topic Tomcat - Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry in Installing and Upgrading

Tomcat - Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry

Karl-Josef_Blaser — Sat, 16 Nov 2024 00:43:06 GMT

Dear Talend-Support-Team,

I've installed a new Talend 7.3.1. Everthung was fine - TAC, TDS, TDP, Kibana....

Then I would switch the TAC from http to https at port 8443.

The server.xml for this is attached.

When I start TAC, this error happens in the catalina.YY-MM-DD.log, which is attached too:

01-Feb-2021 11:19:49.010 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8493]]

org.apache.catalina.LifecycleException: Protocol handler initialization failed

at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)

at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)

at org.apache.catalina.startup.Catalina.load(Catalina.java:584)

at org.apache.catalina.startup.Catalina.load(Catalina.java:607)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)

at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

at java.base/java.lang.reflect.Method.invoke(Method.java:566)

at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)

at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)

Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry

at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)

at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)

at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)

at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)

at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)

at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)

at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)

at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)

... 13 more

Caused by: java.io.IOException: jsse.alias_no_key_entry

at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:341)

at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)

at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)

... 20 more

I've checked the signed certificates, cacerts-keystore from Java and any more.

Please, can you tell me the problem?

Thx.

Please rename the

catalina.2021-02-01.log.xml to catalina.2021-02-01.log, because I can't upload .log-files, for whatever reason.

Best regards...Karl-Josef

Re: Tomcat - Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry

prg — Mon, 01 Feb 2021 17:13:03 GMT

Hello @Karl-Josef Blaser,

1) Please refer to the below KB article for How to configure Talend Services to use SSL;

https://community.talend.com/s/article/How-to-configure-Talend-Services-to-use-SSL-UM3Wt

2) The Keystore password is changed but the password for the private key of the certificate is not changed to reflect the password that is changed for the Keystore. The Keystore password and the private key password have to be the same and cannot be different.

3) Check the certificate alias in the Keystore.

keytool -list -v -keystore <keystore_name> -storepass <current_keystore_password>

[ Example ] :

Alias name: guccisupport

4) Change the password for the key store.

keytool -v -storepasswd -new <new_keystore_password> -keystore <keystore_name> -storepass <current(old)_keystore_password>

5) Check the alias from step 1 and use the same alias here to change the password of the private key of the certificate. Use the same new password that is used for the Keystore for the private key as well.

keytool -v -keypasswd -alias <alias_from_step1> -new <new_keypassword_same_as_new_keystore_password> -keystore <keystore_name> -storepass <new_keystore_password_changed_in_step2> -keypass <old_keystore_password_used_in_storepass_attribute_in_step2>

Note: keytool utility exists in <INFA_HOME>\java\bin and <INFA_HOME>\java\jre\bin

Pls get back to Community, if necessary.

Thanks,

Vaishnavi

Re: Tomcat - Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry

Karl-Josef_Blaser — Thu, 04 Feb 2021 08:20:31 GMT

Hi Vaishnavi,

many thanks for your response.

I've this connector:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"

maxThreads="150"

SSLEnabled="true"

scheme="https"

secure="true"

clientAuth="false"

sslProtocol="TLS"

sslEnabledProtocols="TLSv1.2,TLSv1.3"

keystoreFile="C:\Talend\7.3.1\tac\apache-tomcat\conf\server-name.jks" keystorePass="PASSWORT"

truststoreFile="C:\Talend\7.3.1\tac\apache-tomcat\conf\talend-truststore.jks" truststorePass="PASSWORT"

The problem was the keystore. For signed certifikates, the certifcate key and the certifikate must be exported in PKCS12 format.

At command prompt:

openssl pkcs12 -export -in C:\Talend\7.3.1\tac\apache-tomcat\conf\server-name.crt -inkey d:\Talend\Zertifikate\server-name.key -out d:\Talend\Zertifikate\server-name.pkcs12 -name tac -passout pass:PASSWORT

The password, that was used for signing the certificate must be entered.

The pkcs12 (server-name.pkcs12) key must be imported to the keystore file:

keytool -importkeystore -deststorepass PASSWORT -destkeystore C:\Talend\7.3.1\tac\apache-tomcat\conf\server-name.jks -deststoretype jks -srckeystore D:\Talend\Zertifikate\server-name.pkcs12 -srcstoretype PKCS12 -alias tac

The password that was previously used in the export must then be entered.

Yes, this is where your point 2 meets.

At the truststore the server-name.crt (signed certificate) and the certificates for the certification chain, if the server has no internet access, must be imported.

The connector could be startet successfully with these keystores.

Best regards...Karl-Josef