Want to change the Data Protection Advisor (DPA) application keystore password.

           

   Article Number: 534975    Article Version: 2    Article Type: Break Fix
   

 


Product:

 

Data Protection Advisor, Data Protection Advisor 6.5, Data Protection Advisor 6.4, Data Protection Advisor 6.3, Data Protection Advisor 6.2, Data Protection Advisor 18.1, Data Protection Advisor 19.1, Data Protection Advisor 18.2

 

Issue:

 

 

Would like to change the Data Protection Advisor (DPA) keystore password. Can this be done?   
   
    In some environments, security requirements may make it necessary to modify or set the DPA keystore's password.
                                                           

 

 

Cause:

 

 

The password for the DPA keystore can be changed by the administrator of the environment and installation.                                                           

 

 

Resolution:

 

 

Before performing this configuration change, ensure that all of the steps have been reviewed and understood completely. Performing the steps incorrectly (for example, through typing mistakes) can leave the DPA application unable to start or the DPA GUI inaccessible over HTTPS.

    To change the password of the DPA keystore, perform the following steps.
   
    Note: The current password for the keystore (apollo.keystore) is required to perform these steps.   
   
    - Login to the DPA application server as root or administrator.   
   
    - Open a Command Prompt window if the server is Windows based.   
   
    - Navigate to the directory:    /opt/emc/dpa/services/standalone/configuration   
        The path may vary if one has not installed to the default path.   
   
    - This directory should contain the following 2 files:   
        apollo.keystore   
        standalone.xml   
   
    - Before proceeding further, make copies of these two files and save them to a safe location.   
   
    NOTE: If there are any mistakes or issues with the DPA application after this procedure, the original files can be put back in place. This will restore the configuration. If copies of these original files are not saved and mistakes are made that lead to the DPA application not starting or the DPA GUI being inaccessible using HTTPS, there is no method to recover from this other than a re-installation of the DPA application.
   
    - List the contents of the apollo.keystore with the following command:   
   
        /opt/emc/dpa/services/_jre/bin/keytool -list -keystore apollo.keystore   
   
    - Enter the apollo.keystore password when prompted (the default apollo.keystore password is "apollo"). The output of the command will look similar to the output below.
   
        Enter keystore password:   
   
        Keystore type: JKS   
        Keystore provider: SUN   
        Your keystore contains 2 entries   
   
        apollokey, Jul 22, 2013, PrivateKeyEntry,   
        Certificate fingerprint (SHA1): 22:97:5A:5D:54:6A:55:43:FE:58:0A:74:89:35:01:86:BC:D1:E1:05   
   
        mykeyalias, Nov 17, 2018, PrivateKeyEntry,   
        Certificate fingerprint (SHA1): DF:7E:C1:F0:75:34:AD:84:D5:58:A7:C4:06:EA:36:64:4C:29:BC:25   
   
    - The output of this command shows that the keystore is currently configured with two (2) PrivateKeyEntry key-aliases, "apollokey" and "mykeyalias". Typically the keystore will have one or two of these entries, but could have more in some cases. Take note of the names of all PrivateKeyEntry key-aliases listed in the keystore.

    - Changing the password for a keystore requires that all PrivateKeyEntry key-aliases contained in the keystore also have their passwords changed to match the keystore. The order of changing the passwords is not important. One can change the keystore password first or the PrivateKeyEntry key-aliases first.
   
    - To change the password for the apollo.keystore use the following command:   
   
        /opt/emc/dpa/services/_jre/bin/keytool -storepasswd -keystore apollo.keystore   
   
    - In the output of this command you first enter the current password for the apollo.keystore. Then enter the new password for the keystore. Lastly re-enter the new password for the keystore.   
   
        Enter keystore password:   
        New keystore password:   
        Re-enter new keystore password:   
   
    - Verify the keystore password has changed as expected by again listing the contents of the apollo.keystore with the following command. The output should be identical to the previous run of the command.   
   
        /opt/emc/dpa/services/_jre/bin/keytool -list -keystore apollo.keystore   
   
    - Next, change the passwords for the key-aliases. The command for changing a single key-alias password is below.
        NOTE: Again, the new password must match the new password for the keystore.
   
        /opt/emc/dpa/services/_jre/bin/keytool -keypasswd -keystore apollo.keystore -alias apollokey   
   
    - In the output of this command one first enters the current password for the apollo.keystore. Then after that there are two possible output variations.   
   
        First variation   
   
            Enter keystore password:   
            New key password for <apollokey>:   
            Re-enter new key password for <apollokey>:   
   
        Second variation    
   
            Enter keystore password:   
            Enter key password for <apollokey>   
            New key password for <apollokey>:   
            Re-enter new key password for <apollokey>:   
   
    - In the first variation, enter the new key-alias password and then re-enter it. In the second variation, first enter the current key-alias password, then the new key-alias password, and then re-enter the new password. Typically the current key-alias password will be the original keystore's password (the default apollo.keystore password is "apollo").
   
    - This command must be performed for all PrivateKeyEntry key-aliases in the keystore. In our case this means the command must be run for both apollokey and mykeyalias.   
   
    - Next, the key-alias password setting needs to be changed to the new password in the DPA application's configuration file, "standalone.xml".

    - Edit the standalone.xml file with a text editor such as "vi" or "Notepad".
   
    - Navigate to the following line, which should be located towards the end of the file. Performing a search or find for "password" or "ssl" is one method to navigate there quickly.   
   
        <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2" verify-client="false"/>   
   
    - Modify the password on this line to match the new password you have set for the keystore and key-aliases. For example if the new password is "my1Pass00", then the modified line will look like this:   
   
        <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="my1Pass00" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2" verify-client="false"/>   
   
    - Save the standalone.xml file.   
   
    - Restart the DPA application.   
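
    A consistency check that can be run before the restart step above, given as an added example (not part of the original article or the DPA product). It lists every PrivateKeyEntry alias from saved `keytool -list` output and confirms that the password in standalone.xml equals the new one; the function names, temp files and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper checks for the keystore password change procedure.
# Function names, temp files and sample data are constructed for illustration.

# Print the alias of every PrivateKeyEntry in `keytool -list` output (stdin),
# so that no alias is missed when running `keytool -keypasswd`.
list_private_key_aliases() {
    awk -F', ' '/PrivateKeyEntry/ { sub(/^[ \t]+/, "", $1); print $1 }'
}

# Print the password attribute of the <ssl name="ssl" ...> element in the
# standalone.xml given as $1.
ssl_password_in_config() {
    sed -n 's/.*<ssl name="ssl"[^>]* password="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if standalone.xml ($1) carries the password held in NEW_PASS.
# Holding it in a variable keeps it out of the command arguments.
config_matches_new_password() {
    [ -n "$NEW_PASS" ] && [ "$(ssl_password_in_config "$1")" = "$NEW_PASS" ]
}

# --- Demo on constructed sample data (not a real DPA installation) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/keytool-list.txt" <<'EOF'
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries

apollokey, Jul 22, 2013, PrivateKeyEntry,
mykeyalias, Nov 17, 2018, PrivateKeyEntry,
EOF
cat > "$demo_dir/standalone.xml" <<'EOF'
<ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="my1Pass00" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" verify-client="false"/>
EOF

echo "Aliases that each need keytool -keypasswd:"
list_private_key_aliases < "$demo_dir/keytool-list.txt"

NEW_PASS='my1Pass00'   # sample value taken from the article's example
if config_matches_new_password "$demo_dir/standalone.xml"; then
    echo "standalone.xml matches the new keystore password"
else
    echo "MISMATCH: fix standalone.xml before restarting DPA" >&2
fi
rm -rf "$demo_dir"
```

    On a real server, feed the function the saved output of the `keytool -list` command from the steps above and point the config check at the standalone.xml in the configuration directory.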
   
   
    NOTE: If the DPA application will not start or the DPA GUI is inaccessible using HTTPS after this configuration change, then a mistake has been made in one or more of the steps. In these cases, the original files (apollo.keystore and standalone.xml) should be put back in place. Reverting to the original files will restore the unmodified configuration. If copies of these original files have not been saved beforehand and the DPA application will not start or the DPA GUI is inaccessible using HTTPS, there is no method to recover from this other than a re-installation of the DPA application.
   
    Please contact Dell EMC Technical Support for more information or assistance.