Analyzer Server not starting due to Incorrect Keystore Password

Overview

  • You have generated your Analyzer Keystore with a custom password and updated the Tomcat server.xml with the same.
  • You notice that the Test Analyzer server does not start up and is inaccessible via your browser.
  • Attempting to check the Keystore using keytool may show the following error:

    # /usr/java/jdk1.8.0_141/bin/keytool -list -keystore /opt/app/sensage/tomcat/conf/.keystore
    Enter keystore password:
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
  • When you check the Tomcat logs, you see a similar error:

    "SEVERE: org.apache.coyote.AbstractProtocol init - Failed to initialize end point associated with ProtocolHandler ["http-bio-8090"]
    java.io.IOException: Keystore was tampered with, or password was incorrect at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:785)

    Caused by: java.security.UnrecoverableKeyException: Password verification failed"

 

Solution

This error message indicates that the Keystore password most likely does not match the keystorePass value in the Tomcat server.xml configuration file. To address this, verify the password in your Tomcat configuration and, if necessary, recreate the Keystore file from your SSL certificate with the correct password, replacing the previous one. Follow the steps below to confirm the root cause and regenerate these files.

  1. Verify the Custom Password is set in the Tomcat server.xml
    1. Execute the following command and verify the value shown for "keystorePass":
      # cat /opt/tomcat/conf/server.xml | grep keystorePass
    2. If this value does not match your Custom Password and instead shows the default password, the Ambari startup script may be overwriting it.
    3. You can address this by setting your Custom Password within the Ambari params.pp:
      1. Open /opt/app/sensage/var/lib/ambari-agent/puppet/modules/hdp-sensage/manifests/params.pp within your preferred editor.
      2. Set variable $sensage_api_password to your custom password.
      3. Restart the Analyzer from the Ambari interface.
  2. Verify the Custom Password is set for the Keystore
    1. Execute the following command:
      # /usr/java/jdk1.8.0_202-amd64/bin/keytool -list -keystore /opt/sensage/tomcat/conf/.keystore
    2. When prompted, enter the Custom Password and verify that it shows your Keystore entry.
    3. If you continue to see the password verification errors appear:
      1. Using the guidance within Replacing SSL Certificates in Analyzer, generate a new Keystore using your Certificate Authority provided PFX file.
        1. Note: If you already have your SSL Cert file available, skip step 1 and use the existing certificate.
      2. When prompted for the "destination Keystore password," use the Custom Password you defined.
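
The checks from steps 1 and 2 combined into one script, added here as an example and not part of the vendor's tooling: it reads keystorePass from server.xml (decoding XML entities such as `&amp;`, which otherwise look like a mismatch) and tries that value against the Keystore, passing it through keytool's `-storepass:env` so the password stays off the command line. The function names, the KEYTOOL override and the sample Connector are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Checks that the keystorePass configured in
# Tomcat's server.xml actually opens the keystore.

# Print the value of attribute $2 from file $1 (first match only), decoding the
# XML entities a password needs when it contains characters such as & or <.
xml_attr() {
    sed -nE "s/(^|.*[[:space:]])$2=\"([^\"]*)\".*/\2/p" "$1" | head -n 1 |
        sed -e 's/&lt;/</g' -e 's/&gt;/>/g' -e 's/&quot;/"/g' \
            -e "s/&apos;/'/g" -e 's/&amp;/\&/g'
}

# Return 0 if password $2 opens keystore $1. The password is handed to keytool
# through the environment, so it does not show up in the process list.
keystore_opens() {
    KS_PASS="$2" "${KEYTOOL:-keytool}" -list -keystore "$1" \
        -storepass:env KS_PASS >/dev/null 2>&1
}

# $1 = path to server.xml, $2 = path to the keystore file.
main() {
    pass="$(xml_attr "$1" keystorePass)"
    if [ -z "$pass" ]; then
        echo "no keystorePass attribute found in $1" >&2; return 2
    fi
    if keystore_opens "$2" "$pass"; then
        echo "OK: keystorePass in $1 opens $2"
    else
        echo "MISMATCH: keystorePass in $1 does not open $2" >&2; return 1
    fi
}

# Constructed sample Connector for trying xml_attr offline (not from a real host).
sample_server_xml() {
    cat <<'EOF'
<Connector port="8090" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore" keystorePass="S3cr&amp;t-constructed"/>
EOF
}

# Usage: ./check_keystore_pass.sh <server.xml> <keystore>
if [ "$#" -eq 2 ]; then main "$1" "$2"; fi
```

Set KEYTOOL to the full path of the JDK's keytool binary if it is not on the PATH.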

 

Testing

After relocating the newly generated Keystore and restarting Tomcat using the guidance within Replacing SSL Certificates in Analyzer, confirm that Test Analyzer has successfully started by visiting https://<yourHostname>:8090/analyzer and confirming that you reach the login page. 

If you continue to experience issues, please open a support ticket and include the Tomcat log located at /opt/sensage/var/log/tomcat/catalina.out

 
