Problem
If the key password is wrong, an error message like the following is logged for the runnable:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-23456"]
java.io.IOException: Cannot recover key
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:496)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:649)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
at java.security.KeyStore.getKey(KeyStore.java:1023)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:597)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:526)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:471)
... 18 more
Solution
By default, Apache Tomcat uses changeit as both the keystore password and the key password. If you follow the general recommendation, your keystore and key should have different passwords. If you only set the key password, Apache Tomcat also uses it as the keystore password. Only if the key and keystore passwords differ must you set both parameters.
The stack trace above is specific to a wrong key password: the keystore itself was opened, but the private key entry could not be decrypted (java.security.UnrecoverableKeyException from the JKS KeyProtector). If the keystore password were wrong, the keystore would not load at all and the log would show "Keystore was tampered with, or password was incorrect" instead. Check which of the two messages you see before deciding which parameter to change.
Follow this procedure to change the key and keystore passwords.
Procedure
Start ARIS Cloud Controller (ACC) on your ARIS Publisher Server.
ARIS Cloud Controller can be used in multiple modes.
To start ACC under a Windows operating system, click Start > All Programs > ARIS > Administration > Start ARIS Cloud Controller. If you have changed the agent user credentials, you must enter the user name and/or the password.
To start ACC under a Linux operating system, execute the acc10.sh shell script instead. To do so, enter: su -c acc10.sh aris10.
Enter: stop businesspublisher_<s, m, or l>
The runnable will be stopped.
Enter: reconfigure businesspublisher_<s, m, or l> connector.https.keyPass=<key password> connector.https.keystorePass=<keystore password>
For example: reconfigure businesspublisher_m connector.https.keyPass="g3h31m" connector.https.keystorePass="g3h31m3r"
In this example, the quotes are not strictly necessary; they are required for strong passwords that contain special characters. The values must be the passwords that are actually set in the keystore file: reconfigure only tells the runnable which passwords to use and does not change the keystore itself.
Enter: start businesspublisher_<s, m, or l>
The key and keystore passwords are set.
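The procedure above only tells the runnable which passwords to use; the JKS file must already hold those passwords, otherwise the next start fails with the trace shown under Problem. The following shell helpers are an added example, not part of the ARIS documentation or product: tls_error_cause reads a runnable log from stdin and reports which setting the TLS start-up failure points at, matching on the standard JDK and Tomcat messages for each case, and rotate_jks_passwords changes the key and keystore passwords inside the keystore with keytool so that they match the values you pass to reconfigure. The page documents only the keyPass and keystorePass parameters; the "alias" and "keystoreFile" results are my own labels for the other two failure modes, and the keystore path, alias and passwords are placeholders you supply.

```shell
#!/bin/sh
# Added example, not ARIS product code. tls_error_cause needs only POSIX sh;
# rotate_jks_passwords needs keytool from a JDK.

# tls_error_cause: read a runnable log (e.g. catalina.out) from stdin and print which
# setting the TLS start-up failure points at. The matched texts are the standard
# JDK (sun.security.provider.JavaKeyStore) and Tomcat messages for each failure.
tls_error_cause() {
    log=$(cat)
    case "$log" in
        *"Cannot recover key"*)
            # UnrecoverableKeyException: the keystore opened, the key entry password is wrong
            echo "keyPass" ;;
        *"Keystore was tampered with, or password was incorrect"*)
            # thrown while loading the keystore: the keystore password is wrong
            echo "keystorePass" ;;
        *"does not identify a key entry"*)
            # Tomcat found no private-key entry under the configured alias
            echo "alias" ;;
        *"FileNotFoundException"*|*"NoSuchFileException"*)
            # keystore path wrong or file unreadable
            echo "keystoreFile" ;;
        *)
            echo "unknown" ;;
    esac
}

# rotate_jks_passwords <keystore> <alias> <old storepass> <old keypass> <new storepass> <new keypass>
# Changes both passwords inside a JKS keystore so that they match the values you pass to
# "reconfigure ... connector.https.keyPass=... connector.https.keystorePass=...".
# reconfigure alone only tells Tomcat which passwords to try; it never changes the file.
# (JKS only: a PKCS12 keystore expects key and keystore password to be identical.)
rotate_jks_passwords() {
    ks=$1; ks_alias=$2; old_sp=$3; old_kp=$4; new_sp=$5; new_kp=$6
    # Key password first, while the old keystore password still opens the file.
    keytool -keypasswd -keystore "$ks" -storepass "$old_sp" \
        -alias "$ks_alias" -keypass "$old_kp" -new "$new_kp" || return 1
    keytool -storepasswd -keystore "$ks" -storepass "$old_sp" -new "$new_sp" || return 1
    # Verify with the new values: -list needs the keystore password, and -certreq can only
    # sign a CSR if the key entry is recoverable with the key password (the same code
    # path that fails with "Cannot recover key" at runnable start-up).
    csr=$(mktemp) || return 1
    keytool -list -keystore "$ks" -storepass "$new_sp" -alias "$ks_alias" >/dev/null &&
        keytool -certreq -keystore "$ks" -storepass "$new_sp" -alias "$ks_alias" \
            -keypass "$new_kp" -file "$csr" >/dev/null
    rc=$?
    rm -f "$csr"
    return "$rc"
}
```

Typical use: pipe the runnable's log into tls_error_cause to confirm it really is the key password (and not the keystore password) that is wrong, run rotate_jks_passwords against the keystore file with the old and new values, then issue the reconfigure command with the same new values, quoted if they contain special characters.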
By default, the loadbalancer runnable is set to allow both unencrypted HTTP (port 80) and encrypted HTTPS (port 443) access. In order to use TLS (formerly SSL), the certificate must be issued for the host name that clients use to reach the load balancer. Otherwise, client connections, in particular web browser connections, will fail due to an invalid certificate.
Obtaining a valid certificate
If you want to use TLS, you need a valid certificate for the server on which the load balancer is running. This certificate must be signed by a certificate authority (CA). Please make sure that the certificate is compatible with the Java version of all ARIS clients.
You can buy a certificate from an official CA. Most clients in particular browsers will trust certificates signed by such a CA.
If your company uses its own CA, use a certificate from this CA and add this CA to the trust store of all clients.
Adding a valid certificate to the load balancer
The ZIP archive must contain two files:
The private key belonging to the server certificate (file extension .key). It is used in the TLS handshake to prove the load balancer's identity, so keep it confidential.
The server certificate (file extension .crt).
Put the *.key file and the *.crt file into a ZIP archive.
Copy this ZIP file to a local directory that can be accessed by ARIS Cloud Controller (ACC).
Stop the loadbalancer runnable. Enter, for example: stop loadbalancer_m
Enter the ACC command enhance loadbalancer_<s, m, or l> with sslCertificate local file "<path to the ZIP file>"
Example: enhance loadbalancer_m with sslCertificate local file "c:\\temp\\lbcert.zip".
If the path contains blanks or special characters, you must put it in quotes and use a double backslash instead of a single backslash. Alternatively, use single forward slashes, for example: "c:/temp/lbcert.zip".
Start the loadbalancer runnable again. Enter, for example: start loadbalancer_m
The TLS certificate is available to the load balancer.
If ARIS clients cannot connect to servers using TLS, you need to provide an additional certificate (see the Basic Troubleshooting Guide).
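The enhance command accepts any ZIP archive; a key that does not belong to the certificate, or a certificate issued for the wrong host name, only shows up later as certificate errors in the browser. The following shell helper is an added example, not part of the ARIS documentation or of the load balancer: it checks with openssl that the .key and .crt belong together, that the certificate is valid for the load balancer's host name and that it has not expired, and then packages the two files. It assumes an unencrypted PEM private key and a flat archive layout (both files at the top level of the ZIP), which the page does not spell out; server.key, server.crt, lbcert.zip and lb.example.com are placeholders, and make_test_pair produces constructed self-signed test data only, not a certificate a real load balancer should use.

```shell
#!/bin/sh
# Added example (not ARIS code): sanity-check a .key/.crt pair for the load balancer
# and package it as the ZIP that "enhance loadbalancer_<s, m, or l> with sslCertificate" expects.
# Needs openssl 1.1.1 or newer (for -addext in the test data) and, for packaging, zip.

# check_cert_pair <server.key> <server.crt> <load balancer host name>
# Returns 0 only if the key matches the certificate, the certificate is valid for
# the host name and it has not expired.
check_cert_pair() {
    key=$1; crt=$2; host=$3
    # 1. The public key inside the certificate must equal the one derived from the
    #    private key. Assumes an unencrypted key; an encrypted key makes openssl pkey fail.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$crt_pub" != "$key_pub" ]; then
        echo "private key does not belong to certificate $crt" >&2
        return 1
    fi
    # 2. Browsers verify the host name against subjectAltName (CN only as fallback).
    if ! openssl x509 -in "$crt" -noout -checkhost "$host" | grep -q "does match certificate"; then
        echo "certificate is not valid for host $host" >&2
        return 1
    fi
    # 3. Not expired: -checkend 0 exits non-zero once notAfter has passed.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired" >&2
        return 1
    fi
    return 0
}

# make_lb_zip <server.key> <server.crt> <out.zip>
# Flat archive with just the two files (assumed layout; the page only says "put both files
# into a ZIP archive"). Run check_cert_pair first.
make_lb_zip() {
    key=$1; crt=$2; out=$3
    command -v zip >/dev/null || { echo "zip is not installed" >&2; return 1; }
    zip -j "$out" "$key" "$crt"
}

# make_test_pair <dir> <host>
# Constructed test data: a self-signed key/certificate pair for trying the checks offline.
# A production load balancer needs a CA-signed certificate, as described above.
make_test_pair() {
    dir=$1; host=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}
```

Run check_cert_pair with the host name exactly as it appears in the URL your clients use; if it reports a mismatch, the certificate must be reissued for that name before you run enhance, since the load balancer cannot fix the name later.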