IBM Support

"java.security.UnrecoverableKeyException: Cannot recover key" exception occurs after importing or replacing a keystore in WebSphere Application Server

Troubleshooting


Problem

After a new certificate is generated (such as a certificate from a certificate authority (CA)) and the new keystore is applied, errors begin to occur indicating that the key (certificate) in the keystore cannot be recovered. Restarts of the IBM® WebSphere® Application Server instance can also fail.

Symptom

Errors seen upon restart, or otherwise during these events, indicate that the key, or certificate, cannot be recovered. The errors can alternatively indicate that the keystore password is incorrect.
The errors can be embedded within other operations, depending on which component tried to access the keystore at the time. Messages can also differ between WebSphere Application Server and WebSphere Liberty.
The main message to look for is "java.security.UnrecoverableKeyException: Cannot recover key", or simply "Cannot recover key".
If you are having issues that do not include the specific error "Cannot recover key", you might be running into a different issue described in this other technote:
Troubleshooting: Unable to open PKCS12 keystores due to an UnrecoverableKeyException
Examples
  • ORBX0390E: Cannot create listener thread. Exception=[ org.omg.CORBA.INTERNAL: CAUGHT_EXCEPTION_WHILE_CONFIGURING_SSL_SERVER_SOCKET, Exception=com.ibm.websphere.ssl.SSLException: java.security.UnrecoverableKeyException: Cannot recover key  vmcid: 0x31415926  minor code: 77  completed: No - received while attempting to open server socket on port 31415].
  • CWWSS5312E: The Application Server cannot retrieve the 'myCert' key from the '/var/keystores/key.jks' keystore. The following exception occurred: java.security.UnrecoverableKeyException: Cannot recover key

Enabling the MustGather to capture TLS traces provides more detail on the errors.
Tracing from other components, or FFDC files, might reveal further details beyond what the basic error message shows.
More Examples
  • [3/14/15 3:14:15:000 UTC] 00000001 AbstractJSSEP 3   Cannot recover key: invalid password for file '/var/keystores/key.jks'
    [3/14/15 3:14:15:000 UTC] 00000001 AbstractJSSEP 3   Exception caught during init, java.security.UnrecoverableKeyException: Cannot recover key
    [3/14/15 3:14:15:020 UTC] 00000001 JSSEHelper    <  The following exception occurred in getSSLContext(). Exit
                                     java.security.UnrecoverableKeyException: Cannot recover key
        at com.ibm.crypto.provider.C.recover(Unknown Source)
        at com.ibm.crypto.provider.JavaKeyStore.engineGetKey(Unknown Source)
        at java.security.KeyStore.getKey(KeyStore.java:1034)
        at com.ibm.jsse2.az.<init>(az.java:74)
        at com.ibm.jsse2.ah$a.engineInit(ah$a.java:19)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:11)
        at com.ibm.ws.ssl.provider.AbstractJSSEProvider.getKeyTrustManagers(AbstractJSSEProvider.java:552)
        at com.ibm.ws.ssl.provider.AbstractJSSEProvider.generateNewSSLContext(AbstractJSSEProvider.java:220)
        at com.ibm.ws.ssl.provider.AbstractJSSEProvider.getSSLContext(AbstractJSSEProvider.java:202)
        at com.ibm.websphere.ssl.JSSEHelper.getSSLContext(JSSEHelper.java:763)
  • UnrecoverableKeyException encountered. Key password is probably incorrect.
  • CWPKI0813E: Error while trying to initialize the keymanager for the keystore [/var/keystores/key.jks]. The private key password is not correct or the keystore has multiple private keys with different passwords. This keystore can not be used for SSL. Exception message is: [Cannot recover key].
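The CWPKI0813E message above names the usual cause: the private key entry was stored with a password that differs from the keystore password (or several key entries carry different passwords), and WebSphere opens every private key with the keystore password, as the `java.security.KeyStore.getKey` frame in the trace shows. The following preflight check is an added example, not code from IBM or from the product; it reproduces that behaviour so that a keystore can be verified before it is referenced from the server configuration. The class name, the command-line arguments and the `/var/keystores/key.jks` path are assumed for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

/**
 * Preflight check for a keystore before it is applied to WebSphere
 * (added example, not IBM code). It loads the file with the store
 * password and then tries to recover every private-key entry with that
 * SAME password, which is what the server's key manager does when it
 * calls KeyStore.getKey during SSLContext initialisation.
 *
 * Usage (path, type and password are placeholders):
 *   java KeyStorePreflight /var/keystores/key.jks JKS storePassword
 */
public class KeyStorePreflight {

    /** Returns the number of private-key entries that could NOT be recovered. */
    public static int checkKeys(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            // A wrong store password fails here; a wrong key password fails below.
            ks.load(in, storePass);
        }
        int failures = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries have no private key to recover
            }
            try {
                ks.getKey(alias, storePass); // same password the key manager uses
                System.out.println("OK      " + alias);
            } catch (UnrecoverableKeyException e) {
                // Exactly the exception reported in CWWSS5312E / CWPKI0813E.
                failures++;
                System.out.println("FAILED  " + alias + " : " + e.getMessage());
            }
        }
        return failures;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeyStorePreflight <keystore> <JKS|PKCS12> <storePassword>");
            System.exit(2);
        }
        int bad = checkKeys(args[0], args[1], args[2].toCharArray());
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

A non-zero exit status means the server would hit "Cannot recover key" on this file. For a JKS keystore the entry password of a failing alias can be aligned with the store password using `keytool -keypasswd -keystore <file> -alias <alias>`, after which the check should report every key entry as OK.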

Document Location

Worldwide



Document Information

Modified date:
03 March 2025

UID

ibm16826703