search cancel

JCS ssl.keystore issues after upgrading

book

Article ID: 42457

calendar_today

Updated On:

Products

CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)

Issue/Introduction

Issue:
After installing or upgrading your version of PIM you are having issues centered around the JCS keystore being replaced and you are most likely experiencing both of the following:

1. The default password on the JCS keystore is 'dummypass'
2. Cannot modify endpoints (timeouts occur)
3. Customer may want to update the keystore to a new password



Environment:
This should work for most if not all PIM ENTM servers 12.8 +


 
Cause:
The cause of this stems from the password being different between the JCS ssl.keystore and two important certs
eta2_server
eta2_client



Resolution: *Always take a backup of files before modifying them*
1. In order to resolve this you must remove the 2 certs and re-add them via the /opt/CA/AccessControlServer/Connector_Server/conf directory with the new password (should match the JCS ssl.keystore password)

    keytool -delete -alias eta2_server -keystore ssl.keystore
    keytool -delete -alias eta2_client -keystore ssl.keystore

2. Now that the keys are deleted you will need to re-add them via the commands below. Please note that the " " are required for this and secret should be used to reset the password to the default value in order to prevent further issues. Once this command is run, the tool will prompt you for the src keystore password which should be secret.

    keytool -importkeystore -srckeystore eta2_server.p12 -destkeystore ssl.keystore -srcstoretype pkcs12 -deststoretype jks -srcalias eta2_server -destalias eta2_server -deststorepass "secret" -destkeypass "secret"


    keytool -importkeystore -srckeystore eta2_client.p12 -destkeystore ssl.keystore -srcstoretype pkcs12 -deststoretype jks -srcalias eta2_client -destalias eta2_client -deststorepass "secret" -destkeypass "secret"

enter keystore password secret

3. Now that the certs were added you can modify the password of the JCS ssl.keystore via java encryption
        For windows location AccessControlServer\Connector Server\conf
java -ea -server -mx64M -cp ".;../lib/jcs.jar;../lib/cacommons.jar;../lib/apacheds-server-main-1.5.0-SNAPSHOT-app.jar" com.ca.jcs.crypto.legacy.LegacyCryptoService  new_password  mangled.txt  Password

    For Linux  : AccessControlServer/Connector_Server/conf

java -ea -server -mx64M -cp ".:../lib/jcs.jar:../lib/cacommons.jar:../lib/apacheds-server-main-1.5.0-SNAPSHOT-app.jar" com.ca.jcs.crypto.legacy.LegacyCryptoService  new_password  mangled.txt  Password

The above line will take the the new_password and mangle it and place it in mangled.txt (which needs to exist prior to the command) and will have randomized letters and characters looking similar to {AES}ABpCDeFjOQWERsGLU+lZi9Q==   

4. Next, copy said mangled line and place it here /opt/CA/AccessControlServer/Connector_Server/conf/server_jcs.xml:
        <property name="connectorClientCertStorePassword"><value>NEW_VALUE_FROM_MANGLED.TXT</value></property>
       <property name="ldapsCertificatePassword"><value>NEW_VALUE_FROM_MANGLED.TXT</value></property>

5. From here you can start the JCS and test modifying an endpoint
    /etc/init.d/im_jcs start

Environment

Release: ACP1M005900-12.9-Privileged Identity Manager
Component: