IBM Support

TroubleShoot: WebSphere WS-Security Keystore Errors

Troubleshooting


Problem

This document contains troubleshooting information for Web Services Security (WS-Security) problems in the WebSphere® Application Server. This can help address common issues with this component before calling IBM support and save you time.
 

Resolving The Problem


Troubleshooting topics:

Overview

This topic contains errors related to keystores, keys and certificates that are used in your WS-Security configuration. You may see these messages in SOAP response messages, SystemOut.log, SystemErr.log, FFDC or trace.log.

Some of the issues in this topic require a WS-Security trace to determine the root cause of the problem. The instructions to obtain a WS-Security trace are in the 'Collecting data manually' section of the Collect data tab. If a trace string different from the one on the Collect data tab is required for a specific problem, that trace string is noted in the steps to diagnose the problem. In most cases, it is best to obtain a WS-Security trace from application server startup.

 

CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.net.MalformedURLException: unknown protocol: c ocurred while running action

The keystore does not exist.

 

CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.io.IOException: Keystore was tampered with, or password was incorrect

The keystore password is incorrect.
 

CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableKeyException ocurred while running action:

The password may be incorrect for a private key. If it is, you will also see entries like the following in a WS-Security trace:

KeyStoreManag 3 UnrecoverableKeyException encountered. Key password is probably incorrect.
KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableKeyException: Cannot recover key


 

CWWSS5312E: The Application Server cannot retrieve the 'gateway-public' key from the '/apps/ki01/e8-was85-pt02/AppServer/etc/ShowcaseKeyStore-tpt.jks' keystore. The following exception occurred: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected

The important part of this message is "java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected", not CWWSS5312E. CWWSS5312E is emitted from the WS-Security runtime for a variety of errors, but "java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected" is only emitted from Java Security when an alias that is a trusted certificate (public key) entry, which has no password assigned, is accessed with a password.
When you get this error, you will most likely see something like this in a WS-Security trace:
[1/27/17 13:05:40:213 EDT] 000000d0 KeyStoreManag 3 There is no cached key information with the keystore [/opt/keys/keystore.jks] and the alias [my-public]. So a new key information is created.
[1/27/17 13:05:40:213 EDT] 000000d0 KeyStoreManag > createKeyInformation(KeyStore keyStore, String alias[my-public], char[] keyPassword[not null], String keyName[my-public])boolean isHWKeyStoreRef[false]) Entry
[1/27/17 13:05:40:261 EDT] 000000d0 KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'my-public' key from the '/opt/keys/keystore.jks' keystore. The following exception occurred: java.lang.UnsupportedOperationException: trusted certificate entries are not password-protected
at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:478)
at java.security.KeyStore.getEntry(KeyStore.java:1314)
at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.createKeyInformation(KeyStoreManager.java:568)

By far the most likely cause of this error is that you configured a public key where a private key is required:

Private keys are required for Signature Generators and Encryption Consumers.

 

CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableEntryException: requested entry requires a password (JAX-WS)

The important part of this message is "java.security.UnrecoverableEntryException: requested entry requires a password", not CWWSS5312E. CWWSS5312E is emitted from the WS-Security runtime for a variety of errors, but "java.security.UnrecoverableEntryException: requested entry requires a password" is only emitted from Java Security when an alias that requires a password is accessed without a password.
When the following error is emitted, the cause is most likely that you have configured a keyEntry alias (which requires a password) in a field of the WS-Security bindings that is intended for trust and for which no password is provided, such as the Trust Store or the keystore on a digital signature consumer callback handler.
KeyStoreManag E CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.security.UnrecoverableEntryException: requested entry requires a password
at java.security.KeyStoreSpi.engineGetEntry(KeyStoreSpi.java:443)
at java.security.KeyStore.getEntry(KeyStore.java:1241)
at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.createKeyInformation(KeyStoreManager.java:459)
at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.getKeyInformation(KeyStoreManager.java:384)
at com.ibm.ws.wssecurity.wssapi.token.impl.KeyStoreManager.getKeyInformation(KeyStoreManager.java:326)
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.resolveKeyInfo(X509ConsumeLoginModule.java:479)
at com.ibm.ws.wssecurity.wssapi.token.impl.X509ConsumeLoginModule.login(X509ConsumeLoginModule.java:234)
at com.ibm.ws.wssecurity.wssapi.token.impl.CommonTokenConsumer.invoke(CommonTokenConsumer.java:265)
at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.invokeTokenConsumer(CommonContentConsumer.java:567)
at com.ibm.ws.wssecurity.wssapi.CommonContentConsumer.getKey(CommonContentConsumer.java:270)
at com.ibm.ws.wssecurity.keyinfo.KeyInfoConsumer.getKey(KeyInfoConsumer.java:190)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.callKeyInfoConsumer(SignatureConsumer.java:1042)
at com.ibm.ws.wssecurity.dsig.SignatureConsumer.invoke(SignatureConsumer.java:254)

For more information on where you must configure private keys vs public keys in the WS-Security bindings, see the Callback handler settings for JAX-WS topic in the Knowledge Center.


 

CWWSS5312E: The Application Server cannot retrieve the 'myKey' key from the 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' keystore. The following exception occurred: java.lang.IllegalArgumentException: password can't be null (JAX-WS)

Same reason as the error above. Different JDK levels can produce different exception types with different text, but the meaning is the same.
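As an added diagnostic (not IBM code), the following stand-alone Java program makes the same java.security.KeyStore calls for a keystore path, type, store password, alias and optional key password, and maps the resulting exceptions to the CWWSS5003E, CWWSS6800E and CWWSS5312E causes described in the entries above. It assumes a hypothetical class name WsSecKeystoreCheck, opens the path as a file rather than as a URL (so it cannot reproduce the MalformedURLException variant), and the exception texts it comments on are those of the JDK's JKS implementation, which vary by JDK level as noted above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;

// Hypothetical stand-alone diagnostic (not IBM code). It issues the same
// java.security.KeyStore calls the WS-Security KeyStoreManager makes, so the
// exception it reports is the one wrapped inside CWWSS5003E / CWWSS5312E.
public class WsSecKeystoreCheck {

    // Repeat the binding's lookup: a Signature Generator or Encryption Consumer
    // supplies a key password; a Trust Store or signature consumer does not.
    static String classify(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "CWWSS6800E: alias '" + alias + "' is not in the keystore";
        }
        String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "TrustedCertificateEntry";
        KeyStore.ProtectionParameter prot =
                keyPass == null ? null : new KeyStore.PasswordProtection(keyPass);
        try {
            ks.getEntry(alias, prot);
            return kind + " '" + alias + "' is usable with this configuration";
        } catch (UnsupportedOperationException e) {
            // "trusted certificate entries are not password-protected"
            return kind + " configured where a private key is required: " + e.getMessage();
        } catch (UnrecoverableKeyException e) {
            // wrong key password (subclass of UnrecoverableEntryException, so catch it first)
            return kind + " key password is incorrect: " + e.getMessage();
        } catch (UnrecoverableEntryException e) {
            // "requested entry requires a password"
            return kind + " configured in a trust-only field (no password given): " + e.getMessage();
        }
    }

    // Usage: java WsSecKeystoreCheck <path> <JKS|JCEKS|PKCS12> <storepass> <alias> [keypass]
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) {   // missing file -> FileNotFoundException
            // wrong store password -> "Keystore was tampered with, or password was incorrect";
            // type that does not match the file -> "Invalid keystore format"
            ks.load(in, args[2].toCharArray());
        } catch (IOException e) {
            System.out.println("CWWSS5003E: " + e);
            return;
        }
        char[] keyPass = args.length > 4 ? args[4].toCharArray() : null;
        System.out.println(classify(ks, args[3], keyPass));
    }
}
```

Run it once with the key password (as a Signature Generator or Encryption Consumer would) and once without (as a Trust Store or signature consumer would) to see which configuration the alias actually fits.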



 

WSEC5184E: The key with alias "myKey" of keystore "c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks" cannot be recovered (the password could be wrong): java.security.UnrecoverableEntryException: requested entry requires a password (JAX-RPC)

Same reason as the error above except the stack will be different since it's the JAX-RPC runtime.



 

CWWSS6800E: The entry with alias 'anyKey' of keystore 'c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks' cannot be found: entry=null

An alias is configured that does not exist in the keystore.



 

CWWSS7073E: The key is not retrieved.

A public key is configured where a private key is required. You may see something like this in a trace:

[1/25/16 15:34:36:976 CST] 00000068 WSSObjectComm 3 Signing key or encrypting key is null.
[1/25/16 15:34:36:976 CST] 00000068 WSSecurityGen E CWWSS5514E: An exception while processing WS-Security message: com.ibm.wsspi.wssecurity.core.SoapSecurityException: CWWSS7073E: The key is not retrieved. The exception is:
at com.ibm.wsspi.wssecurity.core.SoapSecurityException.format(SoapSecurityException.java:59)
at com.ibm.ws.wssecurity.wssapi.WSSObjectCommonContentGenerator.getKey(WSSObjectCommonContentGenerator.java:240)
at com.ibm.ws.wssecurity.keyinfo.WSSObjectKeyInfoGenerator.getKey(WSSObjectKeyInfoGenerator.java:151)


 

CWWSS5003E: The c:/WebSphere/AppServer/profiles/server1/etc/ws-security/webstore.jks key store cannot be read because an IOException error occurred.: java.io.IOException: Invalid keystore format

The configured keystore type is incorrect.



 

CWWSS6809E: The X509 certificate owned by CN=SOAPRequester, OU=TRL, O=IBM, ST=Kanagawa, C=JP, which is created from the binary in the message is different from the X509 certificate owned by EMAILADDRESS=myx509root@us.ibm.com, CN=myx509root, OU=AIM, O=IBM, ST=TX, C=US, which is acquired from the keystore Path: g:\w\wl3wse\wssec\keys\myx509.ks.

The certificate configured in the X.509 token consumer is different than the one that was used to sign the message. When you get this message, you most likely configured a certificate on the X.509 token consumer when you shouldn't have. You should only configure a certificate on an X.509 token consumer if you want to restrict the consumer to accepting a single certificate.



 

CWWSS6811E: The key identifier QZOb+ZiiTuY= retrieved from the message is different from the key identifier iC3nl51GBjj0DnIxHQWiYhC3Xvw= acquired from the keystore Path: g:\w\wl3wse\wssec\keys\myx509.ks.

The message does not contain a copy of the certificate needed to verify the signature (for example, as a BinarySecurityToken). When the certificate to verify the signature is not in the message, the certificate to verify the signature is configured on the X.509 token consumer. In this case, a KeyId was put in the message to identify the certificate that was used to sign the message. This error means that the KeyId calculated for the certificate configured on the X.509 token consumer does not match the one that was received in the message. They must match before the signature will be verified.
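As an added example (not IBM code), this Java program prints the two identifiers a wsse:KeyIdentifier can carry for the certificate at an alias: the value of the SubjectKeyIdentifier extension (the X509SubjectKeyIdentifier value type) and the SHA-1 hash of the DER-encoded certificate (the ThumbprintSHA1 value type), both base64-encoded as they appear in the message. It assumes a hypothetical class name WsSecKeyIdCheck; which of the two identifiers applies depends on the key information type configured in your bindings, and the one that matches your configuration is the value to compare against the KeyId quoted in CWWSS6811E.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical diagnostic (not IBM code): prints the identifiers a wsse:KeyIdentifier
// can carry for the certificate at an alias, for comparison with CWWSS6811E.
public class WsSecKeyIdCheck {

    // X509SubjectKeyIdentifier: the SubjectKeyIdentifier extension (OID 2.5.29.14).
    // getExtensionValue() returns a DER OCTET STRING wrapping the extnValue, which for
    // this extension is itself an OCTET STRING holding the raw key identifier bytes.
    static byte[] subjectKeyIdentifier(X509Certificate cert) {
        byte[] wrapped = cert.getExtensionValue("2.5.29.14");
        if (wrapped == null) return null;       // certificate carries no SKI extension
        return derOctetStringContent(derOctetStringContent(wrapped));
    }

    // Unwrap one DER OCTET STRING (tag 0x04), handling short- and long-form lengths.
    static byte[] derOctetStringContent(byte[] der) {
        if (der[0] != 0x04) throw new IllegalArgumentException("not a DER OCTET STRING");
        int len = der[1] & 0xFF, start = 2;
        if (len > 0x7F) {                        // long form: low 7 bits = number of length bytes
            int n = len & 0x7F; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (der[2 + i] & 0xFF);
            start = 2 + n;
        }
        return Arrays.copyOfRange(der, start, start + len);
    }

    // ThumbprintSHA1: SHA-1 over the DER encoding of the whole certificate.
    static byte[] thumbprintSha1(X509Certificate cert) throws Exception {
        return MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
    }

    // Usage: java WsSecKeyIdCheck <path> <JKS|JCEKS|PKCS12> <storepass> <alias>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (FileInputStream in = new FileInputStream(args[0])) { ks.load(in, args[2].toCharArray()); }
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[3]);
        if (cert == null) { System.out.println("alias '" + args[3] + "' not found"); return; }
        Base64.Encoder b64 = Base64.getEncoder();
        byte[] ski = subjectKeyIdentifier(cert);
        System.out.println("Subject:                  " + cert.getSubjectX500Principal());
        System.out.println("X509SubjectKeyIdentifier: " + (ski == null ? "(none)" : b64.encodeToString(ski)));
        System.out.println("ThumbprintSHA1:           " + b64.encodeToString(thumbprintSha1(cert)));
    }
}
```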



 

CWWSS7315E: Caught an exception attempting to create default configuration objects. The following exception occurred: java.security.AccessControlException: Access denied (java.io.FilePermission c:\WebSphere\AppServer\profiles\fvtTest\etc\ws-security\samples\intca2.cer read)].

If you get an error like this, but you know that the file named in the message exists, you may have to disable Java 2 security.



 

SAMLResponse could not be verified.com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to decrypt EncryptedKey

The WS-Security runtime is used to validate SAML Assertions for the SAML Web Single Sign-on TAI component. When you get this error, check a WS-Security trace for this entry:

EncryptedData 3 Fail to decrypt EncryptedKey:null

If you find this, it means that the sso_<id>.sp.keyName property is not specified for the decrypting key.

If you get a com.ibm.wsspi.wssecurity.core.SoapSecurityException: Fail to decrypt EncryptedKey error associated with a web service, also check the trace for EncryptedKey:null. If you find this, then the key name in the callback handler of the token consumer associated with decryption (your inbound encryption part) does not have a value.


 

CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: unable to find valid certification path to requested target ocurred while running action: com.ibm.ws.wssecurity.handler.WSSecurityConsumerHandler

The certificate being validated is self-signed and isn't in the configured trust store. See the Trace analysis tab for information on how to debug this issue.



 

CWWSS6521E: The Login failed because of an exception: javax.security.auth.login.LoginException: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: java.security.cert.CertPathValidatorException: The certificate issued by EMAILADDRESS=test_it@us.ibm.com, CN=test_it, OU=AIM, O=IBM, ST=TX, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error

The certificate being validated is not self-signed, and its issuer, or one of its subsequent issuers (the one shown in the message), isn't in the configured trust store. See the Trace analysis tab for information on how to debug this issue.


 


Document Information

Modified date:
25 October 2019

UID

swg21972079