users@glassfish.java.net

Re: PWC5330: Alias name serveralias does not identify a key entry

From: Jan Luehe <Jan.Luehe_at_Sun.COM>
Date: Wed, 04 Apr 2007 09:33:11 -0700

Legolas,

Legolas Woodland wrote On 04/03/07 11:46 PM,:

> Hi
> Thank you for reading my post.
> I am trying to import a cert into keystore and another cert into
> cacerts of glassfish.
>
> -run the application server, enable the ssl and give a nickname like
> serveralias
> -execute some commands to import keys into stores like :
>
> \domains\d6>keytool -import -keypass adminadmin -storepass changeit
> -file E:\certs\server.der -alias serveralias -keystore keystore.jks
>
> and another command to import caCert like :
> \domains\d6>keytool -import -keypass adminadmin -storepass changeit
> -file E:\certs\ca.der -alias serveralias -keystore cacerts.jks
>
>
>
> I should say that I have signed the server.der using cacert.
> What i want to do is:
>
>
>
>
>
>
> Now when I try to start the application server it returns something
> like:
>
>
> CORE5071: An error occured during initialization
> com.sun.appserv.server.ServerLifecycleException: WEB0105: An error
> occurred while starting the web container
> at com.sun.enterprise.web.PEWebContainer.startInstance
> (PEWebContainer.java:751)
> at
> com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:71)
> at
> com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:332)
>
> at
> com.sun.enterprise.server.ondemand.OnDemandServer.onStartup(OnDemandServer.java:112)
> at com.sun.enterprise.server.PEMain.run(PEMain.java:326)
> at com.sun.enterprise.server.PEMain.main(PEMain.java :260)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke
> (DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at com.sun.enterprise.server.PELaunch.main(PELaunch.java:272)
> Caused by: LifecycleException: PWC3985: Protocol handler
> initialization failed: java.io.IOException: PWC5330: Alias name
> serveralias does not identify a key entry
> at
> org.apache.coyote.tomcat5.CoyoteConnector.initialize(CoyoteConnector.java:1592)
> at
> com.sun.enterprise.web.connector.coyote.PECoyoteConnector.initialize
> (PECoyoteConnector.java:760)
> at org.apache.catalina.startup.Embedded.start(Embedded.java:921)
> at
> com.sun.enterprise.web.WebContainer.start(WebContainer.java:853)
> at com.sun.enterprise.web.PEWebContainer.startInstance
> (PEWebContainer.java:742)
> ... 10 more
>
>
>
>
>
> Can you tell me what is wrong?
>

Keystores have 2 types of entries: key entries and certificate
entries. A "key entry" contains a private key and supporting
certificate chain for its corresponding public key, whereas a
"certificate entry" contains a single certificate for a trusted public
key.

Your server (HTTPS listener) must have a keystore entry of type
"key entry", because it must use its private key to digitally sign a
challenge, and append its supporting certificate chain to the signed
challenge, in order to authenticate itself to the client during an SSL
handshake.

It looks like in your case, the keystore entry identified by
"serveralias" is of type "certificate entry", when it should be of
type "key entry". Looks like "E:\certs\server.der" contains a
single certificate?

Normally, you create a private/public keypair ("key entry") in your
keystore, export its public key in the form of a self-signed certificate,
have the public key certified by a CA, and reimport the CA-signed
public key (and supporting certificate chain) into your "key entry",
where it replaces the self-signed cert.


Jan


>
>
> Make sure that the server does not respond to anyone who does not have a
> certification signed with my own CA.
> I think, if I have a cacert file containing just my own CA
> certification then glassfish will only accept clients with
> certification signed with that CA certification.
>
> let me know what you think about my procedure
>
>
>
>
>
>
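The distinction Jan draws (a "key entry" holding the private key and its chain versus a "certificate entry" holding one trusted certificate) is exactly what `keytool -list` reports per alias, and what PWC5330 is complaining about. The script below is an added example, not code from this thread or from GlassFish: it classifies an alias from `keytool -list` output, and wraps the key-pair / CSR / CA-reply sequence Jan describes in two functions. It assumes `keytool` from a JDK on the PATH, the store password `changeit` and the alias `serveralias` from the post; the CA alias `myca`, the distinguished name, the file paths and the second entry `s1as` in the constructed listing are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from GlassFish.
# Assumes: JDK keytool on PATH; store and key password "changeit";
# alias "serveralias" as in the post; "myca" and the file paths are placeholders.

# entry_type ALIAS
# Reads `keytool -list` output on stdin and prints "key", "cert",
# "unknown" or "missing". keytool prints one summary line per entry:
#     <alias>, <date>, <type>,
# where <type> is "PrivateKeyEntry" (older JDKs print "keyEntry") for a
# key entry and "trustedCertEntry" for a certificate entry.
entry_type() {
    awk -v a="$1" '
        $0 ~ ("^" a ", ") {
            found = 1
            if ($0 ~ /PrivateKeyEntry|keyEntry/)  print "key"
            else if ($0 ~ /trustedCertEntry/)     print "cert"
            else                                  print "unknown"
            exit
        }
        END { if (!found) print "missing" }
    '
}

# keystore_entry_type KEYSTORE STOREPASS ALIAS
# The same check against a real keystore file. "cert" for the alias the
# HTTPS listener is configured with is the condition behind PWC5330.
keystore_entry_type() {
    keytool -list -keystore "$1" -storepass "$2" | entry_type "$3"
}

# make_key_entry KEYSTORE STOREPASS ALIAS CSR_FILE
# Step 1 of the procedure in the reply: generate the private/public key pair
# under ALIAS (this is what makes it a key entry) and export a CSR for the CA.
make_key_entry() {
    keytool -genkey -alias "$3" -keyalg RSA -keysize 2048 \
        -dname "CN=localhost, O=Example" \
        -keystore "$1" -storepass "$2" -keypass "$2"
    keytool -certreq -alias "$3" -file "$4" -keystore "$1" -storepass "$2"
}

# install_ca_reply KEYSTORE STOREPASS ALIAS CA_CERT CA_REPLY
# Steps 2-3: import the CA certificate as a trusted (certificate) entry under
# its own alias, then import the CA-signed certificate into the key entry,
# where it replaces the self-signed certificate. keytool builds the chain from
# the CA entry imported first.
install_ca_reply() {
    keytool -import -noprompt -alias myca -file "$4" \
        -keystore "$1" -storepass "$2"
    keytool -import -alias "$3" -file "$5" \
        -keystore "$1" -storepass "$2" -keypass "$2"
}

# Constructed `keytool -list` output mirroring the post: "serveralias" was
# created by importing a bare certificate, so it is a trustedCertEntry;
# "s1as" is a constructed example of a proper key entry.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

serveralias, Apr 4, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
s1as, Apr 4, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# classify_sample ALIAS -- runs entry_type on the constructed listing.
classify_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | entry_type "$1"
}

# Stand-alone run (needs no keytool): shows why "serveralias" fails.
for a in serveralias s1as; do
    printf '%s: %s entry\n' "$a" "$(classify_sample "$a")"
done
```

Against a real store, `keystore_entry_type keystore.jks changeit serveralias` printing `cert` reproduces the situation in the post; after `make_key_entry`, the CA signing the CSR, and `install_ca_reply`, the same call prints `key`. The CA certificate imported into `cacerts.jks` is correctly a certificate entry, since that store only holds trust anchors and never needs a private key.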