Question
Anamata
NL
Last activity: 15 Dec 2022 9:20 EST
Unable to load keystore : Invalid keystore format
Hi,
I am trying to setup Deployment Manager 5.5 as described in: https://docs-previous.pega.com/devops/86/securely-authenticating-deployment-manager? In here it says I have to create the JKS files, so I followed the steps in: https://docs-previous.pega.com/security/86/creating-keystorejks-and-truststorejks-files
I know that the keytool is a Java-tool, which comes at installing Java on your local computer. The syntax for using keytool is explained here: https://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
The first step is to create a new self-signed certificate: keytool -genkey -alias <alias> -keyalg RSA -keysize <enter size> -keypass <password> -keystore cluster-keystore.jks -storepass <password> So for me it looks like: keytool -genkey -alias dmkeystore -keyalg RSA -keysize 2048 -keypass Password12! -keystore cluster-keystore.jks -storepass Password12!
The keysize has to be 2048, because the keyalg is RSA.
Now the cluster-keystore.jks is created, I login to the Pega environment and go to the keystore DMKeyStore and 'Upload file' and fill in the newly created 'Keystore password' Password12! and click on 'Save'.
While tracing this, I can see an ERROR occuring in the Activity Data-Admin-Security-Keystore Validate, step 3: (Data-Admin-Security-Keystore)Unable to load keystore : Invalid keystore format
Hi,
I am trying to setup Deployment Manager 5.5 as described in: https://docs-previous.pega.com/devops/86/securely-authenticating-deployment-manager? In here it says I have to create the JKS files, so I followed the steps in: https://docs-previous.pega.com/security/86/creating-keystorejks-and-truststorejks-files
I know that the keytool is a Java-tool, which comes at installing Java on your local computer. The syntax for using keytool is explained here: https://docs.oracle.com/javase/7/docs/technotes/tools/solaris/keytool.html
The first step is to create a new self-signed certificate: keytool -genkey -alias <alias> -keyalg RSA -keysize <enter size> -keypass <password> -keystore cluster-keystore.jks -storepass <password> So for me it looks like: keytool -genkey -alias dmkeystore -keyalg RSA -keysize 2048 -keypass Password12! -keystore cluster-keystore.jks -storepass Password12!
The keysize has to be 2048, because the keyalg is RSA.
Now the cluster-keystore.jks is created, I login to the Pega environment and go to the keystore DMKeyStore and 'Upload file' and fill in the newly created 'Keystore password' Password12! and click on 'Save'.
While tracing this, I can see an ERROR occuring in the Activity Data-Admin-Security-Keystore Validate, step 3: (Data-Admin-Security-Keystore)Unable to load keystore : Invalid keystore format
I have looked the Pega documentation, previous discussions and still can't figure out what I am doing wrong and how it should be done.
Can someone please help me?
Kind regards, Marc
***Edited by Moderator Marije to change Content Type from Discussion to Question; added capability tags***
IKOR PX
AU
@MarcHulsman - I am also facing similar issue. I kept the size at 1024.
Pega Support - please provide resolution.
Pegasystems Inc.
GB
@Atanu Sen @MarcHulsman please can you confirm that you also activated the key for application data encryption (ie the step after saving it)
Encrypting application data by using a custom key management service
4. Identify and activate the key for application data encryption.
- In the header of Dev Studio, click Configure > System > Settings > Data Encryption.
- In the Application data encryption section, in the Keystore field, enter the name of the keystore that you created in step 3.
- Click Activate.
If you need an in-depth investigation into your issue, please log a support incident on the MSP.
IKOR PX
AU
@MarijeSchillern - this keystore is for inter node communication encryption between Pega Deployment Manager Orchestrator and Candidate nodes.
LTIMindtree
SA
Hi,
You'll need to generate Cluster-Keystore.jks Trust-store.jks file too using keytool commands. Out of those 2, you did generate one already. Once you generate the trust-store.jks file and upload it, The Issue will be fixed.
IKOR PX
AU
@Kishore Sanagapalli - basically what you are saying id only the cluster-truststore.jks file needs to be uploaded to the keystore?
IKOR PX
AU
An "Invalid keystore format" error occurs when a keystore is read by a JDK version lower than a keystore generated with JDK 8u301 and higher. - from google
Updated: 15 Dec 2022 8:56 EST
LTIMindtree
SA
I mean to say that, You need to follow the steps listed in the below URL's like generating Key store and Trust store JKS files. Post the generation, YOu'll need to upload in the application.
URL's to generate the .jks files
https://docs.pega.com/security/86/creating-keystorejks-and-truststorejks-files
Adding the .JKS files to Pega Platform
https://docs.pega.com/security/86/uploading-keystore-and-truststore-files
Creating Key Store Files
https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#data-/data-admin-/data-admin-security-/data-admin-security-keystore/main.htm#_____________Keystores
Uploading the Key Store and Trust Store files
Uploading the keystore and truststore files | Pega
I mean to say that, You need to follow the steps listed in the below URL's like generating Key store and Trust store JKS files. Post the generation, YOu'll need to upload in the application.
URL's to generate the .jks files
https://docs.pega.com/security/86/creating-keystorejks-and-truststorejks-files
Adding the .JKS files to Pega Platform
https://docs.pega.com/security/86/uploading-keystore-and-truststore-files
Creating Key Store Files
https://community.pega.com/sites/default/files/help_v83/procomhelpmain.htm#data-/data-admin-/data-admin-security-/data-admin-security-keystore/main.htm#_____________Keystores
Uploading the Key Store and Trust Store files
Uploading the keystore and truststore files | Pega
But from the latest error you have posted, I can see that Java JDK version mismatch is there. I assume, you'll need to contact your middleware Team for that, even if the issue occured again upon upoloading the both Key store and Trust Store JKS files.
Note: At one point, generating the Key store and Trust store files will prompt you to trust them to your organization layer from Middleware Area. You'll need to upload both .JKS files inside the application when you login too. Issue will be fixed then.
LTIMindtree
SA
Do let me know if you are still facing the issue, even after following all the below instructions