IS Error message 'Cannot recover key'

Using IS_9.6_Core_Fix4

I have been trying to configure certificate and keystore information on our IS, but now I keep getting the following error message:

Successfully loaded properties file into memory


found key for : ssos
chain [0] = [
[
Version: V3
Subject: CN=ssos, OU=default, O=sag, C=DE


java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:328
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)

I've removed the ssos certificate reference from the keystore.jks but get the same error message of 'Cannot recover key'.

The original keystore/truststore information did work successfully, including another certificate that I added. However, I've now added an additional truststore and get this error. Setting the keystore and truststore back to the one that worked, or to the original, no longer works.

Any suggestions?

Hi Colin,

What is the purpose of these truststores/keystores?

If it is for HTTPS transport, put all base CA certificates (if necessary; usually they are already contained in the cacerts file of the JVM) and all intermediate CA certificates in one single JKS truststore file and use this one in IS.

Use “Clear SSL Cache” after modifying any of these stores to get them reloaded in JVM memory.

Regards,
Holger

Hi Holger

Thanks for getting back to me

For one client I need to add a certificate in IS and put that private key into the keystore.jks. This worked successfully, sending them information using pub.client:http.

Another client provided us with a crt and ca file, which I imported into a jks on a test system, producing a trusted certificate. This appeared to work, but when I generated a separate truststore for a further client the error messages started to appear. I've not been able to resolve why it's happened.

I've tried what you suggested but still get the same message.

Regards
Colin

Hi Colin,

Can you share screenshots of your keystore configuration screen, the certificates configuration screen (for the client certificates as well) and the outbound passwords screen?

Might it be that your master password for outbound passwords has expired?

Sounds like something has gone wrong during configuration.

Regards,
Holger

Hi Holger

I know that the outbound password had expired but didn't think that mattered?!

I've attached a collection of screenshots showing the various parts of the configuration and hope this is sufficient information.

Regards
Colin

Hi Colin,

Usually the truststore should contain all intermediate CAs which are not part of cacerts.

Make sure to specify -trustcacerts when importing/adding new CA certificates to the truststore.
Remember to clear the SSL cache after reloading the new truststore file.

Each server certificate or client certificate should have its own keystore as their private keys might have different passwords. Additionally each keystore should only contain one private key.

Can you modify your stores accordingly and try again?

Regards,
Holger
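Holger's point about private keys carrying different passwords is what the stack trace in the first post reflects: KeyProtector.recover() throws 'Cannot recover key' when the password it is handed is not the one the key entry was protected under, which is what happens when one JKS holds keys with differing key passwords. The following is an added illustration, not code from this thread or from webMethods: the JKS key-protection scheme of sun.security.provider.KeyProtector re-implemented in Python, with the key bytes and passwords being constructed sample values.

```python
import hashlib
import os

SALT_LEN = 20    # JKS KeyProtector salt length
DIGEST_LEN = 20  # SHA-1 output length

class UnrecoverableKeyError(Exception):
    """Stand-in for java.security.UnrecoverableKeyException."""

def _passwd_bytes(password):
    # KeyProtector stores each char as two bytes, high byte first (UTF-16BE).
    return password.encode("utf-16-be")

def _keystream(passwd, salt, length):
    # digest_i = SHA1(passwd || digest_{i-1}) with digest_0 = salt, chained until long enough.
    out, prev = b"", salt
    while len(out) < length:
        prev = hashlib.sha1(passwd + prev).digest()
        out += prev
    return out[:length]

def protect_key(plain_key, password, salt=None):
    """Mirror of KeyProtector.protect(): salt || (key XOR stream) || SHA1(passwd || key)."""
    passwd = _passwd_bytes(password)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    encrypted = bytes(a ^ b for a, b in zip(plain_key, _keystream(passwd, salt, len(plain_key))))
    return salt + encrypted + hashlib.sha1(passwd + plain_key).digest()

def recover_key(protected, password):
    """Mirror of KeyProtector.recover(): the stored digest is checked against the decrypted key."""
    passwd = _passwd_bytes(password)
    salt, encrypted = protected[:SALT_LEN], protected[SALT_LEN:-DIGEST_LEN]
    plain_key = bytes(a ^ b for a, b in zip(encrypted, _keystream(passwd, salt, len(encrypted))))
    # A wrong password gives garbage plaintext, so the integrity digest cannot match.
    if hashlib.sha1(passwd + plain_key).digest() != protected[-DIGEST_LEN:]:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain_key

def can_open_with(protected, password):
    """True when this password unlocks the key entry, False when it was protected under another."""
    try:
        recover_key(protected, password)
        return True
    except UnrecoverableKeyError:
        return False

if __name__ == "__main__":
    entry = protect_key(bytes(range(48)), "key-secret")  # constructed key blob, not a real key
    print(can_open_with(entry, "key-secret"), can_open_with(entry, "store-secret"))  # True False
```

The second call is the situation IS ends up in when the keystore password is used on an entry whose key password differs, which is why one private key per keystore avoids the error.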

Hi Holger

Thanks for your suggestion, that seems to have resolved the problem. I rebuilt the keystores and truststores and the error message has gone.

Regards
Colin