
Problem


Starting the Edge Encryption Proxy fails and one of the following errors appears in $proxy_installation_location/logs/edgeencryption.log:

2018-03-07 07:39:45,611 ERROR Error occured during proxy startup: Error reading keystore file keystore.jceks: Keystore was tampered with, or password was incorrect 

2018-03-07 07:40:20,834 ERROR Error occured during proxy startup: Unable to resolve certificate for <certificate alias name>. Ensure that the certificate alias exists and its password is the same as that of its keystore.

2018-03-07 07:22:38,085 ERROR Error occured during proxy startup: Failed to read the certificate: <certificate alias name>

2018-03-07 09:04:50,925 ERROR Error occured during proxy startup
java.security.UnrecoverableKeyException: Given final block not properly padded
            at com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:187)
            at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:129)
            at java.security.KeyStore.getKey(Unknown Source)
            at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
            at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
            at javax.net.ssl.KeyManagerFactory.init(Unknown Source)
            at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1067)
            at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:300)
            at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
            at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
            at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
            at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
            at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
            at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
            at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:268)
            at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
            at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
            at org.eclipse.jetty.server.Server.doStart(Server.java:401)
            at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
            at com.snc.edgeencryption.proxy.CloudEdgeProxyServer.start(CloudEdgeProxyServer.java:221)
            at com.snc.edgeencryption.CloudEdge.start(CloudEdge.java:155)
            at com.snc.edgeencryption.Main.main(Main.java:30)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
            at java.lang.reflect.Method.invoke(Unknown Source)
            at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:240)
            at java.lang.Thread.run(Unknown Source)

Cause


Any of the above errors results if one of the keys (aliases) in the Edge Proxy keystore file has a different password from the keystore itself.

 

Resolution


As stated in the Edge Encryption documentation:

https://docs.servicenow.com/bundle/kingston-servicenow-platform/page/administer/edge-encryption/task/t_SetUpSecureSSLConnection.html 
 
Make sure that the private key password is the same as the Java KeyStore password.
 
This means that the passwords for all of the keystore's keys (aliases) must match the keystore's password. 
 
For example, suppose there are two SSL keys called ssl_alias1 and ssl_alias2 in the keystore, and edgeencryption.properties is configured as follows:
 
edgeencryption.proxy.https.keystore.path = keystore/keystore.jceks
edgeencryption.proxy.https.keystore.password = alias2
edgeencryption.proxy.https.cert.alias = ssl_alias2
 
This points the proxy at the ssl_alias2 key (alias) for SSL, using ssl_alias2's correct password, alias2. Both the alias and the password are correct in the edgeencryption.properties file, but if the ssl_alias1 key (alias) and the keystore itself use the password changeme, you will see one of the errors listed above.
 
For this to work, if there is any mismatch across the keystore file, you must change the passwords of all of the keys (aliases) and of the keystore so that they are the same.
 
This can be done using the Java keytool; refer to the Java keytool documentation.
 
 
Remember the rule: all keys in a keystore should have the same password as the keystore.

Example on how to change the keystore password using keytool - the keystore is called keystore.jceks:

$ keytool -storepasswd -keystore keystore.jceks -storetype jceks
Enter keystore password: changeme
New keystore password: changemenew
Re-enter new keystore password: changemenew
 
 
Example on how to change the key (alias) password using keytool - the keystore is called keystore.jceks, the key (alias) is called ssl_alias2:
 
$ keytool -keypasswd -keystore keystore.jceks -alias ssl_alias2 -storetype jceks
Enter keystore password: changemenew
Enter key password for <ssl_alias2>: alias2
New key password for <ssl_alias2>: changemenew
Re-enter new key password for <ssl_alias2>: changemenew
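After changing the passwords, you can confirm that every key entry in the keystore unlocks with the keystore password, which is the same KeyStore.getKey call the proxy makes at startup (see the stack trace above). The following program is an added example, not part of this article or of the Edge Encryption Proxy; the class name KeystorePasswordCheck and the helper mismatchedAliases are hypothetical, and when run without arguments it builds a constructed in-memory JCEKS store with secret-key entries standing in for the SSL private keys, since both entry types go through the same key-protector password check.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;

/** Lists key entries whose password differs from the keystore password. */
public class KeystorePasswordCheck {
    /** Returns the aliases that cannot be recovered with storePass (hypothetical helper). */
    public static List<String> mismatchedAliases(KeyStore ks, char[] storePass)
            throws Exception {
        List<String> bad = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // trusted-cert entries have no key password
            try {
                // Same call the proxy reaches via SunX509KeyManagerImpl -> KeyStore.getKey
                ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException ex) {
                bad.add(alias);  // KeyProtector rejected storePass for this entry
            }
        }
        return bad;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        char[] storePass;
        if (args.length == 2) {
            // Usage: java KeystorePasswordCheck keystore/keystore.jceks <store password>
            storePass = args[1].toCharArray();
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, storePass); }
        } else {
            // Constructed in-memory keystore reproducing the article's scenario:
            // store password changeme, ssl_alias1 uses changeme, ssl_alias2 uses alias2.
            storePass = "changeme".toCharArray();
            ks.load(null, storePass);
            KeyStore.SecretKeyEntry k = new KeyStore.SecretKeyEntry(
                    new SecretKeySpec(new byte[16], "AES"));
            ks.setEntry("ssl_alias1", k, new KeyStore.PasswordProtection(storePass));
            ks.setEntry("ssl_alias2", k, new KeyStore.PasswordProtection("alias2".toCharArray()));
        }
        System.out.println("Key entries not unlockable with the store password: "
                + mismatchedAliases(ks, storePass));
    }
}
```

Any alias reported by the check will cause the proxy to fail at startup until its key password is changed to match the keystore password with keytool -keypasswd as shown above.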

Article Information

Last Updated:2018-03-14 11:28:04
Published:2018-03-14