Keytool error: java.security.UnrecoverableKeyException: Cannot recover key

Problem

EUM service fails to start with the following error in the EUM server log:

29 Jan 2018 12:02:32.842 +0000 main dropwizard.ServerCommand ERROR
| Unable to start server, shutting down
| MultiException[java.security.UnrecoverableKeyException: Cannot recover key, java.security.UnrecoverableKeyException: Cannot recover key, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.util.thread.NonBlockingThread

Analysis

The password for the key-store specified in the EUM property is incorrect or it does not match the private key password. For EUM SSL implementation, the key-store password and the private key password must be the same. 

Solution

Ensure that the password for the keystore and the private key match, and are specified in the eum.properties file.

To change the private key password using the keytool command:

1. Take a backup of the EUM keystore.
2. Run the following command:

<Path to JAVA/bin>/keytool -keypasswd -alias [Alias name for private key] -keystore [path to key store]

3. Ensure that the new key password is the same as the key-store password. Verify the same password is being specified in the eum.properties file as well.
4. Restart EUM after making these changes.

How to check if keystore is using a separate password for PRIVATEKEY VS KEYSTORE

Products

CA Cloud Test Mobile CA Application Test

Issue/Introduction

When validating SASL-SCRAM using an SSL connection, we get the following error:

initializing Key Store
Error: Error accessing key null + in keystore: Cannot recover key


============================================================================
| Exception: 
============================================================================
| Message:     Error accessing key null + in keystore: Cannot recover key
----------------------------------------------------------------------------
| Trapped Exception: Cannot recover key
| Trapped Message:   java.security.UnrecoverableKeyException: Cannot recover key
----------------------------------------------------------------------------
STACK TRACE
java.security.UnrecoverableKeyException: Cannot recover key
 at sun.security.provider.KeyProtector.recover(Unknown Source)
 at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
 at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
 at sun.security.provider.KeyStoreDelegator.engineGetKey(Unknown Source)
 at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(Unknown Source)
 at java.security.KeyStore.getKey(Unknown Source)
 at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
 at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
 at javax.net.ssl.KeyManagerFactory.init(Unknown Source)

Cause

The keystore had different passwords for PRIVATEKEY and KEYSTORE which is not currently supported.

Please run the command below and check if you see 2 entries similar to the one shown below.
(A trustedcertentry and a PrivateKeyEntry)

C:\Program Files\CA\DevTest>.\jre\bin\keytool.exe -keystore D:\CA\DevTest_10.5\certs\dev.kafka.truststore.jks -storepass <enter keystore password> -list

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Feb 3, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 66:F7:ED:8A:05:C5:F6:93:28:83:A6:B8:28:DC:6A:9F:1A:67:6A:93
jetty, Feb 3, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): F5:30:09:E1:D0:A3:DA:2C:2D:A8:BC:BA:CD:47:42:AE:B7:D3:5B:9D

Environment

DEVTEST 10.5 10.6

Component : CA Service Virtualization

Resolution

Change the Keystore to use the same password for the PRIVATEKEY and the KEYSTORE.
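
The keytool -list output shows that a PrivateKeyEntry exists, but not whether its password differs from the keystore password. The following is an added example, not code from either article above: it loads the keystore and tries to recover each private key with the keystore password, which separates the two causes of "Cannot recover key". The class name KeyPasswordCheck and the STOREPASS environment variable are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Added example: reports key entries whose password differs from the keystore password.
public class KeyPasswordCheck {
    public static void main(String[] args) throws Exception {
        // STOREPASS is a name assumed for this example; reading it from the
        // environment keeps the password out of the process argument list.
        String env = System.getenv("STOREPASS");
        if (args.length != 1 || env == null) {
            System.err.println("usage: STOREPASS=<keystore password> java KeyPasswordCheck <keystore>");
            System.exit(2);
        }
        char[] storePass = env.toCharArray();

        // "JKS" matches the "Keystore type: jks" shown by keytool -list.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // A wrong keystore password fails here, at load time, as an
            // IOException whose cause is UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.err.println("Keystore password is incorrect: " + e.getMessage());
                System.exit(1);
            }
            throw e;
        }

        int mismatched = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trustedCertEntry has no key password
            try {
                ks.getKey(alias, storePass);
                System.out.println(alias + ": key password matches keystore password");
            } catch (UnrecoverableKeyException e) {
                // Same exception as in the stack trace, raised by KeyStore.getKey().
                System.out.println(alias + ": key password DIFFERS from keystore password");
                mismatched++;
            }
        }
        System.exit(mismatched == 0 ? 0 : 1);
    }
}
```

Any alias reported as differing is the one to pass to keytool -keypasswd, after taking a backup of the keystore.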
