After upgrading NSX from 4.2.1.0 to 4.2.1.2, a curl command against the NSX Manager reports the error 'Unable to get principal from trust store: Keystore was tampered with, or password was incorrect'
NSX 4.2.1.2
After the NSX upgrade from 4.2.1.0 to 4.2.1.2, the NSX Manager and Edge nodes were in READ ONLY MODE. The subsequent reboot performed to resolve that issue resulted in the Reverse-Proxy service not starting properly.
In /var/log/proxy/localhost.log, the following error is logged approximately every minute:
2025-05-23T15:15:02.039Z SEVERE org.apache.catalina.core.StandardWrapperValve invoke Servlet.service() for servlet [default] in context with path [] threw exception
java.lang.RuntimeException: Unable to get principal from trust store: Keystore was tampered with, or password was incorrect
at com.vmware.nsx.management.rp.RequestHandlerFactory.isUnifiedAppliance(RequestHandlerFactory.java:63)
at com.vmware.nsx.management.rp.PreAuthenticationProxyFilter.doFilter(PreAuthenticationProxyFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at com.vmware.nsx.management.rp.ApplicationInitializationFilter.doFilter(ApplicationInitializationFilter.java:115)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at com.vmware.nsx.management.rp.ApiRateLimitingFilter.doFilter(ApiRateLimitingFilter.java:71)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at com.vmware.nsx.management.rp.SessionCleanupFilter.doFilter(SessionCleanupFilter.java:37)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:117)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:388)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:936)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at java.base/java.lang.Thread.run(Unknown Source)
Restart Reverse-Proxy service in NSX Manager
There are several methods to verify the reverse-proxy status and restart the service:
Method 1
systemctl status proxy
systemctl restart proxy
Method 2
/etc/init.d/proxy status
/etc/init.d/proxy restart
Method 3
service proxy status
service proxy restart
Once the reverse-proxy service has been restarted, the error 'Unable to get principal from trust store: Keystore was tampered with, or password was incorrect' should no longer be logged.
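One way to confirm that the error has stopped after the restart is to count the matching log entries written at or after the restart time. This is an added example, not part of the original article or VMware/Broadcom tooling. The function names errors_since and make_sample_log are hypothetical, the sample log is constructed, and it assumes every entry starts with a UTC timestamp in the form shown in the excerpt above.

```shell
#!/usr/bin/env bash
# Added example (not vendor code): count keystore-error entries since a cutoff.
ERR='Unable to get principal from trust store'

# errors_since LOGFILE CUTOFF -> prints how many log entries at or after CUTOFF
# contain the keystore error. CUTOFF uses the log's own timestamp form
# (UTC, e.g. 2025-05-23T15:15:00.000Z), so plain string comparison orders it.
errors_since() {
    awk -v cutoff="$2" -v err="$ERR" '
        # An entry starts with a timestamp; stack-trace lines inherit it.
        $1 ~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T.*Z$/ { ts = $1; seen = 0 }
        # Count each entry once, even if the message repeats in the trace.
        !seen && index($0, err) && (ts "") >= (cutoff "") { n++; seen = 1 }
        END { print n + 0 }
    ' "$1"
}

# Constructed sample: two error entries, then an unrelated later entry.
make_sample_log() {
    f=$(mktemp)
    hdr='SEVERE org.apache.catalina.core.StandardWrapperValve invoke Servlet.service() for servlet [default] in context with path [] threw exception'
    exc="java.lang.RuntimeException: $ERR: Keystore was tampered with, or password was incorrect"
    cat > "$f" <<EOF
2025-05-23T15:13:02.039Z $hdr
$exc
	at com.vmware.nsx.management.rp.RequestHandlerFactory.isUnifiedAppliance(RequestHandlerFactory.java:63)
2025-05-23T15:14:02.041Z $hdr
$exc
2025-05-23T15:16:10.000Z INFO constructed unrelated entry
EOF
    printf '%s\n' "$f"
}

log=$(make_sample_log)
# Treat 15:15:00Z as the restart time: no error entry should follow it.
echo "entries since restart: $(errors_since "$log" 2025-05-23T15:15:00.000Z)"
echo "entries all day:       $(errors_since "$log" 2025-05-23T00:00:00.000Z)"
rm -f "$log"
```

On the NSX Manager, note the UTC time just before restarting the proxy service and pass it as the cutoff with /var/log/proxy/localhost.log as the log file; a result of 0 a few minutes later indicates the error is no longer being written.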