users@glassfish.java.net

Re: Clean install, import key help requested *2nd*

From: Lance Raymond <lraymond_at_weatherflow.com>
Date: Thu, 29 Oct 2009 13:52:36 -0400

Update (nothing good), but I'm still reading more on the keytool functions. I
did change the password to changeit and restarted, but I do get that error.

keytool -list -v -storepass changeit -keystore keystore.jks

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries

No need to copy/paste all, but it does show the keystore.jks file password
change worked. The error on the server is still the same:

Caused by: java.lang.IllegalStateException:
java.security.UnrecoverableKeyException: Cannot recover key
    at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
    ... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key


So I don't think my thought was accurate. I am still reading; maybe import
from the .cert file, etc., but man, I thought I had it!

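The error above is a different one from the earlier "Keystore was tampered with" failure: with the store password now set to changeit the keystore opens, but the private key entries inside it were created under the old password, and GlassFish's SSLUtils opens each private key with the same master password it used for the store (the "storepass and keypass must be the same" point Derek makes further down the thread). The following Java program is an added example, not GlassFish code and not anything posted in this thread. It loads a JKS keystore with a given store password, reports for every alias whether it is a PrivateKeyEntry and whether its key can be recovered with that password, and, when given the old key password, re-protects the mismatched entries so that keypass equals storepass (the same effect as running keytool -keypasswd per alias). The class name, argument order and the JKS assumption are mine.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/*
 * Added example, not GlassFish code. Assumes a JKS keystore and a server that
 * opens the store AND every private key with one password (the master
 * password, "changeit" after a fresh install). Hypothetical invocation:
 *   java KeystoreKeyPassCheck keystore.jks changeit              # report only
 *   java KeystoreKeyPassCheck keystore.jks changeit <oldkeypass> # also re-key
 */
public class KeystoreKeyPassCheck {

    /** One row of the report: what keytool -list -v shows, plus the key check. */
    static final class AliasReport {
        final String alias;
        final boolean keyEntry;   // PrivateKeyEntry (true) vs trustedCertEntry
        final int chainLength;    // 0 for a trustedCertEntry
        final boolean keyOpens;   // getKey(alias, storePass) succeeded

        AliasReport(String alias, boolean keyEntry, int chainLength, boolean keyOpens) {
            this.alias = alias; this.keyEntry = keyEntry;
            this.chainLength = chainLength; this.keyOpens = keyOpens;
        }
    }

    /** Opens the store; a wrong store password raises the "tampered with" IOException. */
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** For each alias, try to recover the private key with the store password. */
    static List<AliasReport> inspect(KeyStore ks, char[] storePass) throws Exception {
        List<AliasReport> rows = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            boolean keyEntry = ks.isKeyEntry(alias);
            Certificate[] chain = ks.getCertificateChain(alias);
            boolean opens = false;
            if (keyEntry) {
                try {
                    opens = ks.getKey(alias, storePass) != null;
                } catch (UnrecoverableKeyException e) {
                    opens = false;  // keypass differs from storepass: the thread's failure
                }
            }
            rows.add(new AliasReport(alias, keyEntry, chain == null ? 0 : chain.length, opens));
        }
        return rows;
    }

    /**
     * Re-protects every key entry whose key password is oldKeyPass so that it
     * matches storePass. Returns the number of entries changed; throws if
     * oldKeyPass is wrong as well.
     */
    static int rekey(KeyStore ks, char[] storePass, char[] oldKeyPass) throws Exception {
        int changed = 0;
        for (AliasReport r : inspect(ks, storePass)) {
            if (!r.keyEntry || r.keyOpens) continue;
            Key key = ks.getKey(r.alias, oldKeyPass);
            ks.setKeyEntry(r.alias, key, storePass, ks.getCertificateChain(r.alias));
            changed++;
        }
        return changed;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreKeyPassCheck <keystore.jks> <storepass> [oldkeypass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        KeyStore ks = load(args[0], storePass);
        int broken = 0;
        for (AliasReport r : inspect(ks, storePass)) {
            String type = r.keyEntry ? "PrivateKeyEntry" : "trustedCertEntry";
            String state = !r.keyEntry ? "n/a" : r.keyOpens ? "ok" : "CANNOT RECOVER KEY";
            System.out.printf("%-12s %-16s chain=%d key=%s%n", r.alias, type, r.chainLength, state);
            if (r.keyEntry && !r.keyOpens) broken++;
        }
        if (broken > 0 && args.length > 2) {
            int n = rekey(ks, storePass, args[2].toCharArray());
            try (OutputStream out = new FileOutputStream(args[0])) {
                ks.store(out, storePass);  // rewrites the file in place
            }
            System.out.println("re-keyed " + n + " entries to the store password");
            broken = 0;
        }
        System.exit(broken == 0 ? 0 : 1);
    }
}
```

Run it against a copy of keystore.jks first, since the re-key path overwrites the file. An alias that reports CANNOT RECOVER KEY is the one SSLUtils trips over at startup. Separately, the alias you set as the certificate nickname has to show as a PrivateKeyEntry with a non-zero chain length; a trustedCertEntry under that alias (the s1as problem noted further down) carries no private key for the listener to use.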

On Thu, Oct 29, 2009 at 11:20 AM, Lance Raymond <lraymond_at_weatherflow.com> wrote:

> Man, I appreciate all the typing! Actually most of that does make sense,
> not working, but my question relates to that keystore.jks file. When I use
> keytool to check it, it asks for a password. That password is not the
> changeit default.
>
> So I did a clean install, works fine, admin console, etc. I stop
> glassfish;
> Rename keystore.jks keystore.jks.original.
> Copy the backup one to that location
> (/var/lib/glassfishv2/domains/domain1/config) and restart and it fails with
> the same error in that massive log
>
> Caused by: java.lang.IllegalStateException: Keystore was tampered with,
> or password was incorrect
>
> Now what I am trying to see is how do I tell glassfish to use this password
> for the keystore.jks file, --or-- how do I change the keystore.jks password
> to changeit. It simply seems that when glassfish goes to access that file,
> it thinks the pw is changeit, can't load it and fails, as the error is exactly
> the same if I issue this;
> keytool -list -v -keystore keystore.jks -storepass changeit
> keytool error: java.io.IOException: Keystore was tampered with, or
> password was incorrect
>
> But if I issue the new password, I do get the 3 aliases;
>
> keytool -list -v -keystore keystore.jks
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
>
> Alias name: wfgfcert
> Creation date: Sep 23, 2009
> Entry type: PrivateKeyEntry
>
> Alias name: root
> Creation date: Sep 23, 2009
> Entry type: trustedCertEntry
> Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>
> Alias name: slas
>
> Creation date: Oct 28, 2009
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
>
> So it seems I think I know what's going on, and there are probably 2 ways to
> fix it: change the password in the keystore file I made to changeit, or tell
> glassfish to use the new file but use my new password.
>
> Thanks again
>
>
> On Thu, Oct 29, 2009 at 1:50 AM, <bamoss_at_sceats.com> wrote:
>
>> Hi Lance,
>>
>> I'm not 100% clear what you did here.
>>
>> What I was trying to communicate was to delete the s1as alias from the
>> existing keystore (since it is only a cert not a key) and to generate a new
>> s1as alias as a keypair in the existing keystore, so that your keystore
>> contains your chained PrivateKeyEntry (wgfcert) and the new s1as
>> PrivateKeyEntry. When you state: "Lastly I simply overwrote the newly
>> installed keystore.jks and restarted" -- you don't need to overwrite the
>> current keystore, just amend it by deleting the s1as certificate and
>> creating s1as as a signing key.
>>
>> If you had previously accessed the Glassfish Admin Console on
>> http://<FQDN>:4848 and changed the certificate
>> nickname to wgfcert, then you must have both wgfcert and s1as in your
>> keystore as PrivateKeyEntry for Glassfish to start.
>>
>> If you are having no joy with this, here is what should work, to get your
>> signed certificate to work...
>>
>> 1. In the keystore that contains wgfcert shown as a
>> PrivateKeyEntry, create s1as as a PrivateKeyEntry (keytool genkey)
>> 2. Copy this keystore that has wgfcert and s1as shown as a PrivateKeyEntry
>> to some safe location
>> 3. Do a fresh install of Glassfish
>> 4. Verify that you can access the Glassfish Admin Console on
>> http://<FQDN>:4848
>> 5. Replace the default keystore with your saved keystore that contains the
>> wgfcert and s1as aliases (shown as a PrivateKeyEntry)
>> 6. Restart Glassfish
>> 7. Verify that you can access the Glassfish Admin Console on
>> http://<FQDN>:4848
>> 8. Goto Configuration > HTTP Services > HTTP Listeners and select
>> http-listener-2, then select the SSL tab
>> 9. For the certificate nickname, enter wgfcert
>> 10. Restart Glassfish
>> 11. Open a browser and enter https://<FQDN>:8181
>> => This should result in a Glassfish webpage showing that Glassfish is
>> running on port 8181. Click on the SSL Padlock in the lower right hand
>> side, and it should show your signed cert.
>>
>> If you want, you can then repeat the above for the admin listener (port
>> 4848)
>>
>> With all of the above, I am assuming that the default master-password is
>> still changeit, since you have done a fresh Glassfish install (ant -f
>> setup.xml). Once all the above is working fine, you can then change the
>> master-password, but you will need to use keytool to change keypass for
>> alias wgfcert.
>>
>> Does all this make sense? Good luck and please let me know how it goes.
>>
>> Derek
>>
>>
>> -------- Original Message --------
>> Subject: Re: Clean install, import key help requested *2nd*
>> From: Lance Raymond <lraymond_at_weatherflow.com>
>> Date: Wed, October 28, 2009 5:27 pm
>> To: users_at_glassfish.dev.java.net
>>
>> ok, this is what I got so far;
>> deleted the alias from that keystore file.
>>
>> Recreated using the following;
>> keytool -genkey -dname "CN=ws1.weatherflow.com, OU=Sun Java System
>> Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"
>> -alias slas -keystore keystore.jks
>>
>> Note: I simply looked at a new server install slas which made sense. A
>> check on that file now shows what you said about the private key;
>> Creation date: Oct 28, 2009
>> Entry type: PrivateKeyEntry
>> Certificate chain length: 1
>> Certificate[1]:
>> Owner: CN=ws1.domain.com, OU=Sun Java System Application Server, O=Sun
>> Microsystems, L=Santa Clara, ST=California, C=US
>>
>> Lastly I simply overwrote the newly installed keystore.jks and restarted,
>> knowing in the back of my head it would fail, simply for this reason. The
>> password on a new installed server I think is changeit or something similar
>> where this keystore is not. So on a restart, looking at the logs I knew I
>> would see this, and sure enough, saw it.
>> Caused by: java.lang.IllegalStateException: Keystore was tampered
>> with, or password was incorrect
>>
>> Which does make sense. So it seems I do 'understand' a bit more, and
>> probably 80% where I want to be. So, the question now is do I tell
>> glassfish, the new keystore password is this and if so how? Or the other
>> idea, not sure if you can, is if I have the .cert file from the original,
>> and a new clean install works, can you import that cert into a keystore on a
>> new working server? Not sure which of the above is better (really don't
>> even care anymore), just love to see it start and have the cert working :)
>>
>> Derek, you have been so helpful so far, I appreciate it!
>>
>>
>>
>> On Wed, Oct 28, 2009 at 6:15 PM, <bamoss_at_sceats.com> wrote:
>>
>>> Okay, this is good news. So you should be able to set the certificate
>>> nickname to "wfgcert" once you get Glassfish started, if you haven't already
>>> done so.
>>>
>>> One thing that jumps out at me is that alias "s1as" is Entry type:
>>> trustedCertEntry. This should be Entry type: PrivateKeyEntry.
>>>
>>> Why don't you use keytool to delete alias s1as, then do a genkey and
>>> create a new s1as alias. Set the validity out a couple of years. Restart
>>> Glassfish (domain1) then see if you can access the Glassfish Admin Console
>>> on port 4848.
>>>
>>> Once you have access to Glassfish Admin Console, go to Configuration >
>>> HTTP Services > HTTP Listeners > SSL tab for port 8181 (and 4848 if you
>>> want) and set/validate that the certificate nickname is set to wfgcert.
>>> If you have to change it from s1as, restart Glassfish and click on the
>>> padlock in the browser to validate that you are now using the signed SSL
>>> cert.
>>>
>>> I believe that alias s1as can be fully replaced by editing domain.xml
>>> and replacing s1as with wfgcert -- then restart domain1. Someone from Sun
>>> would need to validate this.
>>>
>>> Finally, if you change the master-password, you need to manually change
>>> keypass for any alias other than s1as. For Glassfish SSL, storepass and
>>> keypass must be the same.
>>>
>>> Hope this helps. Good luck.
>>>
>>> Derek
>>>
>>> -------- Original Message --------
>>> Subject: Re: Clean install, import key help requested *2nd*
>>> From: Lance Raymond <lraymond_at_weatherflow.com>
>>> Date: Wed, October 28, 2009 12:32 pm
>>> To: users_at_glassfish.dev.java.net
>>>
>>> Actually yes, that much has :)
>>>
>>> Now I do have a backup keystore.jks file which I think he used and just
>>> found, and do have the password. So I did the following; (note this is the
>>> old one)
>>> keytool -list -v -keystore keystore.jks (entered the pw) and have this;
>>> (just including the good stuff)
>>>
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 3 entries
>>>
>>> Alias name: wfgfcert
>>> Creation date: Sep 23, 2009
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 2
>>> Certificate[1]:
>>> Owner: CN=api.mydomain.com, OU=Domain Control Validated - RapidSSL(R),
>>> OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877, O=
>>> api.mydomain.com, C=US
>>> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>>>
>>> Alias name: root
>>> Creation date: Sep 23, 2009
>>> Entry type: trustedCertEntry
>>>
>>> Owner: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>>> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>>> Serial number: 35def4cf
>>> Valid from: Sat Aug 22 12:41:51 EDT 1998 until: Wed Aug 22 12:41:51 EDT
>>> 2018
>>>
>>>
>>> Alias name: s1as
>>> Creation date: Sep 23, 2009
>>> Entry type: trustedCertEntry
>>>
>>> Owner: CN=api.domain.com, OU=Domain Control Validated - RapidSSL(R),
>>> OU=See www.rapidssl.com/resources/cps (c)09, OU=GT06273877, O=
>>> api.domain.com, C=US
>>> Issuer: OU=Equifax Secure Certificate Authority, O=Equifax, C=US
>>>
>>>
>>> So that was done last month and it looks like he imported the key into
>>> the keystore.jks file (I almost sound like I know what I'm talking about)!
>>> The only issue I see with that file is the last one, the s1as alias is using
>>> the same domain info, where the new install uses the self-signed one. Not
>>> sure if that matters or not as I don't really need that s1as alias, but you
>>> say other things use it.
>>>
>>> As for not being around, doesn't matter, I have the laptop and will be
>>> checking in all day/night :D Thanks again for the time already spent
>>> helping.
>>>
>>>
>>>
>>>
>>> On Wed, Oct 28, 2009 at 3:00 PM, <bamoss_at_sceats.com> wrote:
>>>
>>>> If you don't have the original keystore where the wflow alias was
>>>> created, you may need to create a new keypair and get the certificate signed
>>>> by rapidssl.
>>>>
>>>> The issue is that for SSL to work correctly, you need a keypair in your
>>>> keystore. When you do a signing request to a CA, you export the certificate
>>>> (not the key) then reimport the signed certificate. This gives you a chain
>>>> keypair. What you need to see in your keystore when you do keytool -list -v
>>>> -keystore keystore.jks, is the name of your alias (eg: wflow) followed by
>>>> "Entry Type: keyEntry". You should also see this after alias "s1as". If
>>>> you don't see this in your keystore, you need to go through the cert request
>>>> process with the CA.
>>>>
>>>> Does this make sense?
>>>>
>>>> If not, I'll try to help, but will be offline for a couple of hours.
>>>>
>>>>
>>>> -------- Original Message --------
>>>> Subject: Re: Clean install, import key help requested *2nd*
>>>> From: Lance Raymond <lraymond_at_weatherflow.com>
>>>> Date: Wed, October 28, 2009 11:44 am
>>>> To: users_at_glassfish.dev.java.net
>>>>
>>>> 1st, all can ignore the new post (sorry for the dup as it came from
>>>> Nabble) and I am just mentally shot!
>>>> Next;
>>>> "If you used mystore.jks as the keystore where you created your
>>>> original certificate request for alias" well unfortunately I didn't create
>>>> the request someone else did who left. I have just the .csr and .cert
>>>>
>>>> I have since wiped the app server again, so sitting idle with the
>>>> following;
>>>> default keystore.jks
>>>> folder in my home with; trustedroot.crt, wfgfcert.csr, wfgfcert.cert
>>>>
>>>> I can access the normal app server on 8080, 8181 is the ssl port and the
>>>> admin on 4848.
>>>>
>>>> So starting from step 1, can I simply import the wfgfcert into the
>>>> existing keystore using wflow (I assume there can be multiple) since other
>>>> things use that s1as alias, then change ssl to use that wflow alias?
>>>>
>>>> You threw a lot out there (better than anything I have read) but don't
>>>> want to screw up again!
>>>>
>>>> Thanks
>>>>
>>>>
>>>> On Wed, Oct 28, 2009 at 2:35 PM, <bamoss_at_sceats.com> wrote:
>>>>
>>>>> So with the original keystore.jks, which contains alias s1as, you are
>>>>> able to access the glassfish admin console on port 4848, correct?
>>>>>
>>>>> If you used mystore.jks as the keystore where you created your original
>>>>> certificate request for alias, then imported back the signed certificate and
>>>>> the class and root certificate, you should see three entries, a chained
>>>>> signing key and the two imported certificates (class and root certs) in the
>>>>> mystore.jks keystore. However you won't have the s1as self-signed
>>>>> certificate, that is in the original keystore, since this is created when
>>>>> glassfish is built.
>>>>>
>>>>> If the above is true, create alias s1as using genkey in mystore.jks.
>>>>> Then rename the keystore.jks to keystore.old and copy and rename mystore.jks
>>>>> to keystore.jks. You should be able to log into the glassfish admin
>>>>> console. I have enabled SSL on port 4848 and 8181, leaving 8080 for HTTP.
>>>>> If you enable SSL on these ports, the default certificate nickname will be
>>>>> "s1as". If you change this to "wflow", you should now be using your signed
>>>>> certificate. This would be done by going to Configuration > HTTP Services >
>>>>> HTTP Listeners > SSL tab. After this change, you need to restart Glassfish.
>>>>>
>>>>> Does this make sense?
>>>>>
>>>>> Note that you need to have alias s1as in your active keystore, as other
>>>>> glassfish services use this certificate nickname. I suspect this is why the
>>>>> blog entry recommends deleting the original s1as and generating a new s1as
>>>>> alias for the certificate request. The other option if you don't have s1as
>>>>> in the active keystore is to make the change in the domain.xml file
>>>>> replacing all s1as certificate aliases with your alias, however, editing the
>>>>> domain.xml file is not recommended.
>>>>>
>>>>> Hope this helps.
>>>>>
>>>>> Derek
>>>>>
>>>>> -------- Original Message --------
>>>>> Subject: RE: Clean install, import key help requested *2nd*
>>>>> From: xlancealotx <lraymond_at_weatherflow.com>
>>>>> Date: Wed, October 28, 2009 11:17 am
>>>>> To: users_at_glassfish.dev.java.net
>>>>>
>>>>>
>>>>> Yep, I have tried both copying the mystore.jks over the keystore (renaming it
>>>>> to keystore) and importing into the existing file. Also tried using a
>>>>> different alias, changing in the admin and restarting, all still fail.
>>>>> There are a few docs out there, all pretty much say the same few things,
>>>>> which is why I am surprised I am having such a hard time and the error is
>>>>> just so vague.
>>>>>
>>>>>
>>>>>
>>>>> bamoss wrote:
>>>>> >
>>>>> > Did you replace the existing keystore with your new keystore, mykeystore,
>>>>> > and rename it to keystore.jks? Does your new keystore contain the s1as
>>>>> > alias? Derek
>>>>> >
>>>>> >
>>>>> > -------- Original Message --------
>>>>> > Subject: Clean install, import key help requested *2nd*
>>>>> > From: glassfish_at_javadesktop.org
>>>>> > Date: Wed, October 28, 2009 8:18 am
>>>>> > To: users_at_glassfish.dev.java.net
>>>>> >
>>>>> > ok, since over a day passed, 40+ people viewed and no response, figured I
>>>>> > would just wipe the gf server and start from scratch. I already have the
>>>>> > paid cert from rapidssl and have a clean GF2 server running. I followed a
>>>>> > few simple steps from
>>>>> > http://wiki.glassfish.java.net/Wiki.jsp?page=How_to_ssl_versign and have
>>>>> > the same issue. So maybe since it's a clean install, new alias, I can get
>>>>> > at least one response! With that, I did the following;
>>>>> >
>>>>> > [b]Step 1[/b]
>>>>> > keytool -import -alias wflow -keystore mykeystore.jks -trustcacerts -file
>>>>> > wfgfcert.cert
>>>>> > Enter keystore password:
>>>>> > Re-enter new password:
>>>>> > Certificate was added to keystore
>>>>> >
>>>>> > I had a trustedroot.cert from rapidssl which they said I might need to
>>>>> > install, when I did I got the following;
>>>>> > keytool -import -trustcacerts -keystore mykeystore.jks -alias rapidssl
>>>>> > -file trustedroot.crt
>>>>> > Enter keystore password:
>>>>> > Certificate already exists in system-wide CA keystore under alias
>>>>> > <equifaxsecureca>
>>>>> > Do you still want to add it to your own keystore? [no]:
>>>>> >
>>>>> > So to me, that means no, it already knows they're good!
>>>>> > [b]Step 2 (per the docs);[/b]
>>>>> > cp mykeystore.jks /var/lib/glassfishv2/domains/domain1/config/keystore.jks
>>>>> >
>>>>> > [b]Step 3 - make the change[/b]
>>>>> > Logged into the admin gui, there are 2 http-listener-2 (one under
>>>>> > default-config and the other under server-config) and the doc doesn't tell
>>>>> > which so I figure do both.
>>>>> >
>>>>> > [b]Step 4: I try to start[/b]
>>>>> > /usr/share/glassfishv2/bin/asadmin start-domain domain1
>>>>> > Starting Domain domain1, please wait.
>>>>> > Log redirected to /var/lib/glassfishv2/domains/domain1/logs/server.log.
>>>>> > Please enter the admin user name>admin
>>>>> > Please enter the admin password>adminadmin
>>>>> > Redirecting output to /var/lib/glassfishv2/domains/domain1/logs/server.log
>>>>> > Domain domain1 failed to startup. Please check the server log for more
>>>>> > details.
>>>>> > CLI156 Could not start the domain domain1.
>>>>> >
>>>>> > The log shows the same;
>>>>> > [i]Caused by: java.lang.IllegalStateException: Keystore was tampered with,
>>>>> > or password was incorrect[/i]
>>>>> >
>>>>> > I didn't see anyplace that said to enter the keystore password, or where
>>>>> > to put it, could that be it? Either way, I'm stuck, and really would
>>>>> > appreciate some type of help. I do try to provide as much as possible,
>>>>> > and not the 'help' on the subject, but don't know what else to try as this
>>>>> > java.net seems to be the right and best place to post!
>>>>> >
>>>>> > Thanks
>>>>> > [Message sent by forum member 'xlancealotx' (lraymond_at_weatherflow.com)]
>>>>> >
>>>>> > http://forums.java.net/jive/thread.jspa?messageID=369651
>>>>> >
>>>>> > ---------------------------------------------------------------------
>>>>>
>>>>> > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>>>>> > For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/Clean-install%2C-import-key-help-requested-*2nd*-tp26096557p26099527.html
>>>>> Sent from the java.net - glassfish users mailing list archive at
>>>>> Nabble.com.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>