Jive was a joy to use. It
and was a joy to use because it just got out of your way and encouraged writing and collaboration.
Higher Logic on the other hand appears to have been specifically designed to discourage any sort of effort. You can try, but you'll probably be disappointed. Why bother?
Original Message:
Sent: 09-01-2021 06:26 AM
From: Michael Lowry
Subject: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.
As usual, Higher Logic destroyed much of the formatting I had painstakingly done. I have neither the time nor the patience to fix it. Ugh.
Original Message:
Sent: 09-01-2021 06:24 AM
From: Michael Lowry
Subject: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.
After a bit of experimentation, I was able to get it working using the instructions in KB article 94420 How to implement HTTPS for JCP. These instructions contain several superfluous steps that initially caused some confusion. Below are my updated instructions that omit unnecessary steps and include more detailed descriptions.
Introduction
The Java Communications Process requires a PKCS12 keystore containing a client certificate with the alias jetty. If the certificate is not self-signed, then an appropriate trust chain must be included in the keystore.
Self-signed certificate
It's possible to create keystore with a self-signed certificate using a single keytool¹ command:
keytool -keystore ./httpsRESTKeyFile -alias jetty -genkey -keyalg RSA -sigalg SHA256withRSA
This will allow you to get up and running quickly, or to validate the HTTPS capability of the JCP on a test system. However, for production or customer-facing environments, it is important to use a certificate provided by a trusted certificate authority.
Certificate from a certificate authority (CA)
To use a certificate chain provided by a certificate authority, you will need to perform several additional steps. These are documented below.
Description of file names
File name | Description |
wildcard_company_local.pfx
| Certificate chain provided by a certificate authority. This file will typically contain the client certificate for the node running the JCP, a private key, and one or more CA certificates from the relevant certificate authority - either a public CA or one operated by your company. This chain of trust guarantees that the client certificate is genuine. |
wildcard_company_local.key
| Private key extracted from certificate chain. |
wildcard_company_local.crt
| Client certificate extracted from certificate chain. |
wildcard_company_local.pkcs12
| Temporary keystore containing client certificate and associated private key. |
httpsRESTKeyFile
| Final PKCS12 keystore file for use by the Java Communications Process (JCP). |
Instructions
1. (Optional) Validate the contents of the PKCS12 trust chain provided by the certificate authority (CA). The file typically contains several parts, including a private key, a root CA certificate, one ormore intermediary CA certificates, and the client certificate for the host where you will run the Java Communications Process (JCP).
openssl pkcs12 -in wildcard_company_local.pfx -info
Enter Import Password: <Enter the password provided with your certificate>
MAC Iteration 2000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
Bag Attributes
localKeyID: 01 00 00 00
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
friendlyName: MyCompanyServerAuthentication
Key Attributes
X509v3 Key Usage: 10
Enter PEM pass phrase: <For simplicity, use the same password>
Verifying - Enter PEM pass phrase: <Re-enter the same password again>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
PKCS7 Data
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/C=US/O=MyCompany/CN=MyCompany Root CA
issuer=/C=US/O=MyCompany/CN=MyCompany Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/C=US/O=MyCompany/CN=MyCompany Intermediary CA
issuer=/C=US/O=MyCompany/CN=MyCompany Root CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Certificate bag
Bag Attributes
localKeyID: 01 00 00 00
subject=/C=US/O=MyCompany/CN=ae-test.mycompany.com
issuer=/C=US/O=MyCompany/CN=MyCompany Intermediary CA
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
2. Extract the private key.
openssl pkcs12 -in ./wildcard_company_local.pfx -nocerts -out ./wildcard_company_local.key
Enter Import Password:
<Enter the password provided with your certificate>
MAC verified OK
Enter PEM pass phrase: <For simplicity, use the same password>
Verifying - Enter PEM pass phrase: <Re-enter the same password again>
3. Extract the client certificate.
openssl pkcs12 -in ./wildcard_company_local.pfx -clcerts -nokeys -out ./wildcard_company_local.crt
Enter Import Password: <Enter the password provided with your certificate>
MAC verified OK
4. Combine the private key and certificate into a single file.
openssl pkcs12 -inkey ./wildcard_company_local.key -in ./wildcard_company_local.crt -export -out ./wildcard_company_local.pkcs12
Enter pass phrase for ./wildcard_company_local_key: <Enter the same password as above>
Enter Export Password: <Use the same password as above>
Verifying - Enter Export Password: <Re-enter the same password as above>
5. Convert the combined key/certificate file to a PKCS12 keystore using the keytool¹ program.
keytool -importkeystore -srckeystore ./wildcard_company_local.pkcs12 -destkeystore ./httpsRESTKeyFile -srcstoretype PKCS12 -alias "1" -destalias "jetty"
Importing keystore ./wildcard_company_local.pkcs12 to ./httpsRESTKeyFile...
Enter destination keystore password: <Enter the same password as above>
Enter source keystore password: <Enter the same password as above>
Existing entry alias 1 exists, overwrite? [no]: yes
6. List out the keystore contents to confirm that all of the parts are there.
keytool -list -v -keystore ./httpsRESTKeyFile
Enter keystore password: <Enter the same password as above>
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: jetty
Creation date: Sep 1, 2021
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
...
Under the heading Extensions, you should typically see sections labeled AuthorityInfoAccess, AuthorityKeyIdentifier, CertificatePolicies, ExtendedKeyUsages, KeyUsage, SubjectAlternativeName, and SubjectKeyIdentifier.
Note
- To create a PKCS12 keystore using the keytool program, it may be necessary to first set
keystore.type
to pkcs12
in the Java security properties file $JAVA_HOME/../lib/security/java.security
. See the Oracle documentation page for keytool for more information.
I suggest that Broadcom update the JCP installation instructions in the official documentation, so that other customers are able to get up and running with HTTPS more quickly.
Ping @Elina McCafferty
Original Message:
Sent: 08-24-2021 10:41 AM
From: Michael Lowry
Subject: JCP error: U00045101 The alias "jetty" does not exist in the keystore 'keystore'.
We are trying for the first time to enable SSL for the Java Communications Process (JCP). We followed the instructions on the documentation page installing the JCP: we obtained a server certificate, added it to a new keystore, and configured the AE server INI file. When we try to start the JCP, we see the following error message:
20210824/115119.120 - 44 U00045101 The alias "jetty" does not exist in the keystore 'keystore'.
20210824/115124.136 - 131 U00003432 Termination of Server 'AE_EXP2#CP001' initiated.
20210824/115124.139 - 131 U00045014 Exception 'java.lang.InterruptedException: "null"' at 'java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.awaitNanos():2067'.
I thought the JCP might be looking for a key with the specific alias jetty, so I tried again, importing the server certificate to the keystore using that alias. This did not help.
Has anyone see error U00045101 before? Has anyone gotten SSL working with the JCP?