Troubleshooting Deployment - Keystore and Truststore

Troubleshooting Keystore and Truststore - Non-FIPS mode

Problem: UCMDB server startup failed, and the startup.log shows a message similar to the following:

2017-05-04 08:32:17,074  ERROR  [WrapperSimpleAppMain] (JettyManager.java:247) - Failure starting jetty server
MultiException[java.io.IOException: Keystore was tampered with, or password was incorrect, java.io.IOException: Keystore was tampered with, or password was incorrect]
	at org.eclipse.jetty.server.Server.doStart(Server.java:329)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
	at com.mercury.topaz.cmdb.server.manage.servlet.JettyManager.startServer(JettyManager.java:243)
	at com.mercury.topaz.cmdb.server.manage.Framework.doStart0(Framework.java:242)
	at com.mercury.topaz.cmdb.server.manage.Framework.access$100(Framework.java:102)	
	at com.mercury.topaz.cmdb.server.manage.Framework$2.executeInContext(Framework.java:221)	
	at com.mercury.topaz.cmdb.server.manage.Framework$2.executeInContext(Framework.java:218)
	at com.mercury.topaz.cmdb.shared.manage.AuthorizationContextUtils.executeInSystemAuthorizationContext(AuthorizationContextUtils.java:24)
	at com.mercury.topaz.cmdb.server.manage.Framework.start0(Framework.java:218)
	at com.mercury.topaz.cmdb.server.manage.Framework.doStartUp(Framework.java:204)
	at com.mercury.topaz.cmdb.server.manage.Framework.access$000(Framework.java:102)
	at com.mercury.topaz.cmdb.server.manage.Framework$1.executeInContext(Framework.java:186)
	at com.mercury.topaz.cmdb.server.manage.Framework$1.executeInContext(Framework.java:183)
	at com.mercury.topaz.cmdb.shared.manage.AuthorizationContextUtils.executeInSystemAuthorizationContext(AuthorizationContextUtils.java:24)
	at com.mercury.topaz.cmdb.server.manage.Framework.startUp(Framework.java:183)
	at com.hp.ucmdb.server.Main.startFramework(Main.java:34)	
	at com.hp.ucmdb.server.Main.main(Main.java:23)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)	
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
	at java.lang.Thread.run(Thread.java:745)	

Solution A:

Check the verify_store_pass.log (in the C:\UCMDB\UCMDBServer\runtime\log folder). If you see the following message:

INFO: server-storepass.conf file exists and it contains keystore and truststore.

Do the following:

  1. Stop the UCMDB Server.

  2. Run the following commands.

    1. Check keystore password.

      Windows:

      From C:\UCMDB\UCMDBServer\bin\jre\bin, run the following command:

      keytool -list -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore

      Linux:

      From /opt/UCMDB/UCMDBServer/bin/jre/bin, run the following command:

      ./keytool -list -keystore /opt/UCMDB/UCMDBServer/conf/security/server.keystore

      Enter the password that you set up during the installation of UCMDB server. If you see the following message:

      keytool error: java.io.IOException:Keystore was tampered with, or password was incorrect. 

      then the password was not set properly, and you need to change the keystore and truststore passwords using keytool.

    2. Change the store password:

      Windows:

      keytool -storepasswd -new <new_keystore_pass> -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore -storepass <current_keystore_pass>

      Linux:

      ./keytool -storepasswd -new <new_keystore_pass> -keystore /opt/UCMDB/UCMDBServer/conf/security/server.keystore -storepass <current_keystore_pass>
    3. Change the key password (if the store is not empty):

      Windows:

      keytool -keypasswd -alias <alias> -keypass <currentPass> -new <newPass> -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore

      Linux:

      ./keytool -keypasswd -alias <alias> -keypass <currentPass> -new <newPass> -keystore /opt/UCMDB/UCMDBServer/conf/security/server.keystore
    4. Change the trust store password:

      Windows:

      keytool -storepasswd -new <new_truststore_pass> -keystore  C:\UCMDB\UCMDBServer\conf\security\server.truststore -storepass <current_truststore_pass>

      Linux:

      ./keytool -storepasswd -new <new_truststore_pass> -keystore  /opt/UCMDB/UCMDBServer/conf/security/server.truststore -storepass <current_truststore_pass>
  3. Start the UCMDB Server service.
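
The password check in step 2 can also be scripted and run for both stores before the server is restarted. This is an added example, not part of the product documentation; the function name check_store and the KEYTOOL variable are assumptions, and the password is handed to keytool with its -storepass:env modifier so that it stays off the command line.

```sh
#!/bin/sh
# Added example: scripted form of the "Check keystore password" step.
# KEYTOOL defaults to the Linux path given on this page; override as needed.
KEYTOOL="${KEYTOOL:-/opt/UCMDB/UCMDBServer/bin/jre/bin/keytool}"

# check_store <store_file> <name_of_exported_variable_holding_the_password>
# Return codes: 0 store opens, 1 password rejected,
#               2 precondition missing, 3 other keytool failure.
check_store() {
    cs_store="$1"
    cs_var="$2"
    [ -f "$cs_store" ] || { echo "store not found: $cs_store" >&2; return 2; }
    [ -x "$KEYTOOL" ] || { echo "keytool not found: $KEYTOOL" >&2; return 2; }
    # printenv only sees exported variables, which is what keytool will see too.
    [ -n "$(printenv "$cs_var")" ] || { echo "$cs_var is not exported" >&2; return 2; }
    # -storepass:env tells keytool to read the password from the named
    # environment variable instead of taking it as an argument.
    if cs_out="$("$KEYTOOL" -list -keystore "$cs_store" -storepass:env "$cs_var" 2>&1)"; then
        return 0
    fi
    case "$cs_out" in
        *"Keystore was tampered with, or password was incorrect"*) return 1 ;;
        *) echo "$cs_out" >&2; return 3 ;;
    esac
}

# Usage (KS_PASS and TS_PASS are hypothetical variable names, exported beforehand):
#   check_store /opt/UCMDB/UCMDBServer/conf/security/server.keystore   KS_PASS
#   check_store /opt/UCMDB/UCMDBServer/conf/security/server.truststore TS_PASS
```

A return code of 1 from either call corresponds to the keytool error shown in step 2 and means the store password still has to be changed.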

Solution B:

Check the verify_store_pass.log. If you see the following message:

INFO:  keystore password and truststore password don't exist.

Or the following:

INFO:  server-storepass.conf file doesn't exist.

Do the following:

  1. Generate the server-storepass.conf file.

    Windows:

    From the C:\UCMDB\UCMDBServer\bin folder, run the following command:

    key-truststore.bat <fips_mode> <new_keystore_pass> <new_truststore_pass>

    Linux:

    From the /opt/UCMDB/UCMDBServer/bin folder, run the following command:

    ./key-truststore.sh <fips_mode> <new_keystore_pass> <new_truststore_pass>

    where <fips_mode> can be set only to true or false. For a non-FIPS mode UCMDB server, set <fips_mode> to false.

  2. Stop the UCMDB Server.
  3. Change the keystore and truststore passwords with keytool.

    From the C:\UCMDB\UCMDBServer\bin\jre\bin (Windows) or /opt/UCMDB/UCMDBServer/bin/jre/bin (Linux) folder, run the following commands:

    1. Change the store password:

      Windows:

      keytool -storepasswd -new <new_keystore_pass> -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore -storepass <current_keystore_pass>

      Linux:

      ./keytool -storepasswd -new <new_keystore_pass> -keystore /opt/UCMDB/UCMDBServer/conf/security/server.keystore -storepass <current_keystore_pass>
    2. Change the key password (if the store is not empty):

      Windows:

      keytool -keypasswd -alias <alias> -keypass <currentPass> -new <newPass> -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore

      Linux:

      ./keytool -keypasswd -alias <alias> -keypass <currentPass> -new <newPass> -keystore /opt/UCMDB/UCMDBServer/conf/security/server.keystore
    3. Change the trust store password:

      Windows:

      keytool -storepasswd -new <new_truststore_pass> -keystore C:\UCMDB\UCMDBServer\conf\security\server.truststore -storepass <current_truststore_pass>

      Linux:

      ./keytool -storepasswd -new <new_truststore_pass> -keystore /opt/UCMDB/UCMDBServer/conf/security/server.truststore -storepass <current_truststore_pass>
  4. Start the UCMDB Server service.

Solution C:

If you changed only the keystore password or only the truststore password during UCMDB server installation, and server startup then failed with error messages in the startup.log similar to those shown above, follow the instructions provided in Solution A or Solution B, but change the keystore password or truststore password that you set during installation.

For example, if you changed only the truststore password during installation and you need to generate server-storepass.conf, run the following command:

Windows: key-truststore.bat <fips_mode> null <new_truststore_pass>

Linux: ./key-truststore.sh <fips_mode> null <new_truststore_pass>
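
Which solution applies is decided by the message in verify_store_pass.log. The script below is an added example, not part of the product documentation; it maps the log messages quoted on this page to Solution A or B, using hypothetical function names and constructed sample logs, and assumes the log may hold entries from more than one startup.

```sh
#!/bin/sh
# Added example: map the log messages quoted on this page to Solution A or B.

# has_keystore_error <startup.log>: succeeds if the Jetty startup failure is present.
has_keystore_error() {
    grep -q 'Keystore was tampered with, or password was incorrect' "$1" 2>/dev/null
}

# pick_solution <verify_store_pass.log>: prints A, B or unknown.
# Only the last recognised message decides, so older entries are ignored.
# "don.t" / "doesn.t" match the apostrophe without breaking the shell quoting.
pick_solution() {
    [ -r "$1" ] || { echo unknown; return 0; }
    awk '
        /server-storepass\.conf file exists and it contains keystore and truststore/ { s = "A" }
        /keystore password and truststore password don.t exist/ { s = "B" }
        /server-storepass\.conf file doesn.t exist/ { s = "B" }
        END { print (s == "" ? "unknown" : s) }
    ' "$1"
}

# Constructed sample logs (not taken from a real server).
demo_dir="$(mktemp -d)"
printf '%s\n' \
  "2017-05-04 08:32:17,074  ERROR  [WrapperSimpleAppMain] (JettyManager.java:247) - Failure starting jetty server" \
  "MultiException[java.io.IOException: Keystore was tampered with, or password was incorrect]" \
  > "$demo_dir/startup.log"
printf '%s\n' \
  "INFO:  server-storepass.conf file doesn't exist." \
  "INFO: server-storepass.conf file exists and it contains keystore and truststore." \
  > "$demo_dir/verify_store_pass.log"

if has_keystore_error "$demo_dir/startup.log"; then
    echo "Follow Solution $(pick_solution "$demo_dir/verify_store_pass.log")"
fi
```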

 

Problem: You changed the schema in UCMDB Server, the server startup failed, and the startup.log shows the following message:

2017-05-04 08:32:17,074  ERROR  [WrapperSimpleAppMain] (JettyManager.java:247) - Failure starting jetty server
MultiException[java.io.IOException: Keystore was tampered with, or password was incorrect, java.io.IOException: Keystore was tampered with, or password was incorrect]
at org.eclipse.jetty.server.Server.doStart(Server.java:329)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
at com.mercury.topaz.cmdb.server.manage.servlet.JettyManager.startServer(JettyManager.java:243)
at com.mercury.topaz.cmdb.server.manage.Framework.doStart0(Framework.java:242)
at com.mercury.topaz.cmdb.server.manage.Framework.access$100(Framework.java:102)
at com.mercury.topaz.cmdb.server.manage.Framework$2.executeInContext(Framework.java:221)
at com.mercury.topaz.cmdb.server.manage.Framework$2.executeInContext(Framework.java:218)
at com.mercury.topaz.cmdb.shared.manage.AuthorizationContextUtils.executeInSystemAuthorizationContext(AuthorizationContextUtils.java:24)
at com.mercury.topaz.cmdb.server.manage.Framework.start0(Framework.java:218)
at com.mercury.topaz.cmdb.server.manage.Framework.doStartUp(Framework.java:204)
at com.mercury.topaz.cmdb.server.manage.Framework.access$000(Framework.java:102)
at com.mercury.topaz.cmdb.server.manage.Framework$1.executeInContext(Framework.java:186)
at com.mercury.topaz.cmdb.server.manage.Framework$1.executeInContext(Framework.java:183)
at com.mercury.topaz.cmdb.shared.manage.AuthorizationContextUtils.executeInSystemAuthorizationContext(AuthorizationContextUtils.java:24)
at com.mercury.topaz.cmdb.server.manage.Framework.startUp(Framework.java:183)
at com.hp.ucmdb.server.Main.startFramework(Main.java:34)
at com.hp.ucmdb.server.Main.main(Main.java:23)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:325)
at java.lang.Thread.run(Thread.java:745)

Solution: You need to regenerate server-storepass.conf, because the new schema does not store any keystore or truststore passwords.

  • If you remember what passwords were specified previously, you can generate the server-storepass.conf file with the following command:

    Windows: key-truststore.bat <fips_mode> <new_keystore_pass> <new_truststore_pass>

    Linux: ./key-truststore.sh <fips_mode> <new_keystore_pass> <new_truststore_pass>

    where <fips_mode> can be set only to true or false. For a non-FIPS mode UCMDB server, set <fips_mode> to false.

  • If you don't remember the passwords, follow the instructions in Solution B to regenerate the passwords.