 443) access. In order to use TLS (formerly SSL), the certificate must match the load balancer's host name. Otherwise, client connections, in particular web browser connections, will fail due to an invalid certificate.

Obtaining a valid certificate

If you want to use TLS, you need a valid certificate for the server on which the load balancer is running. This certificate must be signed by a certificate authority (CA). Please make sure that the certificate is compatible with the Java version of each ARIS client.

Adding a valid certificate to the load balancer

Your certificate consists of two parts, a *.key file and a *.crt file. To add it to the load balancer:

  1. Put the *.key file and the *.crt file into a ZIP archive.

  2. Copy this ZIP file to a local directory that can be accessed by ARIS Cloud Controller (ACC).

  3. Start ARIS Cloud Controller (ACC).

  4. Stop the loadbalancer runnable. Enter, for example: stop loadbalancer_m

  5. Enter the ACC command enhance loadbalancer_<s, m, or l> with sslCertificate local file "<path to the ZIP file>"

    Example: enhance loadbalancer_m with sslCertificate local file "c:\\temp\\lbcert.zip".

    If the path contains blanks or special characters, you must put it in quotes and use a double backslash instead of a single backslash. Alternatively, use single forward slashes, for example: "c:/temp/lbcert.zip".

  6. Start the loadbalancer runnable again. Enter, for example: start loadbalancer_m

The SSL certificate is now available.

If an ARIS client cannot connect to servers using TLS, you need to provide an additional certificate (see: Basic Troubleshooting Guide).