I am supplied with a jks keystore named ABCC_client.store. When I import this keystore to cacerts and try connecting it says No such Algorithm error. PFA the stacktrace
Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)
at java.security.Provider$Service.newInstance(Provider.java:1245)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:220)
at sun.security.jca.GetInstance.getInstance(GetInstance.java:147)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at javax.net.ssl.SSLContext.getDefault(SSLContext.java:68)
at javax.net.ssl.SSLSocketFactory.getDefault(SSLSocketFactory.java:102)
at org.apache.axis.components.net.JSSESocketFactory.initFactory(JSSESocketFactory.java:61)
at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:79)
... 32 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.getDefaultKeyManager(DefaultSSLContextImpl.java:170)
at com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl.<init>(DefaultSSLContextImpl.java:40)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
at java.lang.Class.newInstance0(Class.java:355)
at java.lang.Class.newInstance(Class.java:308)
at java.security.Provider$Service.newInstance(Provider.java:1221)
... 39 more
But if I use this keystore independently i.e without adding it to cacerts it works.
Some googling led to me to http://joewlarson.com/blog/2009/03/25/java-ssl-use-the-same-password-for-keystore-and-key/ which says that password might me different for the key and the keystore.
If using Tomcat 6 and earlier, make sure the keystore password and the key password are same. If using Tomcat 7 and later, make sure they are the same or that the key password is specified in the server.xml file.
The private key password defined in your app/config is incorrect. First try verifying the the private key password by changing to another one as follows:
keytool -keypasswd -new changeit -keystore cacerts -storepass changeit -alias someapp -keypass password
The above example changes the password from password to changeit. This command will succeed if the private key password was password.
In order to not have the Cannot recover key exception, I had to apply the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files to the installation of Java that was running my application. Version 8 of those files can be found here or the latest version should be listed on this page. The download includes a file that explains how to apply the policy files.
Since JDK 8u151 it isn't necessary to add policy files. Instead the JCE jurisdiction policy files are controlled by a Security property called crypto.policy. Setting that to unlimited with allow unlimited cryptography to be used by the JDK. As the release notes linked to above state, it can be set by Security.setProperty() or via the java.security file. The java.security file could also be appended to by adding -Djava.security.properties=my_security.properties to the command to start the program as detailed here.
Since JDK 8u161 unlimited cryptography is enabled by default.
I had the same error when we imported a key into a keystore that was build using a 64bit OpenSSL Version. When we followed the same procedure to import the key into a keystore that was build using a 32 bit OpenSSL version everything went fine.
Check if password you are using is correct one by running below command
keytool -keypasswd -new temp123 -keystore awsdemo-keystore.jks -storepass temp123 -alias movie-service -keypass changeit
If you are getting below error then your password is wrong
keytool error: java.security.UnrecoverableKeyException: Cannot recover key
Sometimes this seems to be happening for no reason. I too faced the same and tried all methods like Keytool explorer etc.
Ultimately ended requesting Google to reset the key since I had Google play signing enabled. This is a good recommendation to follow.
https://support.google.com/googleplay/android-developer/answer/9842756?hl=en
Related
I need help, first of all, in any of stackoverflow posts I can't found a correct answer.
I'm tring to set my Web application in tomcat server with SSL using Keytool and Certbot
First I used Certbot and generated the respectives .pem files (privkey.pem, fullchain.pem, etc).
After that I did this steps:
Add with OpenSSL my privkey.pem to JKS
My password is too simple "123456", impossible to forget. (I'm just trying)
After that I convert the pkcs12 to JKS with:
Finally Add the chain.pem to my Keystore. In this step I enter the password that I entered previously. And I get the meesage:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
If I edit my server.xml file in Tomcat server with connector 8443 and my keystore, when I start server I get the same error in catalina.out.
The password of your MyDSKeyStore.jks file is '-destkeypass', as a consequence of the way keytool parses the second commandline you used: -deststorepass should be followed be the password. In your case it is followed by -destkeypass.
Remark: Your question seems to be na XY problem: you want to configure a Tomcat SSL connector using certificates in PEM format, so you ask how to transform a PEM certificate into JKS. While the procedure you show is almost correct, it is useless on modern Tomcat's (cf. this answer): Tomcat supports PKCS12 files since version 5.5 at least and supports certificates in PEM format since version 8.5. There is no need to convert anything.
