Hi,
I'm trying to connect Splunk to Cisco ISE using pxGrid. I have followed the instructions in the doc "How To 102: Splunk & pxGrid Adaptive Network Control (ANC) Mitigation Workflow Actions" but I get an error stating "Cannot recover key". Now, I know that the passwords for the JKS files are correct because I get a different error if I use a deliberately wrong password and 'keytool' can list the details of the keys and certs within the JKS files when used with the correct password.
So the question is: which key is it trying to recover at this point? What debugging can I turn on?

root@splunk:/opt/splunk/etc/apps/Splunk_TA_cisco-ise/bin/lib# java -jar pxGrid_Search.jar pxgrid.myorg.net splunk ../certs/splunk-01.jks PaSsWoRd ../certs/ca.jks PaSsWoRd 1.1.1.1 quarantine_ip
java.security.UnrecoverableKeyException: Cannot recover key
	at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
	at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
	at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
	at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
	at java.security.KeyStore.getKey(KeyStore.java:1023)
	at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
	at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
	at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
	at org.jivesoftware.smack.XMPPConnection.proceedTLSReceived(XMPPConnection.java:784)
	at org.jivesoftware.smack.PacketReader.parsePackets(PacketReader.java:267)
	at org.jivesoftware.smack.PacketReader.access$000(PacketReader.java:43)
	at org.jivesoftware.smack.PacketReader$1.run(PacketReader.java:70)

Thanks for any assistance,
Mike.
The password for the private key within the keystore was different to the password for the keystore itself (see http://karim-ouda.blogspot.com/2010/07/errors-solutions-5.html).