Getting "Keystore was tampered with, or password was incorrect" error after configuring SSL for Edge UI

We configured the SSL for Edge UI on Private Cloud 4.16.05 based on the instructions provided here.

However, when we try to launch the UI as https://<IP address>:<port#> we got the below error in the browser:

This site can’t be reached
<IP address> took too long to respond.
Try:
    • Checking the connection
    • Checking the proxy and the firewall
    • Running Network Diagnostics
ERR_CONNECTION_TIMED_OUT

So we tried to run the curl command as follows:

curl -v https://0:9443/login

When we checked the edge-ui.log we saw the following exception:

java.lang.reflect.InvocationTargetException: null
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_121]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_121]
        at play.core.server.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:82) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
Caused by: java.lang.Exception: Error loading HTTPS keystore from /opt/apigee/customer/conf/keystore.jks
        at play.core.server.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:43) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at play.core.server.DefaultSSLEngineProvider.<init>(DefaultSSLEngineProvider.scala:19) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at services.CustomSSLEngineProvider.<init>(CustomSSLEngineProvider.scala:23) ~[enterpriseui.enterpriseui-4.16.05.06-df43663-20161229-233745.jar:4.16.05.06-df43663-20161229-233745]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
        at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
        at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]

I have passed on the right password in the configFile while configuring the SSL.

Can someone help with how to fix this issue?

1 ACCEPTED SOLUTION

After some investigation, I found the cause for this issue as follows:

  1. Used a different password while creating the PKCS12 file and converting the PKCS12 file to a JKS file (https://docs.apigee.com/private-cloud/v4.16.05/configuring-tlsssl-edge-premises).
    • As per the information given here, we should use the same password.
  2. Used the obfuscated password for KEY_PASS in the configFile used for configuring the SSL. This is incorrect. We should be using the password as is, without encrypting it.

Re-created the JKS file using the same password and then used the password as is in the configFile. Configured the SSL for Edge UI. We are no longer seeing the exception "Keystore was tampered with, or password was incorrect".

Just to reiterate the complete steps to configure SSL for Edge UI:

Assuming you already have the certificate and private key files in PEM format, follow the below steps to configure SSL for Edge UI.

  1. Create the PKCS12 file from your certificate and private key files
    openssl pkcs12 -export -clcerts -in opdk-ui-certificate.pem -inkey opdk-ui-key.pem -out keystore.pkcs12
    • Note: You need to enter the password as part of the command, let’s say you entered "keystore123".
  2. Convert the PKCS12 file to a JKS file named keystore.jks using the below command:
    keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
    • Note: You need to enter the password as part of the above command again. Ensure that you use the same password used in step #1, that is, "keystore123".
  3. Ensure that your TLS port (for ex: 9443) is open
    iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose
  4. Create a configFile with the following contents:
    HTTPSPORT=9443
    DISABLE_HTTP=n
    KEY_ALGO=JKS
    KEY_FILE_PATH=/tmp/mykeystore.jks
    KEY_PASS=keystore123
    • Note: Ensure the password is specified as is for KEY_PASS (i.e., don't use the encrypted version of the password).
  5. Run the following command to configure the SSL for
    /<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
  6. Access the Edge UI using https and see if it works.
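A preflight check for step 4, added here as an example that is not part of the original answer: before running configure-ssl, verify that KEY_PASS actually opens the file at KEY_FILE_PATH. It re-implements the integrity check that `JavaKeyStore.engineLoad` performs (SHA-1 over the password as UTF-16BE, the fixed salt "Mighty Aphrodite", and the file body, compared with the trailing 20 bytes), so the obfuscated password, a password that differs between the PKCS12 and JKS steps, or a path that points at the .pkcs12 file instead of the .jks all fail here rather than in edge-ui.log. `build_empty_jks` is a constructed fixture for testing the checker offline.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
# Fixed salt that Java's JavaKeyStore mixes into the integrity hash.
JKS_SALT = b"Mighty Aphrodite"


def _prekeyed_sha1(password):
    # Java hashes the password chars as UTF-16BE, then the salt, then the file body.
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    return h


def check_jks_password(data, password):
    """Return (ok, reason): does `password` satisfy the JKS integrity hash?

    Mirrors the check JavaKeyStore.engineLoad performs before throwing
    "Keystore was tampered with, or password was incorrect".
    """
    if len(data) < 12 + 20:
        return False, "file too short to be a JKS keystore"
    magic, version, entry_count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        # A PKCS12 file starts with an ASN.1 SEQUENCE tag (0x30), not the JKS magic.
        return False, "not a JKS keystore (magic 0x%08X); is KEY_FILE_PATH the .pkcs12 file?" % magic
    if version not in (1, 2):
        return False, "unsupported JKS version %d" % version
    h = _prekeyed_sha1(password)
    h.update(data[:-20])               # everything before the trailing 20-byte SHA-1
    if h.digest() != data[-20:]:
        return False, "password verification failed (wrong KEY_PASS, or file modified)"
    return True, "password OK, %d entries" % entry_count


def build_empty_jks(password):
    """Build a zero-entry JKS protected by `password` (constructed fixture for testing)."""
    header = struct.pack(">III", JKS_MAGIC, 2, 0)
    h = _prekeyed_sha1(password)
    h.update(header)
    return header + h.digest()


def check_jks_file(path, password):
    with open(path, "rb") as f:
        return check_jks_password(f.read(), password)
```

Against a real deployment, `check_jks_file("/opt/apigee/customer/conf/keystore.jks", "keystore123")` returns `(True, ...)` only when the plain password from step 2 is supplied; it does not inspect the private-key entries themselves, only the store-level password that the stack trace above fails on.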


6 REPLIES

This works 🙂 Thanks a lot.

Regards,

Salman

@Stephen Gilson,

Can you please update the docs with this information?

@AMAR DEVEGOWDA I think the only issue with the doc is to say to use the same password for both the PKCS12 file and JKS file, correct?

Stephen

@sgilson,

1. The same password should be used for both PKCS12 and JKS files

2. We should use the unencrypted password in the config file

Thanks @AMAR DEVEGOWDA

Doc updated.

Stephen