https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/137862#M2574 <P>Hi all.</P> <P>&nbsp;</P> <P>LIttle correction for step [6].</P> <P>&nbsp;</P> <P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>[6] Generate new keystore "keystore.jks" and key pair<BR />--------------------------------------------------------------------------------------------------------<BR />[6]# keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />--------------------------------------------------------------------------------------------------------<BR />keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />Enter keystore password:<BR />Re-enter new password:<BR />What is your first and last name?<BR />[Unknown]: hostname.domain.com<BR />What is the name of your organizational unit?<BR />[Unknown]:<BR />What is the name of your organization?<BR />[Unknown]: COMPANY<BR />What is the name of your City or Locality?<BR />[Unknown]: CITY<BR />What is the name of your State or Province?<BR />[Unknown]:<BR />What is the two-letter country for this unit?<BR />[Unknown]: CX<BR />Is CN=hostname.domain.com, OU=Unknown, O=COMPANY, L=CITY, ST=Unknown, C=CX correct?<BR />[no]: yes</P> <P>Enter key password for &lt;hostname&gt;<BR />(RETURN if same as keystore password): <STRONG>&lt;KEY_PASSWORD&gt;</STRONG></P> Tue, 06 Feb 2018 14:46:40 GMT Ladislav_Hajzer 2018-02-06T14:46:40Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/134041#M2453 <P>Hi,</P><P>&nbsp;</P><P>I'm trying to use a ca-issued certificate instead of a self-signed certificate.</P><P>If I use a Java Keystore File (JKS) with the default password 'changeit' everything works as expected, but if I'm trying to use a non-default password I get the following error</P><P>&nbsp;</P><P>&nbsp;</P><PRE>2017-08-23 14:40:05,233 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.server.controller.management.security_realm.SSLRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.SSLRealm.key-manager: JBAS015229: Unable to start service at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:154) at org.jboss.as.domain.management.security.FileKeyManagerService.start(FileKeyManagerService.java:119) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.8.0_73] at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.8.0_73] at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_73] Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) [rt.jar:1.8.0_73] at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source) [rt.jar:1.8.0_73] at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source) [rt.jar:1.8.0_73] at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source) [rt.jar:1.8.0_73] at java.security.KeyStore.load(Unknown Source) [rt.jar:1.8.0_73] at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:113) ... 6 more Caused by: java.security.UnrecoverableKeyException: Password verification failed ... 12 more</PRE><P>&nbsp;</P><P>According to the Installation and Setup Guide, configuring<STRONG>&nbsp;/opt/netapp/essentials/jboss/standalone/configuration/standalone.xml</STRONG> should be enough</P><PRE>&lt;system-properties&gt; &lt;property name="apiserver.keystore.keypassword" value="NEW_PASSWORD" /&gt; &lt;property name="apiserver.keystore.storepassword" value="NEW_PASSWORD" /&gt; &lt;/system-properties&gt;</PRE><P>&nbsp;</P><P>As I was getting the above error, I've tried changing password in&nbsp;<STRONG>/opt/netapp/api-server/api-tools/config/keystore-config.properties</STRONG></P><PRE>apiserver.keystore.keypassword="NEW_PASSWORD" apiserver.keystore.storepassword="NEW_PASSWORD"</PRE><P>and added this in<STRONG>&nbsp;/opt/netapp/essentials/jboss/standalone/configuration/standalone.xml</STRONG></P><PRE>&lt;security-realm name="SSLRealm"&gt; &lt;server-identities&gt; &lt;ssl&gt; &lt;keystore path="apiservice/keystore.jks" relative-to="jboss.server.config.dir" keystore-password="NEW_PASSWORD" key-password="NEW_PASSWORD" alias="server"/&gt; &lt;/ssl&gt; &lt;/server-identities&gt; &lt;/security-realm&gt;</PRE><P>&nbsp;</P><P>Maybe someone managed to get it working and can help me out <IMG id="smileyfrustrated" class="emoticon emoticon-smileyfrustrated" src="https://community.netapp.com/i/smilies/16x16_smiley-frustrated.png" alt="Smiley Frustrated" title="Smiley Frustrated" />&nbsp;</P> Wed, 04 Jun 2025 14:40:02 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/134041#M2453 acjackson 