Store password errors seen after configuring SSL in Spectrum OneClick web server

Document ID : KB000049157
Last Modified Date : 14/02/2018

Description:

Scenario: The SSL configuration in the Spectrum OneClick web server is correct according to the user guide instructions, but when the web server starts, the web server log file contains errors referencing problems with the store password.

Solution:

When configuring the Spectrum OneClick tomcat web server for SSL, one of the primary steps is to activate the following section of the $SPECROOT/tomcat/conf/server.xml file by uncommenting it and updating the keystoreFile value.

The default values in the server.xml file for those variables are:

keystoreFile="C:/win32app/spectrum/custom/keystore/cacerts"

keystorePass="changeit"

If the keystorePass value has been customized, errors may then appear in the Spectrum OneClick tomcat web server log.

For example, let's say that you work for company ABC and have modified the storepass password to be:

keystorePass="ABC"

If that has been done the following error may be seen in the Spectrum OneClick tomcat web server log file (The log file is found in the $SPECROOT/tomcat/logs directory. On Windows systems it is named stdout.log and on Unix systems it is named catalina.out.):

     Aug 15, 2012 3:50:14 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getTrustStore
     WARNING: The provided trust store password could not be used to unlock and/or validate the trust store.
     Retrying to access the trust store with a null password which will skip validation.
     java.security.UnrecoverableKeyException: Password verification failed
     at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
     at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
     at java.security.KeyStore.load(KeyStore.java:1185)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:358)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:615)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:527)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
     at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:380)
     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:566)
     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:417)
     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
     at org.apache.catalina.connector.Connector.initInternal(Connector.java:956)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:814)
     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
     at org.apache.catalina.startup.Catalina.load(Catalina.java:624)
     at org.apache.catalina.startup.Catalina.load(Catalina.java:649)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)

This error is commonly caused by a file in the tomcat web server directory structure that was not automatically updated by Spectrum.

Examine the OneClickService.conf file found in the $SPECROOT/tomcat/bin directory. It should have two entries by default that appear as:

jvm_opt=-Djavax.net.ssl.trustStore=C:/win32app/Spectrum/custom/keystore/cacerts
jvm_opt=-Djavax.net.ssl.trustStorePassword=changeit

To resolve this problem:

  1. Stop the Spectrum OneClick tomcat web server. To do so:

    1a - On Windows launch the Services UI and stop the Spectrum Tomcat service
    1b - On Unix run the stopTomcat.sh script from the $SPECROOT/tomcat/bin directory

  2. Edit the OneClickService.conf file so that the trustStore entry matches the correct path to the cacerts file and the trustStorePassword entry matches the customized keystorePass value. Continuing with the example above:

    Default:
    jvm_opt=-Djavax.net.ssl.trustStorePassword=changeit
    Edited:
    jvm_opt=-Djavax.net.ssl.trustStorePassword=ABC

    Save the changes to the file.

  3. Start the Spectrum OneClick tomcat web server. To do so:

    3a - On Windows launch the Services UI and start the Spectrum Tomcat service
    3b - On Unix run the startTomcat.sh script from the $SPECROOT/tomcat/bin directory

At this point the error should be resolved and the web server should be accessible via SSL. If further errors continue to appear or the web server remains inaccessible, other problems may exist and a new support issue should be opened with Spectrum support for additional assistance.
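
A consistency check for the two files discussed above, as an added example that is not part of the original article or the product: it compares keystoreFile/keystorePass in server.xml with the trustStore/trustStorePassword jvm_opt entries in OneClickService.conf and reports mismatches without printing the passwords. The sample file contents are constructed, and the Connector's port and SSLEnabled attributes are assumed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the article's example (not real product files).
SAMPLE_SERVER_XML = """<Server><Service>
  <Connector port="443" SSLEnabled="true"
             keystoreFile="C:/win32app/spectrum/custom/keystore/cacerts"
             keystorePass="ABC"/>
</Service></Server>"""
SAMPLE_CONF = """jvm_opt=-Djavax.net.ssl.trustStore=C:/win32app/Spectrum/custom/keystore/cacerts
jvm_opt=-Djavax.net.ssl.trustStorePassword=changeit
"""

def connector_settings(server_xml_text):
    """Return (keystoreFile, keystorePass) of the first active Connector that has a keystore.
    A Connector still inside an XML comment is ignored by the parser."""
    root = ET.fromstring(server_xml_text)
    for conn in root.iter("Connector"):
        if conn.get("keystoreFile") is not None:
            return conn.get("keystoreFile"), conn.get("keystorePass")
    return None, None

def jvm_truststore_settings(conf_text):
    """Return (trustStore, trustStorePassword) from the jvm_opt lines."""
    opts = {}
    pattern = r"\s*jvm_opt=-Djavax\.net\.ssl\.(trustStore|trustStorePassword)=(.*)"
    for line in conf_text.splitlines():
        m = re.match(pattern, line)
        if m:
            opts[m.group(1)] = m.group(2).strip()
    return opts.get("trustStore"), opts.get("trustStorePassword")

def same_path(a, b):
    """Compare paths; Windows drive paths are compared case-insensitively."""
    a, b = a.replace("\\", "/"), b.replace("\\", "/")
    if re.match(r"[A-Za-z]:/", a):
        return a.lower() == b.lower()
    return a == b

def check(server_xml_text, conf_text):
    """Return a list of findings; passwords are compared but never echoed."""
    ks_file, ks_pass = connector_settings(server_xml_text)
    ts_file, ts_pass = jvm_truststore_settings(conf_text)
    if ks_file is None:
        return ["no active Connector with keystoreFile (still commented out?)"]
    findings = []
    if ts_file is None or not same_path(ks_file, ts_file):
        findings.append("trustStore path differs from keystoreFile")
    if ks_pass != ts_pass:
        findings.append("trustStorePassword differs from keystorePass")
    return findings

if __name__ == "__main__":
    print(check(SAMPLE_SERVER_XML, SAMPLE_CONF))
```

To run it against a real installation, pass the contents of $SPECROOT/tomcat/conf/server.xml and $SPECROOT/tomcat/bin/OneClickService.conf to check() in place of the samples.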