Question

How can I make Jetty 9 ignore keypass while accessing the keystore?

Here is what I did:

  • I generated a certificate for my domain at startssl.com
  • I generated a chained certificate (mine + sub.class1.server.ca.pem + ca.pem) like this: openssl pkcs12 -export -inkey ssl.key -in /home/ubuntu/bundle.crt -out /home/ubuntu/bundle.pkcs12
  • Imported them into a new keystore like this: keytool -importkeystore -srckeystore /home/ubuntu/bundle.pkcs12 -srcstoretype PKCS12 -destkeystore /opt/jetty/etc/keystore
  • For some reason the alias was "1", so I renamed it to "jetty" like this: keytool -changealias -alias "1" -destalias "jetty" -keystore /opt/jetty/etc/keystore -storepass storepwd
  • Note that I use storepwd, which is the default password for the Jetty distro

My jetty-ssl.xml contains this:

<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  <Set name="KeyStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.keystore" default="etc/keystore"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="OBF:1u2u1wml1z7s1z7a1wnl1u2g"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.home" default="." />/<Property name="jetty.truststore" default="etc/keystore"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"/></Set>
  <Set name="EndpointIdentificationAlgorithm"></Set>
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>
</Configure>

Now when I launch all this beauty, Jetty crashes with the following error:

2013-07-11 21:34:01.984:WARN:oejuc.AbstractLifeCycle:main: FAILED SslContextFactory@e45a028(/opt/jetty/etc/keystore,/opt/jetty/etc/keystore): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:138)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:55)
    at java.security.KeyStore.getKey(KeyStore.java:792)
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:131)
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:68)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:259)

Which is apparently a password mismatch, because it expects/passes the keypass keypwd from the default keystore that comes with Jetty.

Here are my certificate(s): http://pastebin.com/raw.php?i=p8LhT50P It's the output from keytool -list -keystore /opt/jetty/etc/keystore -storepass storepwd -storetype JKS -v

Where is it set? How can I fix this error?

Thanks!


Solution

There are two passwords involved: the keystore password (KeyStorePassword) and the key password (KeyManagerPassword). For a PKCS#12 store, they are the same.

Since you've imported the key from the PKCS#12 store into the JKS store using the keystore's password, that doesn't mean that the password of the key itself was changed, and it's probably not "keypwd" (Jetty's default). Try to replace the value of KeyManagerPassword with your PKCS#12 store's password.

(Note that in general, you don't need to convert the keystore, you could have used PKCS12 as the KeyStoreType.)

License: CC-BY-SA with attribution
Not affiliated with StackOverflow