users@glassfish.java.net

Re: Installation/asadmin create-domain -- keytool gives error

From: Mark Martin <storycrafter_at_gmail.com>
Date: Sat, 23 Jun 2007 13:53:23 -0500

Kedar,

Thanks for the suggestions. I was able to much more narrowly define the
problem -- here's where I'm at so far.

Upgrading to JDK 1.6 made no difference.
Passing along the -DDebug option made it easy to follow the keytool
processing chain. Invoking the commands manually produces the same error.

# /usr/jdk/jdk1.6.0_01/jre/bin/keytool -genkey -keyalg RSA -keystore
/downloads/glassfish/domains/domain1/config/keystore.jks -alias s1as -dname
"CN=radagast2.saga.internal,OU=Sun Java System Application Server,O=Sun
Microsystems,L=Santa Clara,ST=California,C=US" -validity 3650 -keypass
changeit -storepass changeit -J-Dsun.security.internal.keytool.skid
# /usr/jdk/jdk1.6.0_01/jre/bin/keytool -export -keystore
/downloads/glassfish/domains/domain1/config/keystore.jks -alias s1as -file
/downloads/glassfish/domains/domain1/config/s1as.cer
Enter keystore password:
Certificate stored in file
</downloads/glassfish/domains/domain1/config/s1as.cer>
# /usr/jdk/jdk1.6.0_01/jre/bin/keytool -v -import -noprompt -keystore
/downloads/glassfish/domains/domain1/config/cacerts -alias s1as -file
/downloads/glassfish/domains/domain1/config/s1as.cer
Enter keystore password:
keytool error: java.security.SignatureException: Signature does not match.
java.security.SignatureException: Signature does not match.
        at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:446)
        at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:389)
        at sun.security.tools.KeyTool.addTrustedCert(KeyTool.java:1915)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:814)
        at sun.security.tools.KeyTool.run(KeyTool.java:171)
        at sun.security.tools.KeyTool.main(KeyTool.java:165)


Interestingly, if I change the key algorithm to DSA, it works as expected.
I see that the signing algorithm was changed from MD5withRSA to SHA1withRSA
in JDK 1.6 (http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6560733).
This does little to explain why I was having the issue with 1.5_06, though.

I will continue to play with keytool and find out why it is unable to verify
signatures when using the RSA key algorithm (or SHA1withRSA signing) on 2
different sparc Solaris 10 boxen with 3 different JDK versions.

Thanks,
Mark

On 6/22/07, glassfish_at_javadesktop.org <glassfish_at_javadesktop.org> wrote:
>
> Hmm. Strange.
> May I suggest:
>
> - upgrading to latest JDK.
> - modifying asadmin script to pass -DDebug to the java command. That will
> give us more clues
> about what is going wrong.
>
> Thanks,
> Kedar
> [Message sent by forum member 'km' (km)]
>
> http://forums.java.net/jive/thread.jspa?messageID=223582


-- 
------------------------------------------------------
Born to the false world, the wanderer,
Storyteller, The Pied Piper
On a quest for immortality
Gathering a troop to find the fantasy
-- Nightwish
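
A diagnostic for the failing import step in the message above, added here as an example and not part of the original e-mail or of GlassFish: it repeats the self-signature check that the stack trace shows keytool making in X509CertImpl.verify, once for each installed security provider that offers the certificate's signature algorithm, so a failure limited to one provider stands out. The class name VerifySelfSigned is an assumption; run it with the exported s1as.cer as its only argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper, not part of the JDK or GlassFish.
public class VerifySelfSigned {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java VerifySelfSigned <certificate file>");
            System.exit(2);
        }
        X509Certificate cert;
        InputStream in = new FileInputStream(args[0]);
        try {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        } finally {
            in.close();
        }
        String sigAlg = cert.getSigAlgName();
        System.out.println("Subject:       " + cert.getSubjectX500Principal());
        System.out.println("Key algorithm: " + cert.getPublicKey().getAlgorithm());
        System.out.println("Signature alg: " + sigAlg);
        if (!cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            System.err.println("Issuer differs from subject: not self-signed.");
            System.exit(2);
        }
        int failures = 0;
        for (Provider p : Security.getProviders()) {
            // Skip providers that do not implement this signature algorithm.
            if (p.getService("Signature", sigAlg) == null) continue;
            try {
                // The check keytool makes on import, pinned to one provider.
                cert.verify(cert.getPublicKey(), p.getName());
                System.out.println(p.getName() + ": signature verifies");
            } catch (GeneralSecurityException e) {
                failures++;
                System.out.println(p.getName() + ": FAILED (" + e + ")");
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```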