CA TDM was installed on a new server. For the new server, we have generated our own certificate (in two formats, viz. PKCS #12 and JKS). The certificates are copied in a specific directory on the server where CA TDM is installed. Per the documentation link provided earlier: https://knowledge.broadcom.com/external/article?articleId=189744, when the command to import the certificates is executed it throws the error: Keystore was tampered with, or password was incorrect.
I had tried to use the password provided in the application.properties file, as well as the well-known default password 'changeit', but it doesn't work. Our security team says that the vendor must provide the original password with which their 'encrypted' password for the keystore is generated.
Kindly provide us a way to install the certificate and the original password through which CA TDM certificate was issued/installed.
By default, when you run the TDM Portal installer and take the default settings, the keystore file is created, via Java's Keytool utility, with a preconfigured self-signed certificate. To help improve security, we stopped using the well-known default passwords, such as 'changeit'. Instead, the installer uses a randomly generated password when creating the keystore file. The random password is not recorded in clear text, so there is no way for Support to provide you with the password used to generate your keystore file. However, you can see what was done by looking at the TDM Portal Install directory\conf\KeystoreGeneratorLogs.log.
Release : TDM 4.9.1
Component : TDM Portal
During the TDM Portal installation, you have the option to uncheck the "Secure with HTTPS" checkbox, and use HTTP instead, or change the default port to something other than 8443.
However, on this page there is a second checkbox that is easily overlooked: "Auto-generate Keystore Password".
When you uncheck this box, you are prompted to enter your own keystore password, which is then used to generate the keystore file and self-signed certificate. As part of the installation process, the password is encrypted and written to the tdmweb.keystorePassword parameter in the application.properties file.
If you used the randomly generated password during the installation and want to use your own Certificate Authority signed certificates (third-party certificates), you will need to use the Keytool utility, or some other certificate utility, to generate a new keystore file with a self-signed certificate and provide your own password. You can then access the new keystore and import any certificates you wish.
keytool -genkey -dname <distinguished name> -alias <myAlias> -keyalg RSA -keysize 2048 -keypass <key_password> -sigalg SHA256withRSA -keystore <C:\path\keystore_filename> -storepass <keystore_password> -validity <num_days_valid> -ext <X.509 extension>
c:\Program Files\CA\CA Test Data Manager Portal\jre\bin>keytool -genkey -dname cn=test003266,ou="Test Data Manager - Self-Signed",o=Broadcom -alias "Test Data Manager" -keyalg RSA -keysize 2048 -keypass CAdemo1234 -sigalg SHA256withRSA -keystore "C:\Program Files\CA\CA Test Data Manager Portal\conf\.my_keystore" -storepass CAdemo1234 -validity 8030 -ext san=dns:test003266.broadcom.net,dns:test003266,dns:localhost -ext EKU:true=serverAuth
This will generate your new self-signed certificate in the new keystore file. You may see the following warning after running the above command:
I would also like to point out that certificates are generally created for a single server and cannot be used by another server unless you generated the certificate as a wildcard certificate. Normally, when standing up a new server, you also have to generate new certificates.
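The "generate a new keystore under your own password, then import your certificates" step above, as an added PowerShell example that is not part of this article or the product: it rebuilds the keystore directly from the PKCS #12 file the question mentions, using the Portal's bundled keytool. The install path, the .p12 file name, the alias inside it and the destination alias are assumptions; adjust them to your server.

```powershell
# Added example, not from the Broadcom article: rebuild the Portal keystore from the
# PKCS #12 file you generated yourself, under a store password you control, then verify it.
# All paths, the .p12 alias and the destination alias are assumptions; adjust them to your server.
$portalHome = 'C:\Program Files\CA\CA Test Data Manager Portal'   # assumed install directory
$keytool    = Join-Path $portalHome 'jre\bin\keytool.exe'          # keytool from the bundled JRE
$newStore   = Join-Path $portalHome 'conf\.my_keystore'            # new store name, as in the article
$srcP12     = 'C:\certs\tdm-portal.p12'                            # assumed: your own PKCS #12 file
$srcAlias   = 'tdm-portal'                                         # assumed: key alias inside the .p12
$destAlias  = 'Test Data Manager'                                  # alias used in the article's command

# Prompt for both passwords so they never end up in a script file or in shell history.
$secure  = Read-Host 'Password of the existing .p12 file' -AsSecureString
$srcPass = [pscredential]::new('x', $secure).GetNetworkCredential().Password
$secure  = Read-Host 'Password for the NEW keystore (record it securely)' -AsSecureString
$newPass = [pscredential]::new('x', $secure).GetNetworkCredential().Password

if (-not (Test-Path $keytool)) { throw "keytool not found at $keytool" }
if (Test-Path $newStore)       { throw "Refusing to overwrite existing keystore $newStore" }

# 1. Copy the private key and its certificate chain into a new JKS store. -destkeypass is set
#    equal to the store password because Tomcat-style servers assume the two match.
& $keytool -importkeystore -noprompt `
    -srckeystore  $srcP12   -srcstoretype  PKCS12 -srcstorepass  $srcPass -srcalias $srcAlias `
    -destkeystore $newStore -deststoretype JKS    -deststorepass $newPass -destkeypass $newPass `
    -destalias $destAlias
if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed (exit code $LASTEXITCODE)" }

# 2. Prove that the new password opens the store and that it holds a private-key entry,
#    which is exactly the check that fails with "Keystore was tampered with" on the old store.
$listing = & $keytool -list -v -keystore $newStore -storepass $newPass
if ($LASTEXITCODE -ne 0)                      { throw 'New keystore does not open with the new password' }
if (-not ($listing -match 'PrivateKeyEntry')) { throw "No PrivateKeyEntry found under alias '$destAlias'" }
$listing | Select-String 'Alias name|Entry type|Owner|Issuer|Valid from|DNSName'

# 3. The article states that tdmweb.keystorePassword in conf\application.properties holds an
#    encrypted value; update it for the new password and keystore file using the vendor's
#    documented procedure, then restart the Portal service.
```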
For more information,