I've created a global JKS that has "changeme" as the keystore password. I created the JKS using the Keystore Explorer.
The idea behind using the global JKS is that apps can pull down the JKS from S3 and then reset the JKS with their own string password. We do alot of SpringBoot APIs and we use the JKSs to secure Tomcat in the container so we can get HTTPS connected.
But here's the problem I'm running into, when I change the JKS keystore password I start getting java.security.UnrecoverableKeyException: Cannot recover key errors being thrown.
In the Keystore Explorer I didn't specify a password for the alias. When I go into the Keystore Explorer to change the alias password, it accepts "changeme" as the password. So, I assume the Keystore Explorer is automatically using changeme as the password since I supplied it for the JKS keystore password.
Admittedly, I'm no expert with using JKS and understanding the intricacies of security but this one has me stumped.
I've also tried changing both the keystore password with the Keytool using the following command:
keytool -storepasswd -keystore myJKS.jks
and
keytool -keypasswd -alias myalias -keystore myJKS.jks
But when I try to change the alias I get:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
What am I doing wrong?
Thanks
The error you are seeing is because you might have provided wrong keystore-password in the command.
A basic understanding of how and what JKS is. A JKS (Java KeyStore) is basically a file that protects secret keys (symmetric keys), key pairs (asymmetric keys) and certificates. The way it protects them is by a password, this password is called a keystore-password. And the keys within the JKS file can also be protected individually, which means they can have their own password, which is called a key-password.
The way to change the keystore-password:
keytool -storepasswd -keystore [KEYSTORE] -storepass [OLD_KEYSTORE_PASSWORD] -new [NEW_KEYSTORE_PASSWORD]
The way to change the key-password:
keytool -keypasswd -keystore [KEYSTORE] -storepass [KEYSTORE_PASSWORD] -alias [ALIAS] -keypass [OLD_KEY_PASSWORD] -new [NEW_KEY_PASSWORD]
These are the properties related to securing the spring-boot application. You have to define the keystore-password and key-password in those properties.
server.ssl.ciphers= # Supported SSL ciphers.
server.ssl.client-auth= # Client authentication mode.
server.ssl.enabled=true # Whether to enable SSL support.
server.ssl.enabled-protocols= # Enabled SSL protocols.
server.ssl.key-alias= # Alias that identifies the key in the key store.
server.ssl.key-password= # Password used to access the key in the key store.
server.ssl.key-store= # Path to the key store that holds the SSL certificate (typically a jks file).
server.ssl.key-store-password= # Password used to access the key store.
server.ssl.key-store-provider= # Provider for the key store.
server.ssl.key-store-type= # Type of the key store.
server.ssl.protocol=TLS # SSL protocol to use.
server.ssl.trust-store= # Trust store that holds SSL certificates.
server.ssl.trust-store-password= # Password used to access the trust store.
server.ssl.trust-store-provider= # Provider for the trust store.
server.ssl.trust-store-type= # Type of the trust store.
You can find all the spring-boot properties in the documentation here.
If you look at the properties, there is server.ssl.key-store-password and server.ssl.key-password. You can ask the users to set those two values after they change the global JKS password.
Trying to do a project with spring and cyphering the password. In http://cloud.spring.io/spring-cloud-config/single/spring-cloud-config.html#_encryption_and_decryption
There is at least one issue there as key-store is called keystore but I haven't found someplace without that same issue to base my work on.
Only similar issue I found is
unable to decrypt from spring config server / cleint
but there are no responses there.
I have done the following
Installed Full-strength JCE
Added this dependancy to the pom
<groupId>org.springframework.security</groupId>
<artifactId>spring-security-rsa</artifactId>
I have two concerns. First I am trying to get it to work in Spring CLI like this:
1.- Create a key
keytool -genkeypair -alias mytestkey -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass letmein -keystore server.jks -storepass letmein
2.-Encrypt something as following works but I then will be able to decrypt it without using the password so I think that defeats the purpose.
spring encrypt mysecret --key #server.jks TEST
How are the commands for encrypting and decrypting suppose to be using the password?
