Does not apply to Identity Cloud

Cannot recover key error shown when renewing expired certificates or changing the password for the keystore or truststore in AM (All versions)

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you receive the "java.security.UnrecoverableKeyException: Cannot recover key" error when renewing expired certificates or changing the password for the keystore or truststore. This can affect you if you are using AM for SAML2 federation or as an OAuth provider.



Symptoms

The symptoms vary slightly depending on whether you are using AM for SAML2 federation or as an OAuth provider.

SAML2 federation

The following error is shown in the Federation debug log if you are using AM for SAML2 federation:

libSAML:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main] ERROR: Cannot recover key
libSAML2:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main] ERROR: FMSigProvider.sign: Either input xml string or id value or private key is null.
libSAML2:29/08/2016 03:27:14:805 PM GMT: Thread[http-bio-8443-exec-8,5,main] ERROR: IDPSSOFederate.doSSOFederate: Unable to do sso or federation.
com.sun.identity.saml2.common.SAML2Exception: Null input.
  at com.sun.identity.saml2.xmlsig.FMSigProvider.sign(FMSigProvider.java:138)
  at com.sun.identity.saml2.assertion.impl.AssertionImpl.sign(AssertionImpl.java:674)
  at com.sun.identity.saml2.profile.IDPSSOUtil.signAssertion(IDPSSOUtil.java:2433)
  ...
Caused by: java.security.UnrecoverableKeyException: Cannot recover key

An error similar to the following is also seen in the container log if the container's HTTPS connector uses the same keystore. For example, this error is shown in the catalina.out log for Apache Tomcat™, where the connector itself fails to read its key with the keystorePass/keyPass configured in server.xml, so those values need updating too when you change the password of a keystore the connector shares with AM:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:620)
  ...
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
  at java.security.KeyStore.getKey(KeyStore.java:763)

OAuth provider

The following error is shown in the OAuth2Provider debug log if you are using AM as an OAuth provider:

OAuth2Provider:29/08/2016 03:27:14:198 AM MDT: Thread[tomcat-http--16,5,main]: TransactionId[2d899296-1b0b-4ee0-9e23-f1261f659ba3-137]
14631:: 400 server_error : Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
  at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
  at org.restlet.resource.ServerResource.get(ServerResource.java:742)
  at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
  at org.restlet.resource.ServerResource.doNegotiatedHandle(ServerResource.java:678)
  at org.restlet.resource.ServerResource.doConditionalHandle(ServerResource.java:356)
  at org.restlet.resource.ServerResource.handle(ServerResource.java:1043)
  ...
Caused by: org.forgerock.json.jose.utils.KeystoreManagerException: java.security.UnrecoverableKeyException: Cannot recover key
  at org.forgerock.json.jose.utils.KeystoreManager.getPrivateKey(KeystoreManager.java:139)
  at org.forgerock.openam.utils.OpenAMSettingsImpl.getServerKeyPair(OpenAMSettingsImpl.java:181)
  at org.forgerock.openam.oauth2.OpenAMOAuth2ProviderSettings.getServerKeyPair(OpenAMOAuth2ProviderSettings.java:610)
  at org.forgerock.openam.oauth2.OpenAMTokenStore.createOpenIDToken(OpenAMTokenStore.java:253)
  at org.forgerock.openidconnect.IdTokenResponseTypeHandler.handle(IdTokenResponseTypeHandler.java:61)
  at org.forgerock.oauth2.core.AuthorizationTokenIssuer.issueTokens(AuthorizationTokenIssuer.java:105)
  at org.forgerock.oauth2.core.AuthorizationServiceImpl.authorize(AuthorizationServiceImpl.java:155)
  at org.forgerock.oauth2.restlet.AuthorizeResource.authorize(AuthorizeResource.java:95)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:606)
  at org.restlet.resource.ServerResource.doHandle(ServerResource.java:523)
  ... 76 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
  at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
  at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
  at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
  at java.security.KeyStore.getKey(KeyStore.java:792)
  at org.forgerock.json.jose.utils.KeystoreManager.getPrivateKey(KeystoreManager.java:137)
  ... 88 more

Recent Changes

Changed the password for an AM keystore or truststore.

Renewed expired certificates.

Causes

Most likely there is a mismatch between the key password and the keystore password: AM opens the keystore with the password in .storepass and then recovers each private key with the password in .keypass, and the JDK throws UnrecoverableKeyException as soon as the key entry's own password differs from the one AM supplies. Changing only the store password with keytool, or importing a renewed key protected with a different password, leaves the two out of step.

This can also happen if you have a site configuration and have made changes to your certificate or passwords but not copied the files to all servers in the site.

Solution

This issue can be resolved by synchronizing the passwords using the keytool command:

  1. Set the keystore password and the key password of the signing alias to the same value, then update .storepass and .keypass with that value so they match what is in the keystore. On AM 7 and later these files are in /path/to/openam/security/secrets/default/; on earlier versions they are in /path/to/openAM/. You should also ensure they match on all servers if you have a site configuration. For example, you can use keytool commands such as the following depending on your keystore format:
    • JCEKS format:
      $ keytool -storepasswd -new newpassword -keystore keystore.jceks -storetype JCEKS
      $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jceks -storetype JCEKS
    • JKS format:
      $ keytool -storepasswd -new newpassword -keystore keystore.jks
      $ keytool -keypasswd -alias yourfqdnalias -new newpassword -keystore keystore.jks
    keytool prompts for the current keystore password (and, for -keypasswd, the current key password). If you omit -new it also prompts for the new password, which keeps it out of shell history and the process list; prefer that on shared hosts. Run keytool -keypasswd once per key alias AM uses (for example the SAML2 signing alias and the OAuth2/OIDC signing alias) if they are protected by different passwords.
  2. Restart the web application container in which AM runs to apply the changes; the password files are read at startup.
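To confirm which password is wrong before restarting the container, the following program, added here as an example and not part of AM, repeats what AM's KeystoreManager does: it loads the keystore with the password from .storepass and then calls KeyStore.getKey on every key entry with the password from .keypass, listing each alias that throws UnrecoverableKeyException. It assumes the two password files hold the password in plain text, as the default .storepass does; the class name and output format are this example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * KeystorePasswordCheck (example, not AM code): opens the keystore the way AM does,
 * with the .storepass password for KeyStore.load and the .keypass password for
 * KeyStore.getKey, and reports every key entry that cannot be recovered.
 *
 * Usage: java KeystorePasswordCheck <keystore> <JKS|JCEKS> <.storepass file> <.keypass file>
 */
public class KeystorePasswordCheck {

    static char[] readPassword(Path file) throws IOException {
        // Assumption: plain-text password file (the default .storepass holds "changeit");
        // trim() drops the trailing newline an editor may have added.
        return new String(Files.readAllBytes(file), StandardCharsets.UTF_8).trim().toCharArray();
    }

    /** Returns the number of key entries whose password does not match keyPass. */
    static int checkKeyEntries(Path keystore, String type, char[] storePass, char[] keyPass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(keystore.toFile())) {
            // A wrong .storepass fails here: "Keystore was tampered with, or password was incorrect".
            ks.load(in, storePass);
        }
        int mismatches = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries (truststore) have no key password
            }
            try {
                // Same call AM's KeystoreManager.getPrivateKey makes before signing.
                Key key = ks.getKey(alias, keyPass);
                System.out.printf("OK       %-24s %s%n", alias, key.getAlgorithm());
            } catch (UnrecoverableKeyException e) {
                // The exact exception seen in the Federation and OAuth2Provider debug logs.
                mismatches++;
                System.out.printf("MISMATCH %-24s key password differs from .keypass%n", alias);
            }
        }
        return mismatches;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystorePasswordCheck <keystore> <JKS|JCEKS> <.storepass> <.keypass>");
            System.exit(2);
        }
        char[] storePass = readPassword(Paths.get(args[2]));
        char[] keyPass = readPassword(Paths.get(args[3]));
        int bad = checkKeyEntries(Paths.get(args[0]), args[1], storePass, keyPass);
        System.out.println(bad == 0
                ? "All key entries are recoverable with the .keypass password"
                : bad + " key entry(ies) need 'keytool -keypasswd' or an updated .keypass");
        System.exit(bad == 0 ? 0 : 1);
    }
}
```

Compile with javac and run it as the user that runs the container, pointing at the keystore and password files for your version (for AM 7 and later, /path/to/openam/security/keystores/keystore.jceks with the files in /path/to/openam/security/secrets/default/). A failure to load means .storepass is wrong; a MISMATCH line names the alias whose key password has to be brought in line. In a site configuration run it on every server, since a server that did not receive the copied keystore or password files will fail the same way.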

Default keystore details

After installing AM, a default keystore is available in /path/to/openam/security/keystores/keystore.jceks (AM 7 and later) or /path/to/openAM/keystore.jceks (Pre-AM 7). The default password is changeit for both the keystore and its keys; the keystore password is stored in /path/to/openam/security/secrets/default/.storepass (AM 7 and later) or /path/to/openAM/.storepass (Pre-AM 7), and the key password in the .keypass file in the same directory.

This keystore contains multiple default test aliases; the exact test aliases included vary by version as shown in the documentation:

See Security Guide › Configuring Secrets, Certificates, and Keys for further information.

See Also

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

How do I renew expired certificates for a hosted IdP or SP in AM 5.x or 6.x?

How do I renew expired certificates for a remote IdP or SP in AM (All versions)?

Security Guide › Configuring Secrets, Certificates, and Keys 

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.