Security certificate Error - need original password to Keystore for TDM Portal 4.9.1

Article ID: 225461

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

CA TDM was installed on a new server. For the new server, we have generated our own certificate (in two formats, viz. PKCS #12 and JKS). The certificates are copied into a specific directory on the server where CA TDM is installed. Per the documentation link provided earlier: https://knowledge.broadcom.com/external/article?articleId=189744, when the command to import the certificates is executed, it throws the error: Keystore was tampered with, or password was incorrect.

I had tried to use the password provided in the application.properties file, as well as the well-known default password 'changeit', but it doesn't work. Our security team says that the vendor must provide the original password with which their 'encrypted' password for the keystore is generated. 

Kindly provide us with a way to install the certificate and the original password with which the CA TDM certificate was issued/installed.

Environment

Release : TDM 4.9.1

Component : TDM Portal

Cause

By default, when you run the TDM Portal installer and take the default settings, the keystore file is created via Java's Keytool utility with a preconfigured self-signed certificate. To improve security, we stopped using well-known default passwords such as 'changeit'. Instead, the installer uses a randomly generated password when creating the keystore file. The random password is not recorded in clear text, so there is no way for Support to provide you with the password used to generate your keystore file. However, you can see what was done by looking at the TDM Portal Install directory\conf\KeystoreGeneratorLogs.log.

Resolution

During the TDM Portal installation, you have the option to uncheck the "Secure with HTTPS" checkbox and use HTTP instead, or to change the default port to something other than 8443.

However, on this page there is a second checkbox that is easily overlooked: "Auto-generate Keystore Password".

[Screenshot attachment: https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=0k+qughnfmOEtG4al0nZVw==]

When you uncheck this box, you will be prompted to enter your own keystore password, which will be used to generate the keystore file and self-signed certificate. As part of the installation process, the password is then encrypted and stored in the application.properties file as the tdmweb.keystorePassword parameter.

[Screenshot attachment: https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=8cWhdFurFyAtUG6Fxq5yXA==]

If you used the randomly generated password during the installation and want to use your own Certificate Authority-signed certificates (third-party certificates), you will need to use the Keytool utility, or some other certificate utility, to generate a new keystore file with a self-signed certificate and provide your own password. You can then access the new keystore and import any certificates you wish.

  1. The following command is a sample that can be used to generate the new keystore and self-signed certificate:

keytool -genkey -dname <distinguished name> -alias <myAlias> -keyalg RSA -keysize 2048 -keypass <key_password> -sigalg SHA256withRSA -keystore <C:\path\keystore_filename> -storepass <keystore_password> -validity <num_days_valid> -ext <X.509 extension>

Where:

    • -genkey tells keytool to generate the key pair
    • -dname specifies the distinguished name, such as CN, OU, O
    • -alias is the alias name of the entry in your keystore. It is important to keep alias names consistent throughout the process, and you cannot duplicate alias names. When generating your CSR you need to use the same alias name as the self-signed certificate you are creating the CSR for.
    • -keyalg is the key algorithm name
    • -keysize is the key bit size
    • -keypass is the key password
    • -sigalg is the signature algorithm name
    • -keystore is the keystore filename
    • -storepass is the keystore password
    • -validity is the number of days the certificate will be valid. For example, if you want the certificate to be valid for 1 year after creation, set validity to 365.
    • -ext specifies any X.509 extensions, such as DNS names

For example:

c:\Program Files\CA\CA Test Data Manager Portal\jre\bin>keytool -genkey -dname cn=test003266,ou="Test Data Manager - Self-Signed",o=Broadcom -alias "Test Data Manager" -keyalg RSA -keysize 2048 -keypass CAdemo1234 -sigalg SHA256withRSA -keystore "C:\Program Files\CA\CA Test Data Manager Portal\conf\.my_keystore" -storepass CAdemo1234 -validity 8030 -ext san=dns:test003266.broadcom.net,dns:test003266,dns:localhost -ext EKU:true=serverAuth

This will generate your new self-signed certificate in the new keystore file. You may see the following warning after running the above command:

    Warning:
    The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:\Program Files\CA\CA Test Data Manager Portal\conf\.my_keystore -destkeystore C:\Program Files\CA\CA Test Data Manager Portal\conf\.my_keystore -deststoretype pkcs12".

  2. Use keytool to generate a CSR (Certificate Signing Request):

    keytool -certreq -alias <myAlias> -keystore <C:\path\keystore_filename> -file <myCSR.csr>

    Note: It is important that the -alias and -keystore arguments match those you used above when generating the self-signed certificate.

  3. Provide your CSR file to your Certificate Authority to be signed.

  4. Navigate to the TDM Portal install directory (by default, C:\Program Files\CA\CA Test Data Manager Portal\service\bin) and run EncryptionUtil.bat -p to encrypt your new keystore password.

    For example:
    c:\Program Files\CA\CA Test Data Manager Portal\service\bin>EncryptionUtil.bat -p
    Enter password:
    Re-enter password:
    Encrypted password:{cry}wwI1yv571opquNrpfzeqNbj8WBXHNoDLjPthtQfk9OKO6mxMM1fy

  5. Copy and paste the encrypted result into the C:\Program Files\CA\CA Test Data Manager Portal\conf\application.properties file -> tdmweb.keystorePassword parameter.

  6. Update the C:\Program Files\CA\CA Test Data Manager Portal\conf\application.properties -> tdmweb.keystorePath parameter to point to your new keystore file.

  7. Update the C:\Program Files\CA\CA Test Data Manager Portal\conf\application.properties -> tdmweb.keyAlias parameter to point to the alias you gave to your certificate.

  8. Restart the CA Test Data Manager Portal service.
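Before the service is restarted, the three tdmweb.* entries in application.properties must agree with each other and with the keystore on disk; a mismatch between the encrypted password, the keystore path and the alias is exactly what produces the "Keystore was tampered with, or password was incorrect" error described above. The following Python script is an added example, not part of this article or of the CA TDM product. It rewrites the three entries, checks that the password value carries the {cry} prefix that EncryptionUtil.bat -p prints, that the keystore path exists, and, when keytool is on the PATH, that the alias is present in the keystore. Only the property names and the {cry} prefix come from the article; the function names, the sample properties text and the sample values are constructed for the example.

```python
"""Consistency check for the tdmweb.* keystore settings before restarting TDM Portal.

Added example; not part of the Broadcom article or the CA TDM product. The three
property names and the "{cry}" prefix come from the article; the function names,
the sample properties text and the sample values are constructed here.
"""
import os
import shutil
import subprocess

# Property keys the article says to update in application.properties
KEY_PASSWORD = "tdmweb.keystorePassword"
KEY_PATH = "tdmweb.keystorePath"
KEY_ALIAS = "tdmweb.keyAlias"
ENCRYPTED_PREFIX = "{cry}"  # prefix on the value printed by EncryptionUtil.bat -p

# Constructed sample of a properties file; not a real TDM configuration
SAMPLE_PROPERTIES = """# constructed sample application.properties
server.port=8443
tdmweb.keystorePassword=plaintext-not-encrypted
tdmweb.keystorePath=C:/Program Files/CA/CA Test Data Manager Portal/conf/old_keystore
"""


def parse_properties(text):
    """Parse key=value lines into a dict; comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            continue
        key, sep, value = stripped.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def update_properties(text, keystore_path, encrypted_password, alias):
    """Return the properties text with the three keystore entries set.

    Existing entries are rewritten in place so the rest of the file is untouched;
    entries that are missing are appended. Values are written verbatim, so use the
    path escaping convention the file already uses.
    """
    new_values = {KEY_PASSWORD: encrypted_password, KEY_PATH: keystore_path, KEY_ALIAS: alias}
    seen = set()
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if key in new_values and not line.lstrip().startswith(("#", "!")):
            out.append(f"{key}={new_values[key]}")
            seen.add(key)
        else:
            out.append(line)
    for key, value in new_values.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def validate(props, check_file=True):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    if not props.get(KEY_PASSWORD, "").startswith(ENCRYPTED_PREFIX):
        problems.append(f"{KEY_PASSWORD} lacks the {ENCRYPTED_PREFIX} prefix: run EncryptionUtil.bat -p")
    path = props.get(KEY_PATH, "")
    if not path:
        problems.append(f"{KEY_PATH} is empty")
    elif check_file and not os.path.isfile(path):
        problems.append(f"{KEY_PATH} does not point to an existing file: {path}")
    if not props.get(KEY_ALIAS):
        problems.append(f"{KEY_ALIAS} is empty")
    return problems


def alias_in_keystore(keystore_path, store_password, alias):
    """Ask keytool whether the alias exists in the keystore.

    Returns True/False, or None when keytool is not on the PATH. The store
    password is passed on the command line here for brevity; in production let
    keytool prompt for it so it does not appear in process listings.
    """
    keytool = shutil.which("keytool")
    if keytool is None:
        return None
    result = subprocess.run(
        [keytool, "-list", "-keystore", keystore_path, "-storepass", store_password, "-alias", alias],
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    updated = update_properties(
        SAMPLE_PROPERTIES,
        keystore_path="C:/Program Files/CA/CA Test Data Manager Portal/conf/.my_keystore",
        encrypted_password="{cry}EXAMPLE-OUTPUT-OF-ENCRYPTIONUTIL",  # placeholder, not a real value
        alias="Test Data Manager",
    )
    print(updated)
    for problem in validate(parse_properties(updated)):
        print("problem:", problem)
```

Run it against a copy of the real application.properties by replacing SAMPLE_PROPERTIES with the file's contents; an empty problem list from validate() and a True from alias_in_keystore() mean the password, path and alias line up before the service restart.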


I would also like to point out that certificates are generally created for a single server and cannot be used by another server unless you generated the certificate as a wildcard certificate. Normally, when standing up a new server, you also have to generate new certificates.

Additional Information

For more information,