I haven't been able to get it to work on my project but I believe the issue is center around how I created the key. I have configured the following in case someone sees another mistake.
Relevant part of my boostrap.yml
encrypt:
key-store:
location: server.jks
password: letmein
alias: mytestkey
secret: letmein
Relevant part of my application.yml
test:'{cipher}EncryptedValue got by Step 2'
This gets me the following error
Caused by: java.lang.UnsupportedOperationException: No decryption for FailsafeTextEncryptor. Did you configure the keystore correctly?
We have had some similar problems and were able to decrypt after using a later version of the jdk. I think it was specifically jdk-8u-151 that was giving us problems. Upgrading to a later jdk fixed the issue. Hope that helps!!
I want to enable SSL for my spring boot application.
I generated a keystore with this command:
keytool -genkey -alias myapp -keyalg RSA -keystore tomcat.keystore
application.properties contains:
server.port = 8443
server.ssl.key-store = classpath:tomcat.keystore
server.ssl.key-store-password = ###
server.ssl.key-password = !&*
server.ssl.enabled=true
First I had created JKS key store with this command:
keytool -genkey -alias tomcat -keystore keystore.jks -validity 3650
But I received error when visited https://localhost:8443:
This site can’t provide a secure connection
localhost uses an unsupported protocol.
Why it's working now and not then ?
I have a few other questions:
1.I looked at a few tutorials and they all suggested to put the keystore file in src/main/resources. Is this really a good idea?
2.What is the key-store-password? what is the key-password?
3.Is this all we have to do to enable SSL ? what about crt and cer files? where are they used ?
About localhost uses an unsupported protocol. make sure the server is supporting a cipher which client can support.
This site can’t provide a secure connection, the message could be becasue the connection is not trusted! of course. here you would simply tell the client to ignore it.
You also set an alias in your JKS file, make sure you tell the server to load the correct alias.
placing the JKS in src/main/resources could be a good practice, but not essential, just make sure it's safe and accessible.
crt and cer are not required explicitly for java, but once you get a signed certificate by a CA, you would import the cert into the JKS to let the server finds the intermediate and root certs(if exists, root is not essential)
Once you generate a key by keytool, just keep the file safe. You need to generate the CSR value, also the same jKS is needed for trusted cert importing.
I also suggest to get some hand of OpenSSL(if possible) over JSSE.
I've downloaded apache james 2.3.2. At the moment I just want to get it working on localhost with ssl encyption (but I know very little about ssl). Initially I managed to get it running, create accounts (by running james-2.3.2/bin/run.bat) and connect to these account using mozilla thunderbird mail client. The trouble comes when I try to create a self signed ssl certificate. I have tried two different methods.
running keytool -genkeypair creates a keystore in .keystore
in my home directory and
running keytool -genkeypair -alias certificate -keystore
my_keystore.pfx -storepass password -validty 365 -keyalg RSA
-keysize 2048 -storetype pkcs12 creates a keystore in my_keystore.pfx.
james-2.3.2 will accept the .keystore but Thunderbird won't and Thunderbird will accept my_keystore.pfx but James throws exceptions. I think the error might be in the james-2.3.2/apps/james/SAR-INF/conf.xml file.
<sockets>
<server-sockets>
<factory name="plain" class="org.apache.avalon.cornerstone.blocks.sockets.DefaultServerSocketFactory"/>
<factory name="ssl" class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory">
<ssl-factory>
<keystore>
<file>conf/my_keystore.pfx</file>
<password>password</password>
<key-password>password</key-password>
<type>PKCS12</type>
<protocol>TLS</protocol>
<algorithm>SHA256withRSA</algorithm>
<authenticate-client>false</authenticate-client>
</keystore>
</ssl-factory>
</factory>
</server-sockets
When i try to run james again from the batch file I get NoSuchAlgorithException. Have tried using allsorts for the algorithm tag instead of SHA256withRSA but nothing seems to work. If anyone knows the answer I'd be greatfull. Also if anyone knows how to turn on the logging so I can see it in the log file that too would be helpfull.
sunjce_provider.jar has to be copied from the JRE lib folder to the lib folder in James. James will then accept the .pfx file if the algorithm tag is left as the default SunX509. I spotted this nugget of information in the comments of the config xml file.