Posted to users@cxf.apache.org by Christian Stettler <ch...@innoveo.com> on 2012/01/30 10:32:51 UTC

Private Key for 'mystskey' certificate in Fediz STS keystore

Dear list,

we are currently playing with the Fediz IDP and STS. In this context, we have the following issue:

While testing, we want to use the 'mystskey' certificate contained in the stsstore.jks keystore for the HTTPS connector in Tomcat (the one used to access the STS servlet via HTTPS). Unfortunately, the keystore password seems not to match the key password of the 'mystskey' private key. When configuring the Tomcat HTTPS connector with:

<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="<path/to>/stsstore.jks" keystorePass="stsspass" keyAlias="mystskey" keyPass="stsspass"
               sslProtocol="TLS" />

we get the following exception in Tomcat:

java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover (KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey (JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey (JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        ...

Does anyone know the password of the 'mystskey' key? Or do you see another reason for this issue?

Thank you & regards,
Christian

Re: Private Key for 'mystskey' certificate in Fediz STS keystore

Posted by Glen Mazza <gm...@talend.com>.
Last I had checked (and as you've noticed), Tomcat required the keystore 
and key passwords to be the same:  
http://www.jroller.com/gmazza/entry/ssl_for_web_services

We keep them different, as they are used in testing and debugging and we 
want to make sure our code is never using the key password when it 
should be using that of the keystore (or vice-versa).  Having the same 
password for both might have bugs slip through the cracks.

However, it's easy enough to create a new key / keystore with the same 
passwords:
http://www.jroller.com/gmazza/entry/metro_sts_tutorial#MetroSTS3

Regards,
Glen

On 01/30/2012 04:32 AM, Christian Stettler wrote:
> Dear list,
>
> we are currently playing with the Fediz IDP and STS. In this context, we have the following issue:
>
> While testing, we want to use the 'mystskey' certificate contained in the stsstore.jks keystore for the HTTPS connector in Tomcat (the one used to access the STS servlet via HTTPS). Unfortunately, the keystore password seems not to match the key password of the 'mystskey' private key. When configuring the Tomcat HTTPS connector with:
>
> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
>                 maxThreads="150" scheme="https" secure="true"
>                 keystoreFile="<path/to>/stsstore.jks" keystorePass="stsspass" keyAlias="mystskey" keyPass="stsspass"
>                 sslProtocol="TLS" />
>
> we get the following exception in Tomcat:
>
> java.security.UnrecoverableKeyException: Cannot recover key
>          at sun.security.provider.KeyProtector.recover (KeyProtector.java:311)
>          at sun.security.provider.JavaKeyStore.engineGetKey (JavaKeyStore.java:121)
>          at sun.security.provider.JavaKeyStore$JKS.engineGetKey (JavaKeyStore.java:38)
>          at java.security.KeyStore.getKey(KeyStore.java:763)
>          ...
>
> Does anyone know the password of the 'mystskey' key? Or do you see another reason for this issue?
>
> Thank you & regards,
> Christian


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


Re: Private Key for 'mystskey' certificate in Fediz STS keystore

Posted by Colm O hEigeartaigh <co...@apache.org>.
The password to access the private key is "stskpass", whereas the
password to access the keystore itself is "stsspass".

Colm.

On Mon, Jan 30, 2012 at 9:32 AM, Christian Stettler
<ch...@innoveo.com> wrote:
> Dear list,
>
> we are currently playing with the Fediz IDP and STS. In this context, we have the following issue:
>
> While testing, we want to use the 'mystskey' certificate contained in the stsstore.jks keystore for the HTTPS connector in Tomcat (the one used to access the STS servlet via HTTPS). Unfortunately, the keystore password seems not to match the key password of the 'mystskey' private key. When configuring the Tomcat HTTPS connector with:
>
> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="<path/to>/stsstore.jks" keystorePass="stsspass" keyAlias="mystskey" keyPass="stsspass"
>               sslProtocol="TLS" />
>
> we get the following exception in Tomcat:
>
> java.security.UnrecoverableKeyException: Cannot recover key
>        at sun.security.provider.KeyProtector.recover (KeyProtector.java:311)
>        at sun.security.provider.JavaKeyStore.engineGetKey (JavaKeyStore.java:121)
>        at sun.security.provider.JavaKeyStore$JKS.engineGetKey (JavaKeyStore.java:38)
>        at java.security.KeyStore.getKey(KeyStore.java:763)
>        ...
>
> Does anyone know the password of the 'mystskey' key? Or do you see another reason for this issue?
>
> Thank you & regards,
> Christian



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
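The following is an added example, not code from the thread or from Fediz: it reproduces what Tomcat's connector does (open the keystore with keystorePass, then recover the key with keyPass), shows the UnrecoverableKeyException from the original post when the two passwords are confused, and then re-stores 'mystskey' under the keystore password so a single password works for both. The passwords and alias are the ones Colm gave; the keystore path and the output file name are assumptions.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;

/**
 * Diagnoses the "Cannot recover key" error from the thread. Tomcat loads the
 * keystore with keystorePass and then calls KeyStore.getKey(alias, keyPass);
 * when keyPass is wrong for the entry, getKey throws UnrecoverableKeyException.
 */
public class StsKeyCheck {
    public static void main(String[] args) throws Exception {
        // Assumed path to the Fediz STS keystore; pass another as the first argument.
        String path = args.length > 0 ? args[0] : "stsstore.jks";
        String alias = "mystskey";
        char[] storePass = "stsspass".toCharArray(); // keystore password from the thread
        char[] keyPass = "stskpass".toCharArray();   // key password from the thread

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass); // succeeds: keystorePass is correct
        }

        // Step 1: what the original connector config did (keyPass = keystore password).
        try {
            ks.getKey(alias, storePass);
            System.out.println("key and keystore passwords already match; nothing to do");
            return;
        } catch (UnrecoverableKeyException e) {
            System.out.println("keystore password does not unlock '" + alias + "': " + e.getMessage());
        }

        // Step 2: recover the key with its own password and write a copy of the entry
        // protected by the keystore password, so Tomcat needs only one value.
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        KeyStore copy = KeyStore.getInstance("JKS");
        copy.load(null, null); // start an empty keystore
        copy.setKeyEntry(alias, key, storePass, chain);
        try (FileOutputStream out = new FileOutputStream("tomcat-sts.jks")) { // assumed name
            copy.store(out, storePass);
        }
        System.out.println("wrote tomcat-sts.jks; use keystorePass and keyPass \"stsspass\"");
    }
}
```

The same change on the original file can be made with `keytool -keypasswd -alias mystskey -keystore stsstore.jks -storepass stsspass -keypass stskpass -new stsspass`; the copy written above leaves the shipped test keystore untouched.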