Problem
The EUM service fails to start with the following error in the EUM server log:
29 Jan 2018 12:02:32.842 +0000 main dropwizard.ServerCommand ERROR | Unable to start server, shutting down | MultiException[java.security.UnrecoverableKeyException: Cannot recover key, java.security.UnrecoverableKeyException: Cannot recover key, java.util.concurrent.RejectedExecutionException: org.eclipse.jetty.util.thread.NonBlockingThreadAnalysis
The password for the key-store specified in the EUM property is incorrect or it does not match the private key password. For EUM SSL implementation, the key-store password and the private key password must be the same.
Solution
Ensure that the password for the keystore and the private key match, and are specified in the eum.properties file.
To change the private key password using the keytool command:
1. Take a backup of the EUM keystore.
2. Run the following command:
3. Ensure that the new key password is the same as the key-store password. Verify that the same password is specified in the eum.properties file as well.
4. Restart EUM after making these changes.
How to check if keystore is using a separate password for PRIVATEKEY VS KEYSTORE
Products
CA Cloud Test Mobile CA Application Test
Issue/Introduction
When validating SASL-SCRAM over an SSL connection, we get an error initializing the key store:
Error: Error accessing key null + in keystore: Cannot recover key
============================================================================
| Exception:
============================================================================
| Message: Error accessing key null + in keystore: Cannot recover key
----------------------------------------------------------------------------
| Trapped Exception: Cannot recover key
| Trapped Message: java.security.UnrecoverableKeyException: Cannot recover key
----------------------------------------------------------------------------
STACK TRACE
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source)
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
    at sun.security.provider.KeyStoreDelegator.engineGetKey(Unknown Source)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(Unknown Source)
    at java.security.KeyStore.getKey(Unknown Source)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
    at javax.net.ssl.KeyManagerFactory.init(Unknown Source)
Cause
The keystore had different passwords for PRIVATEKEY and KEYSTORE which is not currently supported.
Please run the command below and check if you see 2 entries similar to the one shown below.
(A trustedcertentry and a PrivateKeyEntry)
C:\Program Files\CA\DevTest>.\jre\bin\keytool.exe -keystore D:\CA\DevTest_10.5\certs\dev.kafka.truststore.jks -storepass <enter keystore password> -list
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Feb 3, 2020, trustedCertEntry,
Certificate fingerprint (SHA1): 66:F7:ED:8A:05:C5:F6:93:28:83:A6:B8:28:DC:6A:9F:1A:67:6A:93
jetty, Feb 3, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): F5:30:09:E1:D0:A3:DA:2C:2D:A8:BC:BA:CD:47:42:AE:B7:D3:5B:9D
Environment
DEVTEST 10.5 10.6
Component : CA Service Virtualization
Resolution
Change the Keystore to use the same password for the PRIVATEKEY and the KEYSTORE
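The keytool listing above shows which entries exist, but not whether a private key is protected with a password different from the keystore password. The following is an added example, not code from the vendor or from this article: it opens the keystore with the store password and then tries to recover every key entry with that same password, which is the KeyStore.getKey call that fails in the stack trace. The class name KeyPasswordCheck is hypothetical, and the keystore is assumed to be of type JKS as in the listing.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Collections;

// Added example: reports key entries whose password differs from the store password.
public class KeyPasswordCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java KeyPasswordCheck <keystore.jks>");
            System.exit(2);
        }
        // Prompt for the password instead of taking it as an argument, so it
        // stays out of shell history and the process list.
        char[] storePass = console.readPassword("Keystore password: ");
        if (storePass == null) System.exit(2); // input closed before a password was entered
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS, as in the listing
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // integrity check uses the store password
        } catch (IOException e) {
            System.err.println("Cannot open keystore (wrong store password, missing or damaged file): "
                    + e.getMessage());
            System.exit(2);
        }
        int mismatches = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate entry, no key password");
                continue;
            }
            try {
                // Same call that fails in the stack trace: KeyStore.getKey
                ks.getKey(alias, storePass);
                System.out.println(alias + ": OK, key password matches the store password");
            } catch (UnrecoverableKeyException e) {
                mismatches++;
                System.out.println(alias + ": MISMATCH, key password differs from the store password");
            }
        }
        Arrays.fill(storePass, '\0'); // wipe the password from memory
        System.exit(mismatches == 0 ? 0 : 1); // exit code 1 if any key entry mismatches
    }
}
```

Run it against a backup copy of the keystore; it only reads the file and never modifies it.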