2025-06-04T14:40:02Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/137792#M2569 <P><SPAN>==========================================================================</SPAN><BR />CONTAINER - Generate SSL CSR<BR /><SPAN>==========================================================================</SPAN></P><P><BR />[1] By Default, the SSL certificate named keystore.jks is in the directory /opt/netapp/essentials/standalone/configuration/apiservice/<BR />[2] Create backup of original keystore file<BR />[3] Remove original keystore file<BR />[4] Change default password for keystore file in keystore configuration file<BR />[5] Change default password for keystore file in JAVA application "Netapp API services"<BR />[6] Generate new keystore "keystore.jks" and key pair<BR />[7] List content of the keystore "keystore.jks"<BR />[8] Generate CSR For Private Key (alias) "hostname"<BR /><SPAN>==========================================================================</SPAN><BR />[1]# cd /opt/netapp/essentials/jboss/standalone/configuration/apiservice/<BR />[2]# cp ./keystore.jks ./keystore.jks.old<BR />[3]# rm ./keystore.jks<BR />[4]# vi /opt/netapp/api-server/api-tools/config/keystore-config.properties<BR />--------------------------------------------------------------------------------------------------------<BR />apiserver.keystore.keypassword=&lt;KEY_PASSWORD&gt;<BR />apiserver.keystore.storepassword=&lt;KEYSTORE_PASSWORD&gt;<BR />--------------------------------------------------------------------------------------------------------<BR />[5]# vi /opt/netapp/essentials/jboss/standalone/configuration/standalone-full.xml<BR />--------------------------------------------------------------------------------------------------------<BR />...<BR />&lt;system-properties&gt;<BR />&lt;property name="apiserver.keystore.keypassword" value="&lt;KEY_PASSWORD&gt;"/&gt;<BR />&lt;property name="apiserver.keystore.storepassword" value="&lt;KEYSTORE_PASSWORD&gt;"/&gt;<BR />&lt;/system-properties&gt;<BR />...<BR />--------------------------------------------------------------------------------------------------------<BR />[6]# keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />--------------------------------------------------------------------------------------------------------<BR />keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />Enter keystore password:<BR />Re-enter new password:<BR />What is your first and last name?<BR />[Unknown]: hostname.domain.com<BR />What is the name of your organizational unit?<BR />[Unknown]:<BR />What is the name of your organization?<BR />[Unknown]: COMPANY<BR />What is the name of your City or Locality?<BR />[Unknown]: CITY<BR />What is the name of your State or Province?<BR />[Unknown]:<BR />What is the two-letter country for this unit?<BR />[Unknown]: CX<BR />Is CN=hostname.domain.com, OU=Unknown, O=COMPANY, L=CITY, ST=Unknown, C=CX correct?<BR />[no]: yes<BR /><BR />Enter key password for &lt;hostname&gt;<BR />(RETURN if same as keystore password): ENTER<BR /><BR />Warning:<BR />The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -CXststoretype pkcs12".<BR />--------------------------------------------------------------------------------------------------------<BR />[7]# keytool -list -v -keystore keystore.jks<BR />--------------------------------------------------------------------------------------------------------<BR />[8]# keytool -certreq -alias hostname -file hostname.csr -keystore keystore.jks<BR />--------------------------------------------------------------------------------------------------------</P><P>&nbsp;</P><P>&nbsp;</P><P><BR /><SPAN>==========================================================================</SPAN><BR />CONTAINER - Import Root/CA certificates<BR /><SPAN>==========================================================================</SPAN></P><P><BR />!!! NOTE !!!<BR />If Root/CA certificates are already exists in system-wide CA keystore ($JAVA_HOME/jre/lib/security/cacerts),<BR />then we don't need to do this. In our case we need only step [2].<BR />!!! NOTE !!!