CA WCC login page does not show up after switching to SSL mode and/or importing private-signed SSL certificates.

Document ID : KB000045488
Last Modified Date : 14/02/2018

Issue:

CA Workload Control Center login page does not load after switching to SSL mode and/or importing private-signed SSL certificates.

The %CA_WCC_INSTALL_LOCATION%\log\CA-wcc.log has the following Java exceptions logged:

INFO   | jvm 1    | <DATESTAMP> |  org.apache.coyote.AbstractProtocol init
INFO   | jvm 1    | <DATESTAMP> | SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
INFO   | jvm 1    | <DATESTAMP> | java.io.IOException: Alias name tomcat does not identify a key entry
...
...
INFO   | jvm 1    | <DATESTAMP> |  org.apache.catalina.core.StandardService initInternal
INFO   | jvm 1    | <DATESTAMP> | SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
INFO   | jvm 1    | <DATESTAMP> | org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
...
...
INFO   | jvm 1    | <DATESTAMP> | Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
INFO   | jvm 1    | <DATESTAMP> |     at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
INFO   | jvm 1    | <DATESTAMP> |     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
INFO   | jvm 1    | <DATESTAMP> |     ... 18 more
INFO   | jvm 1    | <DATESTAMP> | Caused by: java.io.IOException: Alias name tomcat does not identify a key entry
INFO   | jvm 1    | <DATESTAMP> |     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:531)
INFO   | jvm 1    | <DATESTAMP> |     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:469)

Environment:

CA Workload Control Center 11.3.x, 11.3.x, 11.4 SPx

Cause:

The Java exception "java.io.IOException: Alias name tomcat does not identify a key entry" occurs when the imported private-signed certificate (from the Certificate Authority vendor) was generated without the "tomcat" alias.

 

Resolution:

Ensure that the server key and the certificate signing request (CSR) provided to the Certificate Authority vendor were generated with the alias "tomcat".

Follow the KB article "How-To: Use private signed SSL certificates with CA Workload Control Center" (TEC1380954) to implement private SSL certificates in CA WCC.
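To confirm the alias before restarting WCC, the following added example (not part of the CA article or CA tooling) classifies how "tomcat" is stored in a keystore by reading `keytool -list` output. The function names, the "wcc-server" alias and the sample listings are constructed for illustration; the keystore path is whatever your installation uses.

```shell
#!/bin/sh
# Added example. Tomcat's SSL connector needs its alias to be a PrivateKeyEntry
# (private key + certificate chain). A certificate-only entry, or no entry at
# all, produces "Alias name tomcat does not identify a key entry".
# Real use (KEYSTORE is a placeholder for your keystore path):
#   keytool -list -keystore "$KEYSTORE" | check_connector_alias tomcat

# classify_alias ALIAS: reads `keytool -list` output on stdin and prints
# PrivateKeyEntry | trustedCertEntry | SecretKeyEntry | missing
classify_alias() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')  # JKS lowercases aliases
    awk -v want="$want" '
        # Entry lines look like: "<alias>, <date>, <EntryType>,"
        match($0, /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)/) {
            alias = $0
            sub(/,.*/, "", alias)          # alias is the text before the first comma
            if (tolower(alias) == want) { found = substr($0, RSTART, RLENGTH); exit }
        }
        END { print (found == "" ? "missing" : found) }
    '
}

# check_connector_alias ALIAS: returns 0 only if the alias holds a private key
check_connector_alias() {
    kind=$(classify_alias "$1")
    case $kind in
        PrivateKeyEntry)  echo "OK: '$1' is a key entry"; return 0 ;;
        trustedCertEntry) echo "FAIL: '$1' holds only a certificate; the key pair lives under another alias or keystore"; return 1 ;;
        missing)          echo "FAIL: no entry named '$1' in this keystore"; return 1 ;;
        *)                echo "FAIL: '$1' is a $kind, not a key entry"; return 1 ;;
    esac
}

# Constructed listings (fingerprints replaced by placeholders).
# BAD: key pair was generated as "wcc-server", CA reply imported as "tomcat".
SAMPLE_BAD='Your keystore contains 2 entries

wcc-server, Feb 14, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>
tomcat, Feb 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>'
# GOOD: key pair and CSR were generated under "tomcat".
SAMPLE_GOOD='Your keystore contains 2 entries

rootca, Feb 14, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): <placeholder>
tomcat, Feb 14, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <placeholder>'

printf '%s\n' "$SAMPLE_BAD" | check_connector_alias tomcat || true
```

A "trustedCertEntry" result means the signed certificate was imported into a keystore that has no private key under that alias, so the CSR has to be regenerated from a key pair created as "tomcat".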

 

Additional Information:

A video demo of KB article TEC1380954 is available at "WCC: Browser Certificates - Using a private certificate".