webMethods 10.3

In external application “KeyStore Explorer” I have create a pfx file containing a sign and a crypt certificate just like we normally do. The new thing this time is, that the CA/root certificate used is now 4096 bytes whereas it was previously 2048 bytes.

Error message is:

"Error: cannot load the keystore for alias ‘xx’. Details: attempt to initialize keystore using location(config\security\keystore\danskebank-live_v2.pfx) failed.

https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files3/5623ab3e06fd040bb35edb7c90c88dc980b3b599_2_1035x543.png 1.5x, https://higherlogicdownload.s3.amazonaws.com/IMWUC/webMethods/Files/5623ab3e06fd040bb35edb7c90c88dc980b3b599.png 2x" data-dominant-color="F1F3F3">

image1263×663 19 KB

Question: Does webMethods 10.3 support certificates of 4096 bytes and where can I see if it does?

Question: Do you have any idea why this fails? I am pretty sure, that the provided password is correct and that the location specified is also correct and the .pfx file looks also correct in KeyStore Explorer.

I really hope this can be solved…

Regards Mikael

we have confirmed that it is not the issue with the key of length 4096 bits.

Hi Mikael,

might it be that the IS is not able to detect which one of the two certificates (sign or crypt) should be used for the Keystore?

Best Practise in my opinion is, to collect all Root and Intermediate CAs in a separate truststore jks-file and one end certificate with its private key in a dedicated P12-Keystore-File each.

After loading all these stores under Keystore section you can the map the certificates under the Certificates section to the designated purposes.

See IS Administrators Guide for further informations.

Regards,
Holger

Hi Holger

Thanks for the reply. However, it has been working with this setup before and also currently in our prod environment:

kind regards Mikael

Hi Mikael,

in this case you should try to increase log level to see why the IS is unable to load the keystore.
Hopefully you will get a more detailed error message then.

Regards,
Holger

Hi Holger

Increasing the log level unfortunately gave me nothing extra to go by. Any other suggestions?

Kind regards and have a nice weekend

If increasing the logging level for facility 139 Keystore to trace hasn’t shed any light in the server log, Then I would suggest looking into the Error logs at Admin UI->Logs->Error Log with the stacktrace expanded to give you more hints.
It could be a file system related issue as well.

-NP

Hi Nagendra

thanks for your answer. Maybe I set up the trace logging wrongly. Would it be possible for you to specify, exactly how I should set up the extended logging to retrieve the details error message when I try to create a new keystore Alias?

Kind regards Mikael

It turned out, that the reason was, that we were using a version of Keystore Explorer which was not compatible with webMethods 10.3 seemingly. Using Keystore Explorer version 5.44 together with java version jdk 8. 261 did the trick