</P><P><BR />[1] Import CA certificate "CA1" to keystore "keystore.jks"<BR />[2] Import CA certificate "CA2" to keystore "keystore.jks"<BR />--------------------------------------------------------------------------------------------------------<BR /># /opt/netapp/essentials/jboss/standalone/configuration/apiservice/<BR />[1]# keytool -importcert -trustcacerts -file CA1.crt -alias CA1 -keystore keystore.jks<BR />[2]# keytool -importcert -trustcacerts -file CA2.crt -alias CA2 -keystore keystore.jks<BR />--------------------------------------------------------------------------------------------------------</P><P>&nbsp;</P><P>&nbsp;</P><P><BR /><SPAN>==========================================================================</SPAN><BR />CONTAINER - Import signed SSL certificate<BR /><SPAN>==========================================================================</SPAN></P><P><BR />Import signed SSL certificate to keystore "keystore.jks"<BR />--------------------------------------------------------------------------------------------------------<BR /># /opt/netapp/essentials/jboss/standalone/configuration/apiservice/<BR /># keytool -importcert -trustcacerts -file hostname.crt -alias hostname -keystore keystore.jks<BR />--------------------------------------------------------------------------------------------------------</P><P><BR />Restart API services<BR />--------------------------------------------------------------------------------------------------------<BR /># /etc/init.d/apiserver restart<BR />--------------------------------------------------------------------------------------------------------</P><P>&nbsp;</P><P>&nbsp;</P><P><BR /><BR />LINKz<BR /><SPAN>==========================================================================</SPAN></P><P><BR />2014 - Java Keytool Essentials: Working with Java Keystores<BR /><A href="https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores" target="_blank">https://www.digitalocean.com/community/tutorials/java-keytool-essentials-working-with-java-keystores</A></P><P>&nbsp;</P><P>2008 - The Most Common Java Keytool Keystore Commands<BR /><A href="https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html" target="_blank">https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html</A></P> Thu, 01 Feb 2018 15:52:39 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/137792#M2569 Ladislav_Hajzer 2018-02-01T15:52:39Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/137862#M2574 <P>Hi all.</P> <P>&nbsp;</P> <P>LIttle correction for step [6].</P> <P>&nbsp;</P> <P><span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>[6] Generate new keystore "keystore.jks" and key pair<BR />--------------------------------------------------------------------------------------------------------<BR />[6]# keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />--------------------------------------------------------------------------------------------------------<BR />keytool -genkey -alias hostname -keyalg RSA -keystore keystore.jks -keysize 2048<BR />Enter keystore password:<BR />Re-enter new password:<BR />What is your first and last name?<BR />[Unknown]: hostname.domain.com<BR />What is the name of your organizational unit?<BR />[Unknown]:<BR />What is the name of your organization?<BR />[Unknown]: COMPANY<BR />What is the name of your City or Locality?<BR />[Unknown]: CITY<BR />What is the name of your State or Province?<BR />[Unknown]:<BR />What is the two-letter country for this unit?<BR />[Unknown]: CX<BR />Is CN=hostname.domain.com, OU=Unknown, O=COMPANY, L=CITY, ST=Unknown, C=CX correct?<BR />[no]: yes</P> <P>Enter key password for &lt;hostname&gt;<BR />(RETURN if same as keystore password): <STRONG>&lt;KEY_PASSWORD&gt;</STRONG></P> Tue, 06 Feb 2018 14:46:40 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/137862#M2574 Ladislav_Hajzer 2018-02-06T14:46:40Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/138530#M2594 <P>I did (almost) the same - without re-creating the keystore.&nbsp;</P> <P>When I'm listing the content of the keystore it list all properly (keytool -list -v -keystore /opt/netapp/essentials/jboss/standalone/configuration/apiservice/keystore.jks)</P> <P>however jboss failes to start with below error.&nbsp;</P> <P>Is it really required to create new keystore from scratch ? Why can't I use the one that exists?</P> <P>Or what else I might be doing wrong?</P> <P>&nbsp;</P> <P>BTW the mamual is very badly written when it comes to this (also some paths are wrong in manual)</P> <P>&nbsp;</P> <P>JBOSS error:</P> <P>&nbsp;</P> <PRE>2018-03-01 09:46:34,758 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.server.controller.management.security_realm.SSLRealm.key-manager: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.SSLRealm.key-manager: Failed to start service at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.6.Final.jar:1.2.6.