java.security.UnrecoverableKeyException: Cannot recover key




The purpose of this article is to provide assistance if you receive the 'java.security.UnrecoverableKeyException: Cannot recover key' error when renewing expired certificates or changing the password for the keystore or truststore. This can affect you if you are using AM/OpenAM for SAML2 federation or as an OAuth provider.


Symptoms

The symptoms vary slightly depending on whether you are using AM/OpenAM for SAML2 federation or as an OAuth provider.

SAML2 federation

The following error is shown in the Federation debug log if you are using AM/OpenAM for SAML2 federation:

libSAML:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main]ERROR: Cannot recover key
libSAML2:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main]ERROR: FMSigProvider.sign: Either input xml string or id value or private key is null.
libSAML2:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main]ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Null input.
    at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:138)
    at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:674)
    at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2433)
    ...
Caused by: java.security.UnrecoverableKeyException: Cannot recover key

An error similar to the following is also seen in the container log. For example, this error is shown in the catalina.out log for Apache Tomcat™:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:620)
    ...
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
    at java.security.KeyStore.getKey(KeyStore.java:763)


OAuth provider


The following error is shown in the OAuth2Provider debug log if you are using AM/OpenAM as an OAuth provider:

OAuth2Provider:29/08/2016 03:27:14:198 AM MDT: Thread[tomcat-http--16,5,main]: TransactionId[2d899296-1b0b-4ee0-9e23-f1261f659ba3-137]14631:: 400 server_error : Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
    at org.restlet.resource.ServerResource.get(ServerResource.java:742)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
    at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
    at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
    at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
    ...
Caused by: org.forgerock.json.jose.utils.KeystoreManagerException: java.security.UnrecoverableKeyException: Cannot recover key
    at org.forgerock.json.jose.utils.KeystoreManager.getPrivateKey(KeystoreManager.java:139)
    at org.forgerock.openam.utils.OpenAMSettingsImpl.getServerKeyPair(OpenAMSettingsImpl.java:181)
    at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.getServerKeyPair(OpenAMOAuth2ProviderSettings.java:610)
    at org.forgerock.openam.oauth2.OpenAMTokenStore.createOpenIDToken(OpenAMTokenStore.java:253)
    at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(IdTokenResponseTypeHandler.java:61)
    at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(AuthorizationTokenIssuer.java:105)
    at org.forgerock.oauth2.core.AuthorizationServiceImpl.authorize(AuthorizationServiceImpl.java:155)
    at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:95)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:523)
    ... 76 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at org.forgerock.json.jose.utils.KeystoreManager.getPrivateKey(KeystoreManager.java:137)
    ... 88 more

Recent Changes

Changed the password for an AM/OpenAM keystore or truststore.

Renewed expired certificates.

Causes

The most likely cause is a mismatch between the key password and the keystore password. JKS and JCEKS keystores encrypt each private key entry under its own key password, independently of the keystore password that protects the file as a whole. When AM/OpenAM calls KeyStore.getKey with a password that does not match the one the key was protected with, the provider's KeyProtector.recover (the innermost frame in the stack traces above) rejects it with "Cannot recover key". This is typically what happens when the keystore password is changed but the key password is not (or the reverse), or when the password files AM/OpenAM reads (.storepass, .keypass) no longer match the values actually set on the keystore. Note that a wrong keystore password fails earlier, when the keystore is loaded, with "Keystore was tampered with, or password was incorrect", so "Cannot recover key" points specifically at the key password.

This can also happen if you have a site configuration and have made changes to your certificate or passwords but have not copied the updated files to all servers in the site.

Solution

This issue can be resolved by synchronizing the passwords using the keytool command:

  1. Update .storepass and/or .keypass with the new password so that the keystore password and the key password match, and set the same password on the keystore itself. If you have a site configuration, make sure the updated keystore and password files are identical on all servers in the site. For example, you can use keytool commands such as the following depending on your keystore format (keytool prompts for the current keystore password and, for -keypasswd, the current key password; if you omit -new it also prompts for the new password instead of recording it in your shell history). Run -keypasswd for every private key alias that AM/OpenAM uses:
    • JCEKS format:
      $ keytool -storepasswd -new newpassword -keystore keystore.jceks -storetype JCEKS
      $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jceks -storetype JCEKS
    • JKS format:
      $ keytool -storepasswd -new newpassword -keystore keystore.jks
      $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jks
    Note that keytool -list only verifies the keystore password; it never decrypts the key entries, so a successful -list does not rule out a key password mismatch.
  2. Restart the web application container in which AM/OpenAM runs to apply the changes.
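The checker below is an added example, not code from AM/OpenAM or from this article. It exercises exactly the call that fails in the stack traces above, KeyStore.getKey, for every key entry in a keystore, using the password AM/OpenAM would read from .keypass, and reports per alias whether the key is recoverable. Run it before restarting the container to confirm the passwords are really in sync. The command-line arguments, the assumption that .storepass and .keypass hold a single password with optional trailing whitespace, and the alias name and password values used by the no-argument demo (which builds an in-memory JCEKS store whose key password deliberately differs from its store password) are all illustrative assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.crypto.KeyGenerator;

/**
 * Verifies that every key entry in a keystore can be recovered with the key
 * password AM/OpenAM will use. keytool -list only checks the store password,
 * so this is the check that reproduces (or rules out) "Cannot recover key".
 */
public class KeyPasswordCheck {

    /** Per-alias result: "ok", or the UnrecoverableKeyException message. */
    public static Map<String, String> checkKeyEntries(KeyStore ks, char[] keyPass) throws Exception {
        Map<String, String> results = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no key password
            }
            try {
                ks.getKey(alias, keyPass); // this is the call that throws in AM's stack traces
                results.put(alias, "ok");
            } catch (UnrecoverableKeyException e) {
                // JKS private keys report "Cannot recover key"; JCEKS entries report a padding error
                results.put(alias, "UnrecoverableKeyException: " + e.getMessage());
            }
        }
        return results;
    }

    /** Assumes the AM-style .storepass/.keypass layout: one password per file, surrounding whitespace ignored. */
    static char[] readPasswordFile(String path) throws Exception {
        String s = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
        return s.trim().toCharArray();
    }

    static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A wrong *store* password fails here with an IOException
            // ("Keystore was tampered with, or password was incorrect"), not in getKey.
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Constructed demo: an in-memory JCEKS store whose single key entry uses a different password than the store. */
    static KeyStore demoStore(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setEntry("test", new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(keyPass)); // entry is sealed under keyPass right here
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 4) {
            // usage: java KeyPasswordCheck <keystore> <JKS|JCEKS> <.storepass file> <.keypass file>
            KeyStore ks = load(args[0], args[1], readPasswordFile(args[2]));
            checkKeyEntries(ks, readPasswordFile(args[3]))
                    .forEach((alias, result) -> System.out.println(alias + ": " + result));
            return;
        }
        // No arguments: reproduce the mismatch offline with constructed values.
        char[] storePass = "changeit".toCharArray();  // constructed, mirrors the AM default
        char[] keyPass = "keysecret".toCharArray();   // constructed, deliberately different
        KeyStore ks = demoStore(storePass, keyPass);
        System.out.println("store password used as key password: " + checkKeyEntries(ks, storePass));
        System.out.println("correct key password:                " + checkKeyEntries(ks, keyPass));
    }
}
```

Point the four-argument form at the real keystore and the .storepass/.keypass files AM/OpenAM reads (paths under /path/to/openam as listed in the default keystore sections below); every alias AM signs or decrypts with must report "ok". Because the check loads the keystore with the store password first, it also distinguishes the two failure modes: a bad store password stops at load(), a bad key password shows up per alias from getKey().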

Default keystore details - AM 5 and later; OpenAM 13.5.x

After installing AM/OpenAM, a default keystore is available in /path/to/openam/security/keystores/keystore.jceks (AM 7 and later) or /path/to/openam/openam/keystore.jceks (Pre-AM 7). The default password is changeit and is stored in /path/to/openam/security/secrets/default/.storepass (AM 7 and later) or /path/to/openam/openam/.storepass (Pre-AM 7).

This keystore contains multiple default test aliases; the exact test aliases included vary by version as shown in the documentation:

  • AM 7 - Security Guide › About the Default Keystores and Secret Stores
  • AM 6.5 - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
  • AM 6 - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
  • AM 5.x - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
  • OpenAM 13.5 - Administration Guide › JCEKS and JKS Keystore Comparison

See Security Guide › Configuring Secrets, Certificates, and Keys for further information.

Default keystore details - OpenAM 13

After installing OpenAM, a default keystore is available in the OpenAM configuration directory /path/to/openam/openam/keystore.jks. The default password is changeit and is stored in /path/to/openam/openam/.storepass. The only key in this keystore is for a self-signed certificate (default alias: test). The default key password is also changeit and is stored in /path/to/openam/openam/.keypass.

See Also

Related Training

N/A

Related Issue Tracker IDs

I am supplied with a JKS keystore named ABCC_client.store. When I import this keystore into cacerts and try connecting, it gives a "No such Algorithm" error. PFA the stack trace.

But if I use this keystore independently, i.e. without adding it to cacerts, it works.

Some googling led me to http://joewlarson.com/blog/2009/03/25/java-ssl-use-the-same-password-for-keystore-and-key/ which says that the password might be different for the key and the keystore.

Answers:

Make sure the KeyStore password and the key password are the same.

Answers:

The private key password defined in your app/config is incorrect. First try verifying the private key password by changing it to another one as follows:

The above example changes the password from password to changeit. This command will succeed if the private key password was password.

Answers:

I had the same error when we imported a key into a keystore that was built using a 64-bit OpenSSL version. When we followed the same procedure to import the key into a keystore that was built using a 32-bit OpenSSL version, everything went fine.

Answers:

In order to not have the Cannot recover key exception, I had to apply the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to the installation of Java that was running my application. Version 8 of those files can be found here or the latest version should be listed on this page. The download includes a file that explains how to apply the policy files.

Tags: exception, java, security, sed