java.security.UnrecoverableKeyException: Password verification failed
Recent Changes
Changed the password for an AM/OpenAM keystore or truststore.
Renewed expired certificates.
Causes
Most likely there's a mismatch between the key passphrase and keystore passphrase.
This can also happen if you have a site configuration and have made changes to your certificate or passwords but not copied the files to all servers in the site.
Solution
This issue can be resolved by synchronizing the passwords using the keytool command:
- Update .storepass or .keypass respectively with the new password to ensure they match. You should also ensure they match on all servers if you have a site configuration. For example, you can use keytool commands such as the following depending on your keystore format:
- JCEKS format:
  $ keytool -storepasswd -new newpassword -keystore keystore.jceks -storetype JCEKS
  $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jceks -storetype JCEKS
- JKS format:
  $ keytool -storepasswd -new newpassword -keystore keystore.jks
  $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jks
- Restart the web application container in which AM/OpenAM runs to apply the changes.
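To confirm that the password files really unlock the keystore and its keys before restarting, the check can be run directly against the files. The following Java program is an added example, not ForgeRock code or part of the original article; it assumes .storepass and .keypass hold the passwords as plain text, and the class name KeystorePassCheck is hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/** Added diagnostic example: checks .storepass and .keypass against a keystore. */
public class KeystorePassCheck {
    // Assumption: the file holds the password as plain text; surrounding whitespace is trimmed.
    static char[] readPass(String file) throws IOException {
        return new String(Files.readAllBytes(Paths.get(file)), StandardCharsets.UTF_8)
                .trim().toCharArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystorePassCheck <keystore> <JCEKS|JKS> <.storepass> <.keypass>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            // A wrong store password fails the integrity check: load() throws an
            // IOException whose cause is an UnrecoverableKeyException.
            ks.load(in, readPass(args[2]));
        } catch (IOException e) {
            if (!(e.getCause() instanceof UnrecoverableKeyException)) throw e; // e.g. missing file
            System.out.println("STORE PASSWORD MISMATCH: " + e.getCause().getMessage());
            System.exit(1);
        }
        char[] keyPass = readPass(args[3]);
        int bad = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // certificate entries have no key password
            try {
                ks.getKey(alias, keyPass);
                System.out.println("ok        " + alias);
            } catch (UnrecoverableKeyException e) {
                bad++; // the key password in .keypass does not open this entry
                System.out.println("MISMATCH  " + alias + " (" + e.getMessage() + ")");
            }
        }
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

The program never prints the passwords themselves; in a site configuration, run it against the files on each server and compare the results.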
Default keystore details - AM 5 and later; OpenAM 13.5.x
After installing AM/OpenAM, a default keystore is available in /path/to/openam/security/keystores/keystore.jceks (AM 7 and later) or /path/to/openam/openam/keystore.jceks (Pre-AM 7). The default password is changeit and is stored in /path/to/openam/security/secrets/default/.storepass (AM 7 and later) or /path/to/openam/openam/.storepass (Pre-AM 7).
This keystore contains multiple default test aliases; the exact test aliases included vary by version as shown in the documentation:
- AM 7 - Security Guide › About the Default Keystores and Secret Stores
- AM 6.5 - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
- AM 6 - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
- AM 5.x - Setup and Maintenance Guide › JCEKS and JKS Keystore Comparison
- OpenAM 13.5 - Administration Guide › JCEKS and JKS Keystore Comparison
See Security Guide › Configuring Secrets, Certificates, and Keys for further information.
Default keystore details - OpenAM 13
After installing OpenAM, a default keystore is available in the OpenAM configuration directory /path/to/openam/openam/keystore.jks. The default password is changeit and is stored in /path/to/openam/openam/.storepass. The only key in this keystore is for a self-signed certificate (default alias: test). The default password is also changeit and is stored in /path/to/openam/openam/.keypass.