GlassFish Server Fails to Start After New Server Certificate Added / Imported into KeyStore

(Doc ID 1288346.1)

Last updated on NOVEMBER 05, 2016

Applies to:

Oracle GlassFish Server - Version 2.1 and later
Information in this document applies to any platform.

Symptoms

GlassFish Server 2.x (Developer/Cluster profile) does not start up after a Private key is imported into the GlassFish Server 2.x keystore. The following errors are seen inside the GlassFish server.log and the server fails to start.

[#|2011-01-26T14:10:16.343-0000|WARNING|sun-appserver2.1|javax.enterprise.system.stream.err|_ThreadID=10;_ThreadName=main;_RequestID=bb69979d-293f-411e-9596-980e756a748c;|java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.sun.enterprise.server.PELaunch.main(PELaunch.java:415)
Caused by: java.lang.ExceptionInInitializerError
at com.sun.enterprise.security.SecurityLifecycle.onInitialization(SecurityLifecycle.java:101)
at com.sun.enterprise.server.ApplicationServer.onInitialization(ApplicationServer.java:262)
at com.sun.enterprise.server.ondemand.OnDemandServer.onInitialization(OnDemandServer.java:103)
at com.sun.enterprise.server.PEMain.run(PEMain.java:399)
at com.sun.enterprise.server.PEMain.main(PEMain.java:336)
... 5 more
Caused by: java.lang.IllegalStateException: java.security.UnrecoverableKeyException: Cannot recover key
at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:128)
... 10 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at com.sun.enterprise.security.SSLUtils.initKeyManagers(SSLUtils.java:320)
at com.sun.enterprise.security.SSLUtils.<clinit>(SSLUtils.java:106)
... 10 more
|#]



Changes

The problem may happen if

1. New Private Key is imported into the GlassFish server keystore (keystore.jks). For example, the keystore is added a new sts key as shown below.

# keytool -list -keystore keystore.jks
Enter keystore password: ******

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

sts, Jan 5, 2011, keyEntry,
Certificate fingerprint (MD5): F4:E3:A9:02:3C:B0:36:0C:C1:48:6E:0E:3E:5C:5E:84
s1as, Jan 3, 2011, keyEntry,
Certificate fingerprint (MD5): FE:9C:43:DE:2D:FB:D7:64:AB:4D:DC:8B:0B:4B:A8:36

This new private key "sts" has a different password for it's key than the keystore's store password when it is imported from some other keystore.


2. Alternatively, the above error may also happen if an "asadmin change-master-password" is made
    and the GlassFish keystore contains other application related private keys.

Cause

Sign In with your My Oracle Support account

Don't have a My Oracle Support account? Click to get started

My Oracle Support provides customers with access to over a
Million Knowledge Articles and hundreds of Community platforms