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [rt.jar:1.8.0_161] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [rt.jar:1.8.0_161] at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_161] Caused by: java.lang.IllegalStateException: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:193) at org.jboss.as.domain.management.security.AbstractKeyManagerService.createKeyManagers(AbstractKeyManagerService.java:125) at org.jboss.as.domain.management.security.AbstractKeyManagerService.start(AbstractKeyManagerService.java:83) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.6.Final.jar:1.2.6.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.6.Final.jar:1.2.6.Final] ... 3 more Caused by: org.jboss.msc.service.StartException in anonymous service: WFLYDM0018: Unable to start service at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:153) at org.jboss.as.domain.management.security.FileKeyManagerService.loadKeyStore(FileKeyManagerService.java:189) ... 7 more Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780) [rt.jar:1.8.0_161] at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56) [rt.jar:1.8.0_161] at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224) [rt.jar:1.8.0_161] at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70) [rt.jar:1.8.0_161] at java.security.KeyStore.load(KeyStore.java:1445) [rt.jar:1.8.0_161] at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:112) ... 8 more Caused by: java.security.UnrecoverableKeyException: Password verification failed at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778) [rt.jar:1.8.0_161] ... 13 more </PRE> <P>&nbsp;</P> Thu, 01 Mar 2018 08:57:33 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/138530#M2594 marcinlub 2018-03-01T08:57:33Z https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/138533#M2596 <P>Hi.</P> <P>&nbsp;</P> <P><STRONG>Marcinlub&gt;&nbsp;I did (almost) the same - without re-creating the keystore.</STRONG></P> <P>LH&gt; Almost, but you added new keystore configuration to file [1] and in my opinion this is not necessarry because&nbsp;this configuration is already in file [2]. Enough is to change passwords in files [2] and [3].</P> <P>&nbsp;</P> <P><STRONG>Marcinlub&gt;&nbsp;When I'm listing the content of the keystore it list all properly</STRONG></P> <P>LH&gt; Yes of course, but you still&nbsp;use old Netapp password "changeit", which is password for Keystore, but also for key.</P> <P>&nbsp;</P> <P><STRONG>Marcinlub&gt;&nbsp;Is it really required to create new keystore from scratch ? Why can't I use the one that exists?</STRONG></P> <P>LH&gt; No, it is not required, you can use existing keystore, but if you want to change default passwords for keystore and key you must also change this (because files [2] and [3] only use those passwords).&nbsp;If you want&nbsp;to change the password for JAVA keystore you can do this as in [4]. If you want to change password for the specific key which is stored in keystore you can do this as in [5].</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Best regards</P> <P>L.H.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>[1]&nbsp;/opt/netapp/essentials/jboss/standalone/configuration/standalone.xml</P> <P>[2]&nbsp;<SPAN>/opt/netapp/essentials/jboss/standalone/configuration/standalone-full.xml</SPAN></P> <P><SPAN>[3]&nbsp;/opt/netapp/api-server/api-tools/config/keystore-config.properties</SPAN></P> <P>&nbsp;</P> <P><STRONG>[4] JAVA keystore - change keystore password</STRONG></P> <P>#&nbsp;cd /opt/netapp/essentials/jboss/standalone/configuration/apiservice/</P> <P># keytool -storepasswd&nbsp;-keystore keystore.jks</P> <P>&nbsp;</P> <P><STRONG>[5] JAVA keystore - change password for specific key</STRONG></P> <P>#&nbsp;cd /opt/netapp/essentials/jboss/standalone/configuration/apiservice/</P> <P>#&nbsp;keytool -keystore keystore.jks -alias&nbsp;&lt;key_alias&gt; -keypasswd</P> <P>&nbsp;</P> <P>NOTE: &lt;key_alias&gt; is alias for specific key which is stored in keystore.</P> Thu, 01 Mar 2018 10:08:00 GMT https://community.netapp.com/t5/Software-Development-Kit-SDK-and-API-Discussions/OnCommand-API-Services-use-ca-issued-certificate-with-non-default-password/m-p/138533#M2596 Ladislav_Hajzer 2018-03-01T10:08:00Z