OnCommand API Services use CA-issued certificate with non-default password

Hi,

I'm trying to use a CA-issued certificate instead of a self-signed certificate.

If I use a Java Keystore File (JKS) with the default password 'changeit', everything works as expected, but if I try to use a non-default password I get the following error:

2017-08-23 14:40:05,233 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.server.controller.management.security_realm.SSLRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.SSLRealm.key-manager: JBAS015229: Unable to start service
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154)
at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_73]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_73]
at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_73]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) [rt.jar:1.8.0_73]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source) [rt.jar:1.8.0_73]
at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source) [rt.jar:1.8.0_73]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source) [rt.jar:1.8.0_73]
at java.security.KeyStore.load(Unknown Source) [rt.jar:1.8.0_73]
at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113)
... 6 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
... 12 more

According to the Installation and Setup Guide, configuring /opt/netapp/essentials/jboss/standalone/configuration/standalone.xml should be enough:

<system-properties>
    <property name="apiserver.keystore.keypassword" value="NEW_PASSWORD" />
    <property name="apiserver.keystore.storepassword" value="NEW_PASSWORD" />
</system-properties>

As I was getting the above error, I've tried changing the password in /opt/netapp/api-server/api-tools/config/keystore-config.properties:

apiserver.keystore.keypassword="NEW_PASSWORD"
apiserver.keystore.storepassword="NEW_PASSWORD"

and added this in /opt/netapp/essentials/jboss/standalone/configuration/standalone.xml:

<security-realm name="SSLRealm">
    <server-identities>
        <ssl>
            <keystore path="apiservice/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="NEW_PASSWORD" key-password="NEW_PASSWORD" alias="server"/>
        </ssl>
    </server-identities>
</security-realm>

Maybe someone managed to get it working and can help me out.
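
The "Keystore was tampered with, or password was incorrect" line in the trace above comes from the JKS integrity check, a SHA-1 digest over the store password and the file contents. The following Python is an added example, not part of the original post and not NetApp or JBoss code; it reproduces that check so a configured store password can be tested against a keystore file offline. The function names and the empty sample keystore are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its digest
DIGEST_LEN = 20                 # SHA-1 trailer at the end of every JKS file


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (two bytes per char, big-endian) + salt + store body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def check_store_password(data: bytes, password: str) -> str:
    """Return 'ok', 'not-jks' or 'bad-password-or-modified' for a keystore blob."""
    if len(data) < 12 + DIGEST_LEN or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if hmac.compare_digest(jks_digest(password, body), stored):
        return "ok"
    # A wrong password and a changed file both end here: the digest cannot
    # tell them apart, which is why the Java message names both causes.
    return "bad-password-or-modified"


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS header with zero entries plus trailer."""
    header = struct.pack(">III", JKS_MAGIC, 2, 0)
    return header + jks_digest(password, header)


if __name__ == "__main__":
    sample = build_empty_jks("NEW_PASSWORD")   # constructed, not a real keystore
    for candidate in ("NEW_PASSWORD", "changeit"):
        print(candidate, "->", check_store_password(sample, candidate))
    # To check a real file, read its bytes and pass the configured store password:
    #   check_store_password(open("keystore.jks", "rb").read(), "...")
```

This covers only the store password (`keystore-password` in the realm definition); the per-entry key password is verified separately when the private key is recovered.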