JKS Keystores - Pain with Passwords

I had a requirement to demonstrate how one could easily change the password of a JKS keystore that is being used by WebSphere Liberty Profile.

However, I kept seeing an annoying exception once I changed the password.

This was what I did: -

Create Keystore

/opt/ibm/WebSphere/Liberty/bin/securityUtility createSSLCertificate --server=defaultServer --password=passw0rd --validity=365

Created SSL certificate for server defaultServer. The certificate is created with CN=rhel7.uk.ibm.com,OU=defaultServer,O=ibm,C=us as the SubjectDN.

Add the following lines to the server.xml to enable SSL:

    <featureManager>
        <feature>ssl-1.0</feature>
    </featureManager>
    <keyStore id="defaultKeyStore" password="{xor}Lz4sLChvLTs=" />


I happily added the suggested lines to server.xml and all was well.

I then progressed: -

Validate Old Password

keytool -list -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -storepass passw0rd

Change the keystore password

keytool -storepasswd -new davehay -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -storepass passw0rd

Validate New Password

keytool -list -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -storepass davehay -v

This in effect changes the password FROM passw0rd TO davehay.

Generate the XOR Encoded version of the new password

/opt/ibm/WebSphere/Liberty/bin/securityUtility encode

which results in: -

{xor}Oz4pOjc+Jg==

which I entered into my server.xml
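For reference, here is what securityUtility encode does by default. This is an added example, not IBM's code or anything from the original post: the {xor} scheme XORs every byte of the password with the ASCII underscore (0x5F, decimal 95) and Base64-encodes the result, so it is reversible by anyone who can read server.xml and is obfuscation rather than encryption. The script reproduces the two encoded values shown above and decodes them again; it assumes a POSIX shell with od, base64 and sed on the PATH.

```shell
#!/bin/sh
# Added example, not IBM's code: Liberty's "{xor}" password encoding reproduced so the
# two values in the post can be checked. Each byte of the clear text is XORed with 95
# ('_') and the result is Base64-encoded; decoding is the same operation in reverse.

# Read bytes from stdin (od prints one unsigned decimal per byte), XOR each with 95,
# and write the resulting raw bytes to stdout.
xor_bytes() {
  for b in $(od -An -v -tu1); do
    printf "\\$(printf '%03o' $((b ^ 95)))"
  done
}

# xor_encode CLEARTEXT  -> {xor}BASE64
xor_encode() {
  printf '{xor}%s' "$(printf '%s' "$1" | xor_bytes | base64 | tr -d '\n')"
}

# xor_decode '{xor}BASE64' -> CLEARTEXT
xor_decode() {
  printf '%s' "$1" | sed 's/^{xor}//' | base64 -d | xor_bytes
}

# Demonstration with the two encodings that appear in the post.
for pw in passw0rd davehay; do
  enc=$(xor_encode "$pw")
  printf '%-10s -> %-18s -> %s\n' "$pw" "$enc" "$(xor_decode "$enc")"
done
```

Because the encoding gives no confidentiality, the file permissions on server.xml are what actually protect the password; securityUtility encode --encoding=aes is the stronger option when the value must not be recoverable from the configuration file alone.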

However, when I restarted Liberty and checked the messages.log file, I saw: -

[04/12/17 13:43:27:640 GMT] 0000001b com.ibm.ws.ssl.provider.AbstractJSSEProvider                 E CWPKI0813E: Error while trying to initialize the keymanager for the keystore [/opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks]. The private key password is not correct or the keystore has multiple private keys with different passwords.  This keystore can not be used for SSL.  Exception message is: [Cannot recover key].
[04/12/17 13:43:27:651 GMT] 0000001b com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "java.security.UnrecoverableKeyException: Cannot recover key: invalid password for key in file '/opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks' com.ibm.ws.ssl.provider.IBMJSSEProvider getKeyTrustManagers" at ffdc_17.12.04_13.43.27.0.log
[04/12/17 13:43:27:684 GMT] 0000001b com.ibm.ws.logging.internal.impl.IncidentImpl                I FFDC1015I: An FFDC Incident has been created: "java.security.UnrecoverableKeyException: Cannot recover key: invalid password for key in file '/opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks' com.ibm.ws.ssl.config.SSLConfigManager initializeServerSSL" at ffdc_17.12.04_13.43.27.1.log


It took me a while, and then I realised what was going on.

When I created the keystore, the process also created a public/private key pair, which it stored within the … KEY STORE, protected by the SAME password, i.e. passw0rd.

When I changed the password of the KEY STORE, I did NOT also change the password of the KEY itself.

So I updated my process: -

Change to new Password - storepass

keytool -storepasswd -new davehay -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -storepass passw0rd

Change to new Password - keypass

keytool -keypasswd -all -new davehay -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -keypass passw0rd -storepass davehay

Note that -keypass here is the OLD key password ( passw0rd, which is also the OLD keystore password ), -new is the NEW key password, and -storepass is the NEW keystore password, which was already changed in the previous step.

Simple eh ?

Validate New Password

keytool -list -keystore /opt/ibm/WebSphere/Liberty/usr/servers/defaultServer/resources/security/key.jks -storepass davehay -v

In summary, there's a KEYSTORE password and a KEY password; if you want them to be the same, you need to change BOTH.

Otherwise, I'd have to configure Liberty for TWO different passwords.
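The whole sequence end to end, as an added example rather than the post's own commands: the script below builds a throwaway JKS keystore with any JDK's keytool, repeats the storepass-only change to show that the private key then refuses the new password (the same java.security.UnrecoverableKeyException that sits behind CWPKI0813E), and then applies the two-step fix. The alias default, the CN and the temporary directory are constructed; it uses -alias per entry rather than -all so that it works with the standard keytool. As in the post, the passwords are passed on the command line, which leaves them visible in process listings and shell history, so run it only against throwaway stores.

```shell
#!/bin/sh
# Added example, not from the post: reproduce the storepass/keypass mismatch on a
# throwaway JKS keystore and then apply the two-step fix, using any JDK's keytool.
# The alias "default" and the CN are constructed; passw0rd/davehay are the post's values.
set -eu

command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH (install a JDK)" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KS="$WORK/key.jks"
ALIAS=default
OLD=passw0rd
NEW=davehay

# A JKS store holding one private key, with store and key password both equal,
# which is what securityUtility createSSLCertificate leaves you with.
make_keystore() {
  rm -f "$KS"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 1 \
    -dname "CN=example.test" -keystore "$KS" -storetype JKS \
    -storepass "$1" -keypass "$1" >/dev/null 2>&1
}

# key_password_is STOREPASS CANDIDATE: succeeds only if CANDIDATE unlocks the private
# key. keytool -keypasswd with an explicit -keypass reads the key first and fails with
# "Cannot recover key" when that password is wrong; with -new equal to the current
# value a success changes nothing, so this is a safe, non-interactive probe.
key_password_is() {
  keytool -keypasswd -alias "$ALIAS" -keystore "$KS" -storetype JKS \
    -storepass "$1" -keypass "$2" -new "$2" >/dev/null 2>&1
}

# The corrected procedure from the post: rotate the store password, then the key
# password, authenticating to the key with the OLD value and to the store with the NEW one.
rotate_jks_password() {
  keytool -storepasswd -keystore "$KS" -storetype JKS -storepass "$1" -new "$2" >/dev/null 2>&1
  keytool -keypasswd -alias "$ALIAS" -keystore "$KS" -storetype JKS \
    -storepass "$2" -keypass "$1" -new "$2" >/dev/null 2>&1
}

# Walk through the mistake and then the fix; prints one word per outcome.
demo() {
  make_keystore "$OLD"
  # Step 1 only, as originally done: the store opens with $NEW but the key does not.
  keytool -storepasswd -keystore "$KS" -storetype JKS -storepass "$OLD" -new "$NEW" >/dev/null 2>&1
  if key_password_is "$NEW" "$OLD" && ! key_password_is "$NEW" "$NEW"; then
    printf 'mismatch '
  fi
  # Start again and apply both steps.
  make_keystore "$OLD"
  rotate_jks_password "$OLD" "$NEW"
  if key_password_is "$NEW" "$NEW"; then
    printf 'fixed\n'
  fi
}

demo
```

The key_password_is probe is the check worth keeping: run it against a real keystore after any password change, and a failure tells you a key entry still carries the old password before Liberty does.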

Easy when you know how :-)




http://portal2portal.blogspot.com/2017/12/jks-keystores-pain-with-passwords.html
Dec 04, 2017