Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12.

book

Article ID: 194394

calendar_today

Updated On:

Products

CA Workload Automation AE - Business Agents (AutoSys) CA Workload Automation AE - System Agent (AutoSys) CA Workload Automation AE - Scheduler (AutoSys) CA Workload Automation Agent CA Workload Automation AE

Issue/Introduction

Having imported a JKS (Java KeyStore) Certificate from a trusted Certificate Authority, when viewing the keystore the following warning is given:
keytool -list -keystore /opt/CA/WorkloadCC/data/config/.keystore

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /opt/CA/WorkloadCC/data/config/.keystore -destkeystore /opt/CA/WorkloadCC/data/config/.keystore -deststoretype pkcs12".

After running the command advised, checking the keystore again gave no warning message anymore.
However, after restarting WCC, the log in page fails to load.

WCC logs show errors message such as these:
INFO   | jvm 1    | 2020/06/30 11:22:58 |      303 | Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Cause

WCC does actually require JKS keys to be imported into the keystore. Support for PKCS12 is planned for a future release.

Environment

Release : 11.3.6

Component : WORKLOAD CONTROL CENTER

Resolution

Restore the keystore to the state prior to converting JKS to PKCS12 or re-import the JKS certificate into the keystore.