Automic Workload Automation

  • 1.  JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 08-24-2021 10:41 AM

    We are trying for the first time to enable SSL for the Java Communications Process (JCP). We followed the instructions on the documentation page installing the JCP: we obtained a server certificate, added it to a new keystore, and configured the AE server INI file. When we try to start the JCP, we see the following error message:

    20210824/115119.120 - 44     U00045101 The alias "jetty" does not exist in the keystore 'keystore'.
    20210824/115124.136 - 131    U00003432 Termination of Server 'AE_EXP2#CP001' initiated.
    20210824/115124.139 - 131    U00045014 Exception 'java.lang.InterruptedException: "null"' at 'java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos():2067'.

    I thought the JCP might be looking for a key with the specific alias jetty, so I tried again, importing the server certificate to the keystore using that alias. This did not help.

Has anyone seen error U00045101 before? Has anyone gotten SSL working with the JCP?


  • 2.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 08-25-2021 01:19 AM
    Edited by Marcin Uracz 08-25-2021 01:19 AM
    Hi Michael,
I have set up the JCP with internal CA certificates, even with certs coming from Let's Encrypt  ;)  The only trick is, as you stated before, the certificate needs to be created / added with the "jetty" alias. Other than that it was always plug and play.

    Maybe something got messed up during the import?


    ------------------------------
    Cheers,
    Marcin

    ------------------------------



  • 3.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Broadcom Employee
    Posted 08-25-2021 02:09 AM
    Please verify the alias jetty in the keystore and also the keystore type.
    Also check whether the full path to the keystore is specified in the INI file.

    https://knowledge.broadcom.com/external/article/204423/jcp-not-working-since-implementing-https.html

    Cheers
    Frank


  • 4.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 08-25-2021 03:29 AM
    Edited by Michael A. Lowry 08-25-2021 04:05 AM
    I tried all of the above, but I still get the same error.

    U00045101 The alias "jetty" does not exist in the keystore '/opt/uc4/server/keystore.p12'.

I suspect that the certificate must also be created in PKCS12 format. The certificates I have were created in PKCS10 format and it seems that the keytool program is unable to create a PKCS12 format keystore based on the PKCS10 certificates I have. Even if I specify -storetype PKCS12, the keystore written ends up in JKS format.

    I have requested new certificates in PKCS12 format. I will try again once I have them.


  • 5.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 08-27-2021 03:32 AM
    The Oracle documentation page for keytool indicates that the default type is specified by the keystore.type property in the Java security properties file $JAVA_HOME/../lib/security/java.security. I confirmed that this property was set to JKS in our environment. I was able to create a PKCS12 keystore only by first changing keystore.type to pkcs12.

(Further complicating matters, I also found that the keytool program does not reliably report the type of the keystore file. In my testing, the program appeared to report only the value of keystore.type in java.security, regardless of the type of the keystore.)

    Once I figured that out, I tried creating a keystore with a self-signed certificate, just as a quick test.
    $ keytool -genkey -alias jetty -keyalg RSA -keystore keystore -storepass XXXXXXXX
    What is your first and last name?
      [Unknown]:
    What is the name of your organizational unit?
      [Unknown]:
    What is the name of your organization?
      [Unknown]:
    What is the name of your City or Locality?
      [Unknown]:
    What is the name of your State or Province?
      [Unknown]:
    What is the two-letter country code for this unit?
      [Unknown]:
    Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  y
    $ keytool -list -keystore ./keystore -storepass XXXXXXXX -v

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    Alias name: jetty
    Creation date: Aug 25, 2021
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: d54702
    Valid from: Wed Aug 25 15:56:20 CEST 2021 until: Tue Nov 23 14:56:20 CET 2021
    Certificate fingerprints:
             MD5:  9E:BB:BE:64:48:FC:5E:F7:70:E7:51:01:24:DA:BC:DF
             SHA1: AB:54:2A:EB:03:CA:47:36:AC:89:52:C5:C9:05:95:B9:7A:CE:FE:D5
             SHA256: 0B:A1:45:5B:51:16:A0:DA:1C:B3:0D:47:3C:57:8E:33:71:24:AE:8E:B2:33:C6:7B:F8:83:22:33:92:41:6F:BD
             Signature algorithm name: SHA256withRSA
             Version: 3

    Extensions:

    #1: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: D1 C1 46 DC 13 AB D8 AF   B4 5E 93 38 B1 A1 55 BD  ..F......^.8..U.
    0010: BE 6E 24 37                                        .n$7
    ]
    ]

    *******************************************
    *******************************************

    I then tried to start the JCP. It failed with these exceptions:

    20210825/160011.162 - 46     U00045014 Exception 'java.security.UnrecoverableKeyException: "Get Key failed: Given final block not properly padded"' at 'sun.security.pkcs12.PKCS12KeyStore.engineGetKey():410'.
    20210825/160011.166 - 46     U00045015 The previous error was caused by 'javax.crypto.BadPaddingException: "Given final block not properly padded"' at 'com.sun.crypto.provider.CipherCore.doFinal():989'.
    An error message from keytool states that for PKCS12 format keystores, the keystore password and key password must match.

    Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.

    So next I tried something new. Up until then I had been specifying just keystorePassword in the ucsrv.ini file. I decided to add keyPassword as well, and to set it to the same value. Suddenly, it started working with the self-signed certificate.

    I have now received the official certificate, and I will post an update when I have had a chance to test it.
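
    As an added example (not code from this thread, from Broadcom's documentation, or from the Automic product), here is a POSIX shell script that covers the checks Frank lists in reply 3 and the findings in reply 5: a PKCS#12 keystore whose private key sits under alias "jetty", a keystore-type check that reads the file header instead of trusting keytool -list, an absolute-path check, and a check that the private key opens with the same password as the store. It assumes openssl and keytool are on PATH for the build and verify steps; the function names, the CN jcp.example.test and the password changeit are my own and not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Broadcom: build a PKCS#12
# keystore for the JCP and check the things that produced the errors above.
# Assumptions: openssl and keytool on PATH for the build/verify steps; the JCP
# wants the server key under alias "jetty"; store and key password must match
# (PKCS#12 allows only one). Function names, CN and password are my own.

# Report the keystore format from its first bytes instead of trusting
# "keytool -list", which can just echo keystore.type from java.security.
# JKS starts with magic 0xFEEDFEED, JCEKS with 0xCECECECE; PKCS#12 is DER, so
# it starts with the ASN.1 SEQUENCE tag 0x30.
keystore_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Package an existing PEM key and certificate chain (leaf first) as PKCS#12
# under alias "jetty". openssl writes PKCS#12 whatever keystore.type says.
# $1 key.pem  $2 chain.pem  $3 output .p12  $4 password (store and key)
build_jetty_keystore() {
    openssl pkcs12 -export -name jetty -inkey "$1" -in "$2" \
        -out "$3" -passout "pass:$4"
}

# Verify what reply 3 asks for: absolute path, PKCS#12 type, alias "jetty",
# and that the private key opens with the same password the store uses
# (the "Given final block not properly padded" case from reply 5).
# $1 absolute path to .p12  $2 password
check_jetty_keystore() {
    ks=$1; pw=$2
    case "$ks" in
        /*) ;;
        *)  echo "keystore path is not absolute: $ks" >&2; return 1 ;;
    esac
    [ -r "$ks" ] || { echo "cannot read $ks" >&2; return 1; }
    ktype=$(keystore_type "$ks")
    [ "$ktype" = PKCS12 ] || { echo "keystore is $ktype, not PKCS12" >&2; return 1; }
    keytool -list -keystore "$ks" -storetype PKCS12 -storepass "$pw" \
            -alias jetty >/dev/null 2>&1 \
        || { echo "alias jetty missing or wrong store password" >&2; return 1; }
    # Extract the private key with the same password; a mismatch fails here.
    openssl pkcs12 -in "$ks" -nocerts -nodes -passin "pass:$pw" \
            -out /dev/null >/dev/null 2>&1 \
        || { echo "private key does not open with the store password" >&2; return 1; }
    return 0
}

# Stand-alone demo with a throwaway self-signed pair; skipped if tools are absent.
demo() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj '/CN=jcp.example.test' \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 || return 1
    build_jetty_keystore "$tmp/key.pem" "$tmp/cert.pem" "$tmp/keystore.p12" changeit \
        || return 1
    check_jetty_keystore "$tmp/keystore.p12" changeit && echo "keystore OK"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    demo || echo "demo failed (see messages above)"
fi
```

    Point the AE server INI at the absolute path of the resulting .p12 and, as reply 5 found, set both keystorePassword and keyPassword in ucsrv.ini to the value passed as the fourth argument; the section and the other key names are not shown in this thread, so take them from the KB article linked in reply 3.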



  • 6.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 08-27-2021 08:12 AM

    Or, alternatively, change the alias afterwards.

    Change the alias to jetty:
    keytool -changealias -keystore xxxxxxxxx.p12 -alias xxx -destalias jetty




  • 7.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 09-01-2021 06:25 AM
    Edited by Michael A. Lowry 09-20-2021 08:20 AM

    After a bit of experimentation, I was able to get it working using the instructions in KB article 94420 How to implement HTTPS for JCP. These instructions contain several superfluous steps that initially caused some confusion. Below are my updated instructions that omit unnecessary steps and include more detailed descriptions.



    Update 2021.09.20: I moved the instructions to a stand-alone thread:

    Enabling SSL for the JCP


    I suggest that Broadcom update the JCP installation instructions in the official documentation, so that other customers are able to get up and running with HTTPS more quickly.

    Ping @Elina McCafferty



  • 8.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 09-01-2021 06:27 AM
    As usual, Higher Logic destroyed much of the formatting I had painstakingly done. I have neither the time nor the patience to fix it. Ugh.


  • 9.  RE: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.

    Posted 09-01-2021 06:31 AM
    Jive was a joy to use. It just worked and was a joy to use because it just got out of your way and encouraged writing and collaboration.

    Higher Logic on the other hand appears to have been specifically designed to discourage any sort of effort. You can try, but you'll probably be disappointed. Why bother?