Getting "Keystore was tampered with, or password was incorrect" error after configuring SSL for Edge UI

We configured the SSL for Edge UI on Private Cloud 4.16.05 based on the instructions provided here.

However, when we try to launch the UI as https://<IP address>:<port#> we got the below error in the browser:

This site can’t be reached
<IP address> took too long to respond.
Try:
Checking the connectionChecking the proxy and the firewallRunning Network Diagnostics
ERR_CONNECTION_TIMED_OUT

So we tried to run the curl command as follows:

curl -v [https://0:9443/login](https://0:9443/login)

When we checked the edge-ui.log we saw the following exception:

java.lang.reflect.InvocationTargetException: null
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[na:1.8.0_121]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[na:1.8.0_121]
        at play.core.server.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:82) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
Caused by: java.lang.Exception: Error loading HTTPS keystore from /opt/apigee/customer/conf/keystore.jks
        at play.core.server.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:43) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at play.core.server.DefaultSSLEngineProvider.<init>(DefaultSSLEngineProvider.scala:19) ~[com.typesafe.play.play_2.11-2.3.10.jar:2.3.10]
        at services.CustomSSLEngineProvider.<init>(CustomSSLEngineProvider.scala:23) ~[enterpriseui.enterpriseui-4.16.05.06-df43663-20161229-233745.jar:4.16.05.06-df43663-20161229-233745]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.8.0_121]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[na:1.8.0_121]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
        at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) ~[na:1.8.0_121]
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) ~[na:1.8.0_121]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) ~[na:1.8.0_121]
        at java.security.KeyStore.load(KeyStore.java:1445) ~[na:1.8.0_121]

I have passed on the right password in the configFile while configuring the SSL.

Can someone help how to fix this issue ?

After some investigation, I found the cause for this issue as follows:

1. Used different password while creating PKCS12 file and converting PKCS12 file to a JKS file (Configuring TLS/SSL for Edge On Premises  |  Edge for Private Cloud v4.16.05  |  Apigee Docs).

   • As per the information given here, we should use the same password.

2. Used the obfuscated password for KEY_PASS in the configFile used for configuring the SSL. This is incorrect. We should be using the password as is without encrypting it.

Re-created the JKS file by using the same password and then used the password as is in the configFile. Configured the SSL for Edge UI. We are no longer seeing the exception “Keystore was tampered with, or password was incorrect”.

Just to re-iterate the complete steps to configure SSL for Edge UI:

Assuming you already have the certificate and private key files in PEM format, follow the below steps to configure SSL for Edge UI.

1. Create the PKCS12 file from your certificate and private key files

   openssl pkcs12 -export -clcerts -in opdk-ui-certificate.pem -inkey opdk-ui-key.pem -out keystore.pkcs12
   

   • Note: You need to enter the password as part of the command, let’s say you entered “keystore123”.

2. Convert the PKCS12 file to a JKS file named keystore.jks using the below command:

   keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
   

   • Note: You need to enter the password as part of the above command again. Ensure that you use the same password used in step #1, that is, “keystore123” .

3. Ensure that your TLS port (for ex: 9443) is open

   iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 9443 -j ACCEPT --verbose
   
   

4. Create a configFile with the following contents:

   HTTPSPORT=9443
   DISABLE_HTTP=n
   KEY_ALGO=JKS
   KEY_FILE_PATH=/tmp/mykeystore.jks
   KEY_PASS=keystore123
   
   

   • Note:Ensure the password is specified as is for KEY_PASS (i.e., don’t use the encrypted version of the password).

5. Run the following command to configure the SSL for

   /<inst_root>/apigee/apigee-service/bin/apigee-service edge-ui configure-ssl -f configFile
   
   

6. Access the Edge UI using https and see if it works.

This works Thanks a lot.

Regards,

Salman

@Stephen Gilson,

Can you please update the docs with this information ?

@AMAR DEVEGOWDAI think the only issue with the doc is to say to use the same password for both the PKCS12 file and JKS file, correct?

Stephen

@sgilson,

1. The same password should be used for both PKCS12 and JKS files

2. We should use unencrypted password in the config file

Thanks @AMAR DEVEGOWDA

Doc updated.

Stephen