users@glassfish.java.net

keystore containing entry with password different from master password?

From: <glassfish_at_javadesktop.org>
Date: Fri, 20 Mar 2009 04:53:18 PDT

Hi,

I'm trying to put an entry into the glassfish keystore.jks which has a password different from the keystore one. I've tried to generate the entry via keytool -genkeypair as well as to import it from an external PKCS12 keystore file via -importkeystore. If the entry password is the same as the keystore one, everything works perfectly. When it differs or is changed by -keypasswd, the following exception occurs:

[#|2009-03-20T12:31:45.125+0100|WARNING|sun-appserver9.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=1f19c3e4-d96a-402e-ad36-5f21db1a4b0e;|java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.sun.enterprise.server.PELaunch.main(PELaunch.java:412)
Caused by: java.lang.ExceptionInInitializerError
        at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
        at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
        at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:101)
        at com.sun.enterprise.server.PEMain.run(PEMain.java:401)
        at com.sun.enterprise.server.PEMain.main(PEMain.java:338)
        ... 5 more
Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
        ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
        at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
        at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
        ... 10 more
|#]


From Kumar's blog http://weblogs.java.net/blog/kumarjayanti/archive/2007/11/ssl_and_crl_che.html it seems there are some limitations which prevent having glassfish entries with their own passwords in a single keystore. Does someone know more details of it? I also wonder why glassfish tries to access non-system entries in the keystore during startup ...
[Message sent by forum member 'cigorin' (cigorin)]

http://forums.java.net/jive/thread.jspa?messageID=338118