java certificates jarsigner: unable to recover key from keystore

java certificates jarsigner: unable to recover key from keystore

Kathy
Erman

I have a new install of EBS 12.2.4 and copied the keystore.dat and cacerts from another working Linux instance, and when I run adadmin to generate jars I get the above error. I followed document 1591073.1 and have a tar open with Oracle. I am hoping maybe you could point me in the right direction.

The servers are both Linux Oracle 6.x, and the document says we should be able to move the files to this new server... thank you so much! K
Re: java certificates jarsigner: unable to recover key from keystore

ErmanArslansOracleBlog
Administrator
Hi Kathy,

Are keyentry and keystore passwords the same?
Re: java certificates jarsigner: unable to recover key from keystore

ErmanArslansOracleBlog
Administrator
That is,
if the private key is protected with a password, make sure the key password is set to be the same as the store password.
If the private key password was already then use "keytool -keypass" to change the key entry to have the same password as the store password.

So, make the keystore and key passwords the same and retry.
Re: java certificates jarsigner: unable to recover key from keystore

Kathy
Hi... thanks for your response.. the keystore keypass and storepass are the same and I can do a keytool -list using the passwords with no problem... but
if I do the following for the alias ---

I can list the alias with the password perfectly fine... but if I want to change the password for the alias it says the following... when I did this on the other Linux server for the first time after getting the trusted certificates I had no problems, but I don't believe I set a password per se for the alias

keytool -keypasswd -alias EBSJavaCode -keystore adkeystore.dat

Enter keystore password:

Enter key password for <EBSJavaCode>

keytool error: java.security.UnrecoverableKeyException: Cannot recover key

 thanks Kathy
Re: java certificates jarsigner: unable to recover key from keystore

ErmanArslansOracleBlog
Administrator
If we find a private key entry that has "Cannot recover key", we will use keytool to change it to be the same as the keystore's store password.
# keytool -keypasswd -alias <keyalias> \
       -storepass <storepass> -keypass <oldkeypass> \
       -new <storepass> -keystore adkeystore.dat
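Added example, not part of the original posts: a read-only check that separates the failure modes discussed in this thread (store password wrong, alias missing, alias not a private key entry, key password different from the store password). The function name `check_signing_key` is hypothetical, and using `keytool -certreq` as the probe is a choice made for this example, not something suggested by either poster.

```shell
#!/bin/sh
# Added example: classify why jarsigner cannot use an alias in a keystore.
# Usage: check_signing_key adkeystore.dat EBSJavaCode "$STOREPASS"
# Return codes:
#   0  key is recoverable with the store password (what jarsigner needs here)
#   2  keystore cannot be opened with the store password
#   3  alias does not exist
#   4  alias is not a private key entry (e.g. only a trusted certificate)
#   5  key password differs from the store password
check_signing_key() {
    ks=$1
    key_alias=$2
    storepass=$3

    # Step 1: -list only needs the store password; it never decrypts the key.
    # This is why listing can succeed while signing still fails.
    if ! keytool -list -keystore "$ks" -storepass "$storepass" >/dev/null 2>&1; then
        echo "cannot open $ks with the store password"
        return 2
    fi

    # Step 2: the alias must exist and must hold a private key.
    entry=$(keytool -list -keystore "$ks" -storepass "$storepass" \
                    -alias "$key_alias" 2>&1) || {
        echo "alias $key_alias not found in $ks"
        return 3
    }
    case $entry in
        *PrivateKeyEntry*) ;;
        *) echo "alias $key_alias is not a PrivateKeyEntry"; return 4 ;;
    esac

    # Step 3: -certreq has to decrypt the private key to sign a CSR, so it
    # fails with UnrecoverableKeyException when -keypass is wrong.
    # The CSR goes to /dev/null and the keystore is not modified.
    if ! keytool -certreq -alias "$key_alias" -keystore "$ks" \
            -storepass "$storepass" -keypass "$storepass" \
            -file /dev/null >/dev/null 2>&1; then
        echo "key password for $key_alias differs from the store password"
        return 5
    fi

    echo "key for $key_alias is recoverable with the store password"
    return 0
}
```

Passwords given with `-storepass` and `-keypass` are visible in the process list while keytool runs, so run the check from a session other users cannot inspect.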

Re: java certificates jarsigner: unable to recover key from keystore

Kathy
One more thing for clarity: I do the following command for my alias ...
       
applmgr@prodcob admin (prod) $ keytool -list -trustcacerts -keypasswd -alias EBSJavaCode -keystore adkeystore.dat
Enter keystore password:
Enter key password for <EBSJavaCode>
keytool error: java.security.UnrecoverableKeyException: Cannot recover key
Re: java certificates jarsigner: unable to recover key from keystore

Kathy
Sorry for the string of responses ... but perhaps this is a red herring ... I cannot do the command from the system that actually compiled the jars with the trusted certificate ... so I am including two other errors that I am seeing ... first, when I compile the jars (force) using adadmin I get the following error:

About to Sign benall.jar : Tue Aug 04 2015 10:12:11

Executing: /oracle/prodR12/fs2/EBSapps/comn/util/jdk32/jre/bin/java  -Djava.security.egd=file:/dev/urandom sun.security.tools.JarSigner -keystore  ********  -sigfile CUST -signedjar /oracle/prodR12/fs2/EBSapps/comn/java/classes/oracle/apps/fnd/jar/benall.jar.sig /oracle/prodR12/fs2/EBSapps/comn/java/classes/oracle/apps/fnd/jar/benall.jar.uns EBSJavaCode

ERROR: JarSigner subcommand exited with status 1

JarSigner standard output:
jarsigner: unable to recover key from keystore

JarSigner error output:
Enter Passphrase for keystore: Enter key password for EBSJavaCode:

Second thing: when I do jarsigner -verify -verbose -certs I get the following:
    [CertPath not validated: Path does not chain with any of the trust anchors]

thanks again for any help you can offer .. this is driving me crazy! thanks Kathy
Re: java certificates jarsigner: unable to recover key from keystore

ErmanArslansOracleBlog
Administrator
Did you see my last update regarding "unable to recover key from keystore"?

Also,

If you are using your private Root CA to sign jar files, then add the new Root CA to java cacerts.
Otherwise, when running jarsigner -verify -verbose -certs on a signed jar file, you might see an error due to trust anchors not available in the certificate chain:
   [CertPath not validated: Path does not chain with any of the trust anchor