CAST AIP - SSL - Errors - Alias name does not identify a key entry

This message appears in the log when you are setting up SSL (where xxxx is the alias you have set up):

Alias name [xxxx] does not identify a key entry

 

Example of log:

 

Caused by: java.lang.IllegalArgumentException: Alias name [cast] does not identify a key entry

at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1313) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:614) ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072) ~[tomcat-embed-core-9.0.63.jar!/:na]

 

 

Observed in CAST AIP

Release    Yes/No
8.3.x      Yes

 

 

Observed in RDBMS

RDBMS      Yes/No
CSS        Yes

 

 

Step by Step scenario

Encountered error in logs

 

Action Plan

 

The issue normally occurs because the entry stored in the Java keystore under that alias is a certificate-only entry, while the configuration requires the entry to be a certificate/key pair in the Java keystore.

This can happen if you were provided a key and a certificate separately (normally as a *.pem file and a *.crt file).

The best solution is to go back to the person who provided these files and get a *.pk7 format file and passphrase, which would have both the key and certificate in the file, and then import this into the keystore.

Otherwise, you need access to the openssl tool to do something like the following (see Secure Socket Layer (SSL) Tools for information on keytool and openssl):

 

  • Convert the key and certificate to a *.p12 type using the openssl tool:
    • openssl pkcs12 -export -name cast -in in/file.cer -inkey in/key.pem -out out/keystore.p12
  • Then run this keytool command (the source keystore password is the password you gave above; the destination keystore password is the one for cacerts):
    • keytool -importkeystore -destkeystore "C:\Program Files\Java\jdk-11.0.16\lib\security\cacerts" -srckeystore "C:\temp\keystore.p12" -srcstoretype pkcs12 -alias cast
    • You may get a warning about migrating from a jks keystore to a pkcs12 keystore.
  • Then when you list entries in the keystore, you should see one which has both the key and certificate:
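
One way to check the result of the listing step, as an added example that is not part of the original article or of CAST's tooling: this Python script reads saved `keytool -list` output and reports whether an alias is a PrivateKeyEntry (key and certificate) or a trustedCertEntry (certificate only). The sample listing, the `fixed` alias and the function names are constructed for illustration, and the line format assumes keytool's English-locale output.

```python
import re
import sys

# One `keytool -list` summary line looks like this (English locale assumed):
#   cast, Jan 5, 2023, trustedCertEntry,
ENTRY_RE = re.compile(r"^(?P<alias>.+?), .*?(?P<type>\w+Entry),\s*$")


def entry_types(listing):
    """Map each alias (lower-cased) to the entry type keytool reports."""
    found = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found[m.group("alias").lower()] = m.group("type")
    return found


def check_alias(listing, alias):
    """Return 'ok', 'cert-only', 'missing' or 'other' for the alias."""
    kind = entry_types(listing).get(alias.lower())
    if kind is None:
        return "missing"      # alias is not in this keystore at all
    if kind == "PrivateKeyEntry":
        return "ok"           # key and certificate stored together
    if kind == "trustedCertEntry":
        return "cert-only"    # the case behind "does not identify a key entry"
    return "other"


# Constructed sample listing; fingerprints are placeholders, not real values.
SAMPLE = """\
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

cast, Jan 5, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
fixed, Jan 6, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
"""

if __name__ == "__main__":
    # Real use: keytool -list -keystore <keystore> > listing.txt
    #           python check_alias.py listing.txt cast
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE
    alias = sys.argv[2] if len(sys.argv) > 2 else "cast"
    print(alias, "->", check_alias(text, alias))
```

A result of `cert-only` for the configured alias matches the error above; after the import steps it should report `ok`.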

 

If the above steps do not solve your issue, contact CAST Technical Support with the following relevant input.

 

Relevant input

  • CAST Log file
  • A detailed list of the steps done
  • Screenshots from part of AIP showing the issue 

 

Ticket # 38360

 

 

 

 
