getting keystore error while loading identity keystore


Jeffrey C Cohen

Mar 17, 2023, 4:53:37 PM
to WildFly
Getting this error after configuring TLS (configuration below)

13:18:29,053 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.security.key-store.LocalhostKeyStore: org.jboss.msc.service.StartException in service org.wildfly.security.key-store.LocalhostKeyStore: WFLYELY00004: Unable to start the service.
        at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:200)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701)
        at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559)
        at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
        at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1363)
        at java.lang.Thread.run(Thread.java:750)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.wildfly.security.keystore.AtomicLoadKeyStoreSpi.engineLoad(AtomicLoadKeyStoreSpi.java:53)
        at java.security.KeyStore.load(KeyStore.java:1445)
        at org.wildfly.extension.elytron.KeyStoreService.start(KeyStoreService.java:163)
        ... 8 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
        ... 15 more

With this configuration in the xml:

            <tls>
                <key-stores>
                    <key-store name="LocalhostKeyStore">
                        <credential-reference clear-text="complex_password"/>
                        <implementation type="JKS"/>
                        <file path="ssl/my_keystore" relative-to="jboss.server.base.dir"/>
                    </key-store>
                </key-stores>
                <key-managers>
                    <key-manager name="LocalhostKeyManager" key-store="LocalhostKeyStore" alias-filter="myserver_alias">
                        <credential-reference clear-text="complex_password"/>
                    </key-manager>
                </key-managers>
                <server-ssl-contexts>
                    <server-ssl-context name="LocalhostSslContext" key-manager="LocalhostKeyManager"/>
                </server-ssl-contexts>
            </tls>

I have verified that the complex_password used in the "clear-text" property is correct with the keytool command.

I am trying to do this with direct edits to XML instead of using the CLI.

Cameron Rodriguez

Mar 17, 2023, 5:34:20 PM
to Jeffrey C Cohen, WildFly
Hi Jeffrey,

I attempted to recreate the keystore, placed it at `$WILDFLY_ROOT/standalone/ssl/my_keystore`, and then copied your configuration into the XML, and it seemed to work. For reference, I'm running WildFly 27.0.1, and here's the command I used to generate the keystore:

keytool -genkeypair -keystore my_keystore -alias myserver_alias -storepass complex_password -storetype JKS -keyalg RSA -keysize 2048 -dn 'cn=localhost'

It seems to be some issue with the password itself. A few things that come to mind:
  • Was the original password encoded in UTF-8? It might cause some issues if it wasn't.
  • If the path to the keystore doesn't include an extension, it won't match correctly (ex. `newKeystore` when the full name is `newKeystore.jks`).
  • You could also try adding the password to a credential store[1], and using that to unlock the keystore. If there's some difference in how text is handled between the CLI and the terminal, this may isolate the issue.

Best,

--
Cameron Rodriguez (he/him)
Software Engineering Intern
WildFly Elytron
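An added example, not code from either message above: a Python check of a JKS store password done the way sun.security.provider.JavaKeyStore does it, so the "Password verification failed" from the trace can be reproduced outside WildFly and Cameron's UTF-8 point tested. JKS keeps a trailing SHA-1 over the password as UTF-16BE chars, the fixed string "Mighty Aphrodite" and the file body, so the same password bytes decoded under a different charset produce a different digest. Function names are my own, and it handles JKS only, not PKCS12.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED  # first four bytes of every JKS file

def jks_digest(password: str, body: bytes) -> bytes:
    # JavaKeyStore.getPreKeyedHash: password chars as UTF-16BE, a fixed salt string, then the file body
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def _skip_utf(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)  # DataOutputStream.writeUTF: 2-byte length prefix
    return pos + 2 + n

def _skip_entries(data, pos, count):
    """Advance past `count` entries (tag 1 = private key + cert chain, tag 2 = trusted cert)."""
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos = _skip_utf(data, pos + 4) + 8  # alias, then 8-byte creation date
        if tag == 1:
            (klen,) = struct.unpack_from(">I", data, pos)
            (chain,) = struct.unpack_from(">I", data, pos + 4 + klen)
            pos += 8 + klen
        elif tag == 2:
            chain = 1
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
        for _ in range(chain):
            pos = _skip_utf(data, pos)  # certificate type, e.g. "X.509"
            (clen,) = struct.unpack_from(">I", data, pos)
            pos += 4 + clen
    return pos

def jks_password_ok(data, password):
    """True iff `password` is the store password: recompute the trailing SHA-1 and compare."""
    magic, _version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS file (a PKCS12 store carries no such digest)")
    end = _skip_entries(data, 12, count)  # header is 12 bytes; the 20-byte digest follows the entries
    return jks_digest(password, data[:end]) == data[end:end + 20]

def working_decoding(data, raw_password):
    """Charset that turns the configured password bytes into the chars the store was created with."""
    for enc in ("utf-8", "latin-1"):
        try:
            if jks_password_ok(data, raw_password.decode(enc)):
                return enc
        except UnicodeDecodeError:
            pass
    return None
```

Run `jks_password_ok(open("standalone/ssl/my_keystore", "rb").read(), "complex_password")` against the real file: a False here means the bytes or the password differ from what keytool used, independent of anything Elytron does.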