Wednesday, June 15, 2016

keytool error "java.lang.Exception: Cannot derive signature algorithm" When Creating a Keystore with AES

When working with Java keystores (JKS or JCEKS), especially in environments like Oracle Utilities Application Framework (OUAF), creating keys correctly is critical for SSL and application integration. This post covers a common error:

java.lang.Exception: Cannot derive signature algorithm

keytool reports it when asked to generate a key pair with a symmetric algorithm such as AES. -genkeypair wraps the new public key in a self-signed certificate, and signing that certificate needs a signature algorithm that matches the key type (SHA256withRSA for RSA, SHA256withECDSA for EC). AES has no signature algorithm, so keytool cannot derive one.


Step 1

The command that produced the error:

keytool -genkeypair -alias ouaf.system -keyalg AES -keystore /u02/app/oracle/product/OUAF/OMCCB/ouafkeystore.jks -keysize 128 -storetype JCEKS -dname "CN=omccb,OU=Andavatit,O=adavattecht,C=AE" -validity 365

Understanding the Root Cause
-genkeypair is used for asymmetric keys (e.g., RSA), not symmetric keys like AES.
AES is a symmetric encryption algorithm and doesn’t support public/private key pairs or digital signatures.

Step 2

With AES we cannot use -genkeypair (or its older alias -genkey): both generate a public key and its private key, so they only work with asymmetric algorithms. The command for a symmetric key is -genseckey, which stores the key as a SecretKeyEntry. Two details matter: the store type must be JCEKS (the JKS format has no entry type for secret keys), and -dname and -validity describe a certificate, so a secret key has neither. Check the result with keytool -list -storetype JCEKS; the alias is listed as SecretKeyEntry.

cissys @ omccb/home/cissys >cat ss.sh

keytool -genseckey -alias ouaf.system -keyalg AES -keysize 128 -keystore /u02/app/oracle/product/OUAF/OMCCB/ouafkeystore.jks -storetype JCEKS

cissys @ omccb.oasiserp.com/home/cissys >


cissys @ omccb.oasiserp.com/home/cissys >./ss.sh
Enter keystore password:
Re-enter new password:
Enter key password for <ouaf.system>
        (RETURN if same as keystore password):
Re-enter new password:


Steps for Creating a Private CA and a CA-Signed Server Certificate (a Minimal PKI)

Step 1: Create the CA Root Key and Self-Signed CA Certificate

root_cert.sh is a wrapper around openssl req. From its output it generates a 4096-bit RSA CA key, protects it with a passphrase and writes it to cakey.pem; the matching self-signed CA certificate, cacert.pem, is what Step 4 signs with and Step 5 imports. Keep this key off the application server: whoever holds cakey.pem and its passphrase can issue certificates that every keystore trusting cacert.pem will accept.

$ ./root_cert.sh
Generating a 4096 bit RSA private key
.............................................................................................................................................................................................................++
..........................................++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:Dubai
Locality Name (eg, city) []:Dubai
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name
Organizational Unit Name (eg, section) []:OICIT
Common Name (e.g. server FQDN or YOUR name) []:omccb.
Email Address []:palaneandavar@alshirawi.ae


Step 2: Create an RSA Public/Private Key Pair for SSL

-genkey is the legacy spelling of -genkeypair; both produce a PrivateKeyEntry with a self-signed certificate. Passing -keypass and -storepass on the command line puts the passwords into shell history and into the process list visible to other users on the host; omit them to be prompted, or use -storepass:env VAR and -keypass:env VAR to read them from the environment.

keytool -genkey -alias omccb -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "CN=<domain name>,OU=OICIT,O=<company name>,C=AE" -keypass <keypass> -keystore omccb.jks -storepass <Password>
$

$ keytool -list -keystore omccb.jks -storepass <Password>

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

omccb, Jun 15, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:F2:BE:B1:7F:EF:ED:68:D3:42:5C:77:7E:DF:E3:6A:CE:47:B8:DA

Step 3: Generate a CSR (Certificate Signing Request)


$ keytool -certreq -v -alias omccb -file omccb.csr -sigalg SHA256withRSA -keypass <keypass> -storepass <storepass> -keystore omccb.jks
Certification request stored in file <omccb.csr>
Submit this to your CA
$

Step 4: Sign the CSR Using OpenSSL (as CA)

If you are acting as your own CA, sign the CSR with the CA key from Step 1. You will be prompted for the CA key's passphrase.

Three caveats: without -days the certificate is valid for only 30 days; -sha256 avoids a SHA-1 signature on older OpenSSL releases; and openssl x509 -req does not copy extensions from the CSR, so a subjectAltName (which browsers and current TLS libraries require; the CN alone is not enough) together with basicConstraints=CA:FALSE has to be supplied through -extfile.

$ openssl x509 -req -in omccb.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -days 365 -sha256 -out omccb.cer
Signature ok
subject=/C=AE/O=OasisInvestmentC0mpany/OU=OICIT/CN=omccb.oasiserp.com
Getting CA Private Key
Enter pass phrase for cakey.pem:
$

Step 5: Import the CA Root Certificate into the Keystore

Before importing your signed certificate, you must trust the CA root:

$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file cacert.pem -keystore omccb.jks -storepass <Passowrd>
Certificate was added to keystore
[Storing omccb.jks]

Step 6: Import the Signed Certificate Back to the Keystore

Finally, import the signed certificate to complete the keystore. The alias must be the one the key pair was created under in Step 2 (omccb); under any other alias keytool stores the file as a plain trusted certificate instead of installing it as the certificate reply for the private key.

$ keytool -import -v -alias omccb -file omccb.cer -keystore omccb.jks -keypass <keypass> -storepass <storepass>
Certificate reply was installed in keystore
[Storing omccb.jks]
$
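Here are the six steps above collected into one script, together with the -genseckey check from the first post, as an added example; it is not the author's root_cert.sh, not part of OUAF, and not code from the original page. It assumes openssl and keytool on PATH, takes the keystore and CA passphrases from the environment variables KS_PASS and CA_PASS instead of the command line, uses a PKCS12 keystore (switch -storetype to JKS if the application requires it), and uses placeholder names: the organization Example Co, the aliases server, rootca and app.aes, and whatever FQDN you pass in.

```shell
#!/bin/sh
# Added example, not the author's root_cert.sh and not OUAF tooling.
# Assumes openssl and keytool on PATH. Passwords come from the environment
# (KS_PASS, CA_PASS), so they never land in shell history or `ps` output.
# Example Co, the aliases and the FQDN argument are placeholders.
set -eu
: "${KS_PASS:=change-me}"; : "${CA_PASS:=change-me-too}"
export KS_PASS CA_PASS

# First post: a symmetric key is created with -genseckey and needs a JCEKS
# store (JKS has no entry type for secret keys); no -dname, no -validity.
make_secret_key() {   # make_secret_key KS ALIAS
    keytool -genseckey -alias "$2" -keyalg AES -keysize 128 -keystore "$1" \
        -storetype JCEKS -storepass:env KS_PASS -keypass:env KS_PASS
}

# Prints the entry type keytool -list shows for an alias:
# SecretKeyEntry, PrivateKeyEntry or trustedCertEntry.
entry_type() {        # entry_type KS STORETYPE ALIAS
    keytool -list -alias "$3" -keystore "$1" -storetype "$2" \
        -storepass:env KS_PASS | grep -o '[A-Za-z]*Entry' | head -1
}

# Step 1: CA key (passphrase-protected) and self-signed root certificate.
make_ca() {           # make_ca CADIR KEYSIZE
    mkdir -p "$1"
    openssl req -x509 -newkey "rsa:$2" -sha256 -days 3650 \
        -keyout "$1/cakey.pem" -passout env:CA_PASS -out "$1/cacert.pem" \
        -subj "/C=AE/O=Example Co/OU=IT/CN=Example Co Private Root CA" 2>/dev/null
}

# Step 2: RSA key pair with a self-signed placeholder certificate. PKCS12 is
# the current default store type; use -storetype JKS if the application insists.
make_keypair() {      # make_keypair KS ALIAS FQDN KEYSIZE
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize "$4" \
        -sigalg SHA256withRSA -validity 365 \
        -dname "CN=$3,OU=IT,O=Example Co,C=AE" -ext "SAN=dns:$3" \
        -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS -keypass:env KS_PASS
}

# Step 3: CSR for the key pair.
make_csr() {          # make_csr KS ALIAS FQDN OUT
    keytool -certreq -alias "$2" -sigalg SHA256withRSA -ext "SAN=dns:$3" \
        -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS -file "$4"
}

# Step 4: sign as the CA. openssl x509 -req ignores the CSR's extensions, so
# SAN, key usage and CA:FALSE are supplied with -extfile; -days avoids the
# 30-day default and -sha256 avoids SHA-1 on old OpenSSL releases.
sign_csr() {          # sign_csr CADIR CSR FQDN OUT
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$3" > "$4.ext"
    openssl x509 -req -in "$2" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -passin env:CA_PASS -CAcreateserial -days 365 -sha256 \
        -extfile "$4.ext" -out "$4" 2>/dev/null
}

# Steps 5 and 6: trust the root, then install the reply under the key's alias
# (any other alias would store it as a plain trusted certificate).
install_chain() {     # install_chain KS ALIAS CADIR CERT
    keytool -importcert -noprompt -trustcacerts -alias rootca \
        -file "$3/cacert.pem" -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS
    keytool -importcert -noprompt -alias "$2" -file "$4" \
        -keystore "$1" -storetype PKCS12 -storepass:env KS_PASS -keypass:env KS_PASS
}

# Check: number of certificates keytool recorded for the alias (2 = leaf + root).
chain_length() {      # chain_length KS ALIAS
    keytool -list -v -alias "$2" -keystore "$1" -storetype PKCS12 \
        -storepass:env KS_PASS | sed -n 's/^Certificate chain length: *//p'
}

build_pki() {         # build_pki WORKDIR FQDN [KEYSIZE]
    size="${3:-4096}"; ks="$1/keystore.p12"
    mkdir -p "$1"
    make_ca "$1/ca" "$size"
    make_keypair "$ks" server "$2" "$size"
    make_csr "$ks" server "$2" "$1/server.csr"
    sign_csr "$1/ca" "$1/server.csr" "$2" "$1/server.cer"
    install_chain "$ks" server "$1/ca" "$1/server.cer"
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/server.cer"   # prints ...: OK
}

if [ "$#" -ge 2 ]; then        # sh pki.sh /tmp/work app.example.com [keysize]
    build_pki "$1" "$2" "${3:-4096}"
    echo "chain length: $(chain_length "$1/keystore.p12" server)"
fi
```

Run it as sh pki.sh /tmp/work app.example.com; it finishes with openssl verify and the chain length for the server alias, which should be 2. The SAN and CA:FALSE extensions come from the extfile written in sign_csr, since openssl x509 -req does not carry extensions over from the CSR, and the CA key is only ever read through -passin env:CA_PASS, so the signing step can run non-interactively without the passphrase appearing in the command line.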



Wednesday, June 1, 2016

EXIM



Managing and Clearing the Exim Mail Queue on a cPanel Server

When running a cPanel-based mail server, it’s not uncommon to encounter situations where the Exim mail queue grows unexpectedly—sometimes due to spam, mail loops, or misconfigured scripts. Regularly monitoring and clearing the mail queue is essential for maintaining a healthy email environment.

Here is a step-by-step guide on how to view, analyze, and clear Exim's mail queue using command-line tools.

Step 1: Viewing the Exim Mail Queue

exim -bp lists every queued message: age, size, message ID and envelope sender on one line, the recipients indented below it, and *** frozen *** appended to messages Exim has given up retrying for now. exiqsumm reduces that listing to counts per recipient domain.

exim -bp

exim -bp | exiqsumm

root@vserver622 [~]# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

    1     740      2m      2m  alshirawi.ae
    1     677      2m      2m  yahoo.com
---------------------------------------------------------------
    2    1417      2m      2m  TOTAL

This quickly shows you which domains have messages stuck in the queue and how many there are.

Step 2: Removing Messages from the Queue

A. Remove everything

exiqgrep -i|xargs exim -Mrm

exiqgrep -i lists all message IDs.

xargs exim -Mrm deletes each message by its ID.

exim -Mrm deletes messages permanently and sends no bounce to the sender, so on a shared server look before you wipe: exim -Mvh <id> shows a message's headers (including which authenticated account submitted it), and exiqgrep can narrow the selection, for example exiqgrep -zi for frozen messages only or exiqgrep -i -f 'user@example' for a single sender.

If a message is locked, Exim will notify you (e.g., Message ... is locked). A lock means a delivery process is working on that message at the moment; retry after a few minutes or investigate why the message is locked.

B. Alternative Bulk Removal Methods

Both variants work on the raw exim -bp listing. The first keeps only the header lines (they are the ones containing the sender in angle brackets) and takes the message ID from the third field; the second matches header lines by the leading age (2m, 3h, 2d) and builds the exim -Mrm commands itself.

exim -bp | grep "<" | awk '{print $3}' | xargs exim -Mrm

exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

root@vserver622 [/usr/local/cpanel/whostmgr/bin]# exiqgrep -i|xargs exim -Mrm
Message 1b86cI-0000yS-EX is locked

Step 3: Verifying the Mail Queue is Cleared

Re-run the removal and then the summary. Anything still listed was not removed, either because it was locked at the time or because new mail arrived since, and needs a second pass (Step 4).

root@vserver622 [~]# exim -bp | awk '/^ *[0-9]+[mhd]/{print "exim -Mrm " $3}' | bash

root@vserver622 [~]# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

    2    6553      2h      2h  pooae.com
    8    26KB      2h      2h  yahoo.com
---------------------------------------------------------------
   10    32KB      2h      2h  TOTAL

 Step 4: Removing Specific Locked Messages

root@vserver622 [~]# exim -Mrm 1b86cI-0000yS-EX
Message 1b86cI-0000yS-EX has been removed

root@vserver622 [~]# exim -bp | exiqsumm

Count  Volume  Oldest  Newest  Domain
-----  ------  ------  ------  ------

    1     740      0m      0m  alshirawi.ae
    1     677      0m      0m  yahoo.com
---------------------------------------------------------------
    2    1417      0m      0m  TOTAL
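As an added example, not from the original post and not a cPanel or Exim tool, here is the awk one-liner above turned into a selective filter: it parses the exim -bp listing and prints the exim -Mrm commands for frozen messages, bounces (empty envelope sender), one sender, or messages older than N minutes, so the selection can be reviewed before it is piped into sh. It assumes the listing layout described in the comment; SAMPLE_QUEUE is constructed data and its message IDs and addresses are made up.

```shell
#!/bin/sh
# Added example (not from the original post): a selective version of the
# bulk-removal one-liners. It parses `exim -bp` output, which Exim prints as
#   <age> <size> <message-id> <sender>   [*** frozen ***]
#             <recipient> ...
# and prints "exim -Mrm <id>" lines for the messages that match a filter, so
# the selection can be reviewed before it is piped into sh.
set -eu

# Constructed sample listing; IDs and addresses are made up, not real queue data.
SAMPLE_QUEUE='
 2m   740 1b86cI-0000yS-EX <bulk@example.net>
          user1@example.com

 3h  1.2K 1b86cJ-0000yT-Fa <> *** frozen ***
          postmaster@example.org

 2d   677 1b86cK-0000yU-Gb <alice@example.org>
          bob@example.com
          carol@example.com
'

# queue_ids MODE  - reads a listing on stdin, prints the matching message IDs.
# MODE: all | frozen | bounces (empty envelope sender, typically backscatter)
#       | sender:REGEX | older:N (age in minutes)
queue_ids() {
    awk -v mode="$1" '
        # header lines start with an age such as 2m, 3h, 2d, 1w (not recipients)
        /^ *[0-9]+[mhdwy] / {
            age = $1; id = $3; sender = $4
            n = substr(age, 1, length(age) - 1); u = substr(age, length(age))
            mins = n * ((u == "m") ? 1 : (u == "h") ? 60 : (u == "d") ? 1440 : (u == "w") ? 10080 : 525600)
            keep = 0
            if (mode == "all") keep = 1
            else if (mode == "frozen") keep = ($0 ~ /\*\*\* frozen \*\*\*/)
            else if (mode == "bounces") keep = (sender == "<>")
            else if (mode ~ /^sender:/) keep = (sender ~ substr(mode, 8))
            else if (mode ~ /^older:/) keep = (mins > substr(mode, 7) + 0)
            if (keep) print id
        }'
}

# rm_commands MODE - turn the selection into commands; review them, then pipe to sh.
rm_commands() { queue_ids "$1" | sed 's/^/exim -Mrm /'; }

# Live use: review first, then execute.
#   exim -bp | rm_commands frozen
#   exim -bp | rm_commands frozen | sh
# Stand-alone run against the sample: sh queue.sh older:60
if [ "$#" -ge 1 ]; then
    printf '%s' "$SAMPLE_QUEUE" | rm_commands "$1"
fi
```

Against the sample, frozen and bounces both select only the second message, older:60 selects the second and third, and sender:bulk@ selects the first. Locked messages still fail with "Message ... is locked" when the generated commands run; rerun the same selection after the delivery attempt has finished.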

Conclusion

Regularly monitoring and managing the Exim mail queue is essential for email delivery health on any cPanel server. With these command-line tools, you can quickly identify, summarize, and clean up problematic or stuck mail, ensuring that your users experience reliable email service.



Pro Tip:

If you regularly encounter large queues or locked messages, investigate the root cause rather than only clearing the symptoms: read the headers of a few queued messages with exim -Mvh <id> to see which account or script submitted them, check /var/log/exim_mainlog (exigrep <id> pulls out everything logged for one message) for authentication failures or a compromised mailbox password, and consider rate limiting outbound mail per account so the next incident stays contained.