Keystore parameters are not valid for the given keystore / Invalid Keystore Format

Article ID: 232306

Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation

Issue/Introduction

When enabling SSL/TLS for Automic Workload Automation, the following errors could occur:

The JCP starts, then the JCP log shows a single-line error message:

U00045014 Exception 'java.io.IOException: "Invalid keystore format"' at 'sun.security.provider.JavaKeyStore.engineLoad():663'.

And then the JCP stops.

When using the One Installer, if 'Use a custom keystore' is selected on the TLS Settings screen, the error "Keystore parameters are not valid for the given keystore" is displayed.

Environment

Affected Release: 12.2, 12.3, 21.0

Component: AUTOMATION ENGINE

Cause

With https://bugs.openjdk.java.net/browse/JDK-8076190, all JDKs have been updated: the default encryption algorithm for the certificate in a PKCS12 keystore has been changed to a more secure one.
For more information, see the OpenJDK issue or the Java release notes:
https://www.oracle.com/java/technologies/javase/11-0-12-relnotes.html (section "Customizing PKCS12 keystore Generation").


This change is active by default as of Java 8 u301 and Java 11.0.12 and the generated keystores are more secure.
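
To tell which kind of file a given keystore is without its password, the following added example (not Broadcom or Automic code) reads the unencrypted outer PKCS12 structure and reports the MAC digest and the certificate encryption algorithm. The function names and the sample bytes are constructed for illustration; it assumes the definite-length DER layout that keytool writes, with the certificates in an encryptedData block.

```python
OIDS = {  # hex of the OID content bytes -> name (dotted form in the comment)
    "2b0e03021a": "SHA-1",                                # 1.3.14.3.2.26
    "608648016503040201": "SHA-256",                      # 2.16.840.1.101.3.4.2.1
    "2a864886f70d010c0106": "pbeWithSHAAnd40BitRC2-CBC",  # 1.2.840.113549.1.12.1.6
    "2a864886f70d01050d": "PBES2",                        # 1.2.840.113549.1.5.13
    "2a864886f70d010706": "encryptedData"}                # 1.2.840.113549.1.7.6

def tlv(buf, pos):
    """Parse one definite-length DER element; return (tag, value_start, value_end)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits count the length bytes that follow
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def kids(buf, node, *path):
    """Follow child indexes in path from node, then list that element's children."""
    for i in path:
        node = kids(buf, node)[i]
    out, pos = [], node[1]
    while pos < node[2]:
        out.append(tlv(buf, pos))
        pos = out[-1][2]
    return out

def alg(buf, node, *path):  # name the OID at a child-index path below node
    _, start, end = kids(buf, node, *path[:-1])[path[-1]]
    return OIDS.get(buf[start:end].hex(), buf[start:end].hex())

def inspect_keystore(data):
    """Return (container, MAC digest, [certificate encryption algorithms])."""
    magic = {b"\xfe\xed\xfe\xed": "JKS", b"\xce\xce\xce\xce": "JCEKS"}.get(data[:4])
    if magic or data[:1] != b"\x30":
        return magic or "unknown", None, []
    pfx = kids(data, tlv(data, 0))  # PFX: version, authSafe, optional macData
    mac = alg(data, pfx[2], 0, 0, 0) if len(pfx) > 2 else None
    enc = [alg(data, ci, 1, 0, 1, 1, 0) for ci in kids(data, pfx[1], 1, 0, 0)
           if alg(data, ci, 0) == "encryptedData"]  # keytool puts certificates here
    return "PKCS12", mac, enc

def sample(mac_hex, enc_hex):
    """Constructed PFX skeleton with dummy ciphertext and MAC bytes, not a real keystore."""
    d = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)  # short lengths only
    o = lambda h: d(6, bytes.fromhex(h))
    eci = d(0x30, o("2a864886f70d010701"), d(0x30, o(enc_hex)), d(0x80, b"\0" * 4))
    ci = d(0x30, o("2a864886f70d010706"), d(0xA0, d(0x30, d(2, b"\0"), eci)))
    auth = d(0x30, o("2a864886f70d010701"), d(0xA0, d(4, d(0x30, ci))))
    digest = d(0x30, d(0x30, o(mac_hex)), d(4, b"\0" * 4))
    mac = d(0x30, digest, d(4, b"\0" * 4), d(2, b"\x27\x10"))
    return d(0x30, d(2, b"\x03"), auth, mac)
```

Run inspect_keystore(open(path, "rb").read()) on the real file: a SHA-256 MAC or a PBES2 entry marks a keystore written with the newer defaults, while SHA-1 with pbeWithSHAAnd40BitRC2-CBC marks the older ones.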

Resolution

For the One Installer, this happens because it uses JRE 1.8 u281 internally. As a workaround, only a keystore created with an older version (1.8 u291 or earlier, or 11.0.11 or earlier) can be used.

For all other implementations, please use only a current JRE/JDK release (1.8 u301 or later, or 11.0.12 or later), both to run the Java processes in Automic and to create the keystore and certificate pair.

The One Installer will be fixed in a future release. 

Additional Information

At the moment, the latest available IBM Java still does not support this format! If IBM Java is used to start Java-based processes, the keystore must be created/adapted using the tools delivered with the IBM Java JRE.