"The private key password is not correct or the keystore has multiple private keys with different passwords. This keystore can not be used for... Cannot recover" errors (in "messages.log") caused by using incorrect password for certificates/keys/keystores

Troubleshooting

Problem

Customer is trying to convert Controller Web to use HTTPS. Customer has used separate instructions (for example Technote #291423) to create certificates (keys) and import them into the Java keystores.

Afterwards, user launches Controller Web website but receives an error.

To diagnose the problem, administrator opens 'messages.log' file (inside fcmweb 'backend' folder). There are multiple errors in there.

Symptom

Example #1

messages.log

[8/25/20 13:48:48:377 CEST] 00000022 com.ibm.ws.ssl.config.WSKeyStore I Successfully loaded default keystore: C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks of type: JKS

[8/25/20 13:48:48:392 CEST] 00000022 com.ibm.ws.ssl.provider.AbstractJSSEProvider E CWPKI0813E: Error while trying to initialize the keymanager for the keystore [C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks]. The private key password is not correct or the keystore has multiple private keys with different passwords. This keystore can not be used for SSL. Exception message is: [Cannot recover key].

[8/25/20 13:48:48:424 CEST] 00000022 com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: An FFDC Incident has been created: "java.security.UnrecoverableKeyException: Cannot recover key: invalid password for key in file 'C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks' com.ibm.ws.ssl.provider.IBMJSSEProvider getKeyTrustManagers" at ffdc_20.08.25_13.48.48.0.log

[8/25/20 13:48:48:455 CEST] 00000022 com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: An FFDC Incident has been created: "java.security.UnrecoverableKeyException: Cannot recover key: invalid password for key in file 'C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks' com.ibm.ws.ssl.config.SSLConfigManager initializeServerSSL" at ffdc_20.08.25_13.48.48.1.log

[8/25/20 13:48:48:486 CEST] 00000032 com.ibm.ws.tcpchannel.internal.TCPChannel

Example #2 (German)

console.log

[ERROR ] CWPKI0813E: Fehler beim Initialisieren des Key-Managers für den Keystore C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks]. Das Kennwort für den privaten Schlüssel ist nicht korrekt oder der Keystore hat mehrere private Schlüssel mit verschiedenen Kennwörtern. Dieser Keystore kann nicht für SSL verwendet werden. Ausnahmenachricht: [Cannot recover key].

messages.log

[15.09.20 14:14:51:690 MESZ] 0000001d com.ibm.ws.ssl.config.WSKeyStore I Successfully loaded default keystore: C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks of type: JKS
[15.09.20 14:14:51:702 MESZ] 0000001d com.ibm.ws.ssl.provider.AbstractJSSEProvider E CWPKI0813E: Fehler beim Initialisieren des Key-Managers für den Keystore C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks]. Das Kennwort für den privaten Schlüssel ist nicht korrekt oder der Keystore hat mehrere private Schlüssel mit verschiedenen Kennwörtern. Dieser Keystore kann nicht für SSL verwendet werden. Ausnahmenachricht: [Cannot recover key].
[15.09.20 14:14:51:724 MESZ] 0000001d com.ibm.ws.logging.internal.impl.IncidentImpl I FFDC1015I: Es wurde ein FFDC-Vorfall erstellt: "java.security.UnrecoverableKeyException: Cannot recover key: invalid password for key in file 'C:/Program Files/ibm/cognos/ccr_64/fcmweb/wlp/usr/servers/fcm.web/resources/security/key.jks' com.ibm.ws.ssl.provider.IBMJSSEProvider getKeyTrustManagers"

Document Location

Worldwide

[{"Line of Business":{"code":"LOB76","label":"Data Platform"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SS9S6B","label":"IBM Cognos Controller"},"ARM Category":[{"code":"a8m0z000000GnFaAAK","label":"Controller WEB"}],"ARM Case Number":"TS004083872","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)"},{"Product":{"code":"SSMRTZ","label":"IBM Cognos Controller on Cloud"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB76","label":"Data Platform"}}]

Log InLog in to view more of this document

This document has the abstract of a technical article that is available to authorized users once you have logged on. Please use Log in button above to access the full document. After log in, if you do not have the right authorization for this document, there will be instructions on what to do next.

Tips

"The private key password is not correct or the keystore has multiple private keys with different passwords. This keystore can not be used for... Cannot recover" errors (in "messages.log") caused by using incorrect password for certificates/keys/keystores

Troubleshooting

Problem

Symptom

Document Location

Log InLog in to view more of this document

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?