HTTPS connection fails (SSL) - wrong keystore password (ARIS Publisher)

Problem

If the keystore password is wrong, an error message will be logged for the runnable:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-23456"]
java.io.IOException: Keystore was tampered with, or password was incorrect
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:429)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:328)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:586)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:526)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:471)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:649)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
    ... 25 more

Solution

Provide the correct keystore password using the connector.https.keystorePass configure parameter.

By default, Apache Tomcat™ uses changeit as both the keystore and the key password. If you follow the general recommendation, your keystore should have different passwords. If you only set the key password, Apache Tomcat™ also uses it as the keystore password. You must set both parameters only if the key and keystore passwords differ.

Follow this procedure to change the key and keystore passwords.

Procedure

  1. Start ARIS Cloud Controller on your ARIS Publisher Server.

    ARIS Cloud Controller can be used in multiple modes.

    To start ACC under a Windows operating system click Start > All Programs > ARIS > Administration > Start ARIS Cloud Controller. If you have changed agent user credentials you must enter the user name and/or the password.

    To start ACC under a Linux operating system, execute the acc10.sh shell script instead. To do so, enter: su -c acc10.sh aris10.

  2. Enter: stop businesspublisher_<s, m, or l>

    The runnable will be stopped.

  3. Enter: reconfigure businesspublisher_<s, m, or l> connector.https.keyPass=<key password> connector.https.keystorePass=<keystore password>

    For example: reconfigure businesspublisher_m connector.https.keyPass="g3h31m" connector.https.keystorePass="g3h31m3r"

    In this example quotes are not strictly necessary. Quotes are necessary for strong passwords containing special characters.

  4. Enter: start businesspublisher_<s, m, or l>

The key and keystore passwords are set.
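
The integrity check behind the "Keystore was tampered with, or password was incorrect" message, as an added example (not ARIS or Apache Tomcat code), usable to confirm a keystore password offline before passing it to reconfigure. The function names and the empty sample keystore are constructed for illustration; the check covers the JKS format shown in the stack trace only and does not verify the key password (keyPass).

```python
import getpass
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into every JKS integrity hash
DIGEST_LEN = 20                 # SHA-1 digest stored as the file's last 20 bytes


def keyed_digest(password: str, body: bytes) -> bytes:
    # Password is hashed as two bytes per char (UTF-16BE), then the salt, then the body.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def check_jks_password(store: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'tampered-or-wrong-password'."""
    if len(store) < 12 + DIGEST_LEN:
        return "not-jks"
    magic, version, _entries = struct.unpack(">III", store[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        return "not-jks"
    body, stored = store[:-DIGEST_LEN], store[-DIGEST_LEN:]
    # One digest covers password and content, so the two causes are indistinguishable.
    if hmac.compare_digest(keyed_digest(password, body), stored):
        return "ok"
    return "tampered-or-wrong-password"


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a version-2 JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + keyed_digest(password, body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Path to a copy of the keystore file; the password is prompted, not passed as an argument.
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
        secret = getpass.getpass("Keystore password: ")
    else:
        data, secret = build_empty_jks("g3h31m3r"), "g3h31m3r"
    print(check_jks_password(data, secret))
```

Because a single keyed digest covers both the password and the file content, a corrupted or truncated keystore file produces the same log message as a mistyped password.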
