The preferred method for replacing a corrupt truststore is to use a copy from a healthy vRealize Log Insight node in the same cluster, that is, a node that does NOT return an error when listing the contents via the above command. If no such node is available, the secondary method is to use the default truststore attached to this article (cacerts-nofips.tar.gz or cacerts-fips.tar.gz, depending on whether FIPS is enabled in the cluster).
Non-FIPS enabled clusters
Perform one of the two operations:
- Using a utility like WinSCP or FileZilla, copy a truststore from a working node in the same cluster, using it to replace the existing one in the following directory:
/usr/java/jre-vmware/lib/security/cacerts
- Using a utility like WinSCP or FileZilla, copy the cacerts-nofips.tar.gz truststore attached to this article to the node's /tmp directory, extract it, and replace the existing one:
  1. SSH to the node as root
  2. Extract the file into /tmp
     tar -xvzf /tmp/cacerts-nofips.tar.gz -C /tmp
  3. Replace the existing cacerts file with the new one and update ownership
     mv /tmp/cacerts /usr/java/jre-vmware/lib/security/cacerts; chown root:root /usr/java/jre-vmware/lib/security/cacerts
  4. Repeat steps 1-3 on all nodes in the cluster that were determined to have corrupt truststores
FIPS enabled clusters
Perform one of the two operations:
- Use a truststore from a working node in the same cluster to replace the existing one in the following directory:
/usr/java/jre-vmware/lib/security/cacerts
- Using a utility like WinSCP or FileZilla, copy the cacerts-fips.tar.gz truststore attached to this article to the node's /tmp directory, extract it, and replace the existing one:
  1. SSH to the node as root
  2. Extract the file into /tmp
     tar -xvzf /tmp/cacerts-fips.tar.gz -C /tmp
  3. Replace the existing cacerts file with the new one and update ownership
     mv /tmp/cacerts /usr/java/jre-vmware/lib/security/cacerts; chown root:root /usr/java/jre-vmware/lib/security/cacerts
  4. Repeat steps 1-3 on all nodes in the cluster that were determined to have corrupt truststores
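
The replace step in both procedures overwrites the existing file in place. As an added example (not part of the original article), the hypothetical helper `replace_truststore` below keeps a timestamped copy of the old truststore, optionally checks the replacement against a SHA-256 value recorded on the healthy node, and only then swaps the file in. The function name, the backup naming and the checksum argument are assumptions; the target path is the one from the article.

```shell
#!/bin/sh
# Added example, not from the article: swap in a truststore but keep the old one.
TRUSTSTORE=/usr/java/jre-vmware/lib/security/cacerts   # path from the article

# replace_truststore NEW [TARGET] [EXPECTED_SHA256]   (hypothetical helper)
# Prints the backup path on success; a non-zero return leaves TARGET untouched.
replace_truststore() {
    new=$1
    target=${2:-$TRUSTSTORE}
    expected=${3:-}
    backup=

    # Refuse a missing or zero-length replacement file.
    [ -s "$new" ] || { echo "replacement '$new' missing or empty" >&2; return 1; }

    # Optional integrity check against a hash taken on the healthy node
    # (sha256sum /usr/java/jre-vmware/lib/security/cacerts).
    if [ -n "$expected" ]; then
        actual=$(sha256sum "$new" | cut -d' ' -f1)
        [ "$actual" = "$expected" ] || { echo "checksum mismatch for '$new'" >&2; return 2; }
    fi

    # Keep the corrupt store for rollback and later analysis.
    if [ -e "$target" ]; then
        backup="$target.bak.$(date +%Y%m%d%H%M%S)"
        cp -p "$target" "$backup" || return 3
    fi

    # Stage next to the target so the final mv is a same-filesystem rename.
    staged="$target.new.$$"
    cp "$new" "$staged" || return 4
    # Ownership as in the article; only root can set it.
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$staged" || { rm -f "$staged"; return 5; }
    fi
    mv -f "$staged" "$target" || { rm -f "$staged"; return 6; }
    echo "$backup"
}
```

On a node this would be called as `replace_truststore /tmp/cacerts` after the extract step, in place of the mv and chown commands.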