Purpose (problem description)

When you are setting up SSL, this message appears in the log (where xxxx is the alias you have set up):

Alias name [xxxx] does not identify a key entry


Example of log:


Caused by: java.lang.IllegalArgumentException: Alias name [cast] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1313) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:614) ~[tomcat-embed-core-9.0.63.jar!/:na]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072) ~[tomcat-embed-core-9.0.63.jar!/:na]


In that case, follow the solution below.

Observed in CAST AIP

Release    Yes/No
8.3.x      Yes

Observed on RDBMS

RDBMS      Yes/No
CSS        Yes

Step by Step scenario

  1. Encountered error in logs

Action Plan

The issue normally occurs because the entry stored in the Java keystore under that alias is a certificate-only entry, whereas the configuration requires the entry to be a certificate/key pair.

This can happen if you were provided a key and certificate separately (normally as *.pem and *.crt files).

The best solution is to go back to the person who provided them and ask for a *.pk7 format file, which would contain both the key and the certificate, together with its passphrase, and then import this into the keystore.

Otherwise, you need access to the openssl tool to do something like the following (see Secure Socket Layer (SSL) Tools for information on keytool and openssl):


  • Convert the key and certificate to a *.p12 type using the openssl tool:
    • openssl pkcs12 -export -name cast -in in/file.cer -inkey in/key.pem -out out/keystore.p12
  • Then run this keytool command (the source keystore password is the one you set in the openssl step above; the destination password is the one for cacerts):
    • keytool -importkeystore -destkeystore "C:\Program Files\Java\jdk-11.0.16\lib\security\cacerts" -srckeystore "C:\temp\keystore.p12" -srcstoretype pkcs12 -alias cast
    • You may get a warning about migrating from a jks keystore to a pkcs12 keystore.
  • Then when you list entries in the keystore, you should see one which has both the key and certificate:
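
One way to check the result of the last step, added here as an example (it is not CAST's or Tomcat's own code): the functions below read keytool -list output and report whether the alias is a PrivateKeyEntry (key plus certificate) or a trustedCertEntry (certificate only, which triggers the error above). It assumes English-locale keytool output; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a keystore alias from `keytool -list` output.
# Real use (path and alias as on this page):
#   keytool -list -keystore "C:\temp\keystore.p12" -storetype pkcs12 | check_key_entry cast

# Print the entry type keytool reports for alias $1 (nothing if absent).
# Entry lines look like:  <alias>, <date>, <EntryType>,
alias_entry_type() {
    awk -F', ' -v want="$1" '
        /Entry,[ \t\r]*$/ && tolower($1) == tolower(want) {
            t = $NF
            sub(/,[ \t\r]*$/, "", t)   # drop trailing comma (and CR on Windows)
            print t
            exit
        }'
}

# 0 = key entry (private key + certificate), 1 = certificate-only entry,
# 2 = alias not found, 3 = any other entry type.
check_key_entry() {
    etype=$(alias_entry_type "$1")
    case "$etype" in
        PrivateKeyEntry)  echo "$1: key entry, usable as the SSL alias"; return 0 ;;
        trustedCertEntry) echo "$1: certificate only, no private key" >&2; return 1 ;;
        "")               echo "$1: alias not found" >&2; return 2 ;;
        *)                echo "$1: unexpected entry type $etype" >&2; return 3 ;;
    esac
}

# Constructed sample listing (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

cast, Aug 3, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
castcert, Aug 3, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
EOF
}

sample_listing | check_key_entry cast
sample_listing | check_key_entry castcert || true
```

A non-zero exit status for the configured alias means the import has to be redone from a file that contains the private key.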


If the above steps do not solve your issue, contact CAST Technical Support with the following relevant input.

Relevant input

  • CAST Log file
  • A detailed list of the steps done
  • Screenshots from part of AIP showing the issue 


Notes/comments

Ticket # 38360
