Security Scan shows: Certificate Trust Store (Java) Uses Default or Weak Password Details

Article Number: 534910    Article Version: 2    Article Type: Break Fix

Product:

Data Protection Advisor, Data Protection Advisor 6.5

Issue:

The security scan provided by Bladelogic reported the following for the Data Protection Advisor Application server:

Certificate Trust Store (Java) Uses Default or Weak Password Details:
    Directory Permissions: -rwxrwxr-x
    Directory Owner: apollosuperuser
    Directory Owner Group: dpaservices
    Technical Detail: /app/emc/dpa/services/_jre/lib/security/cacerts

Cause:

The cacerts trust store was still protected by the default password it ships with, which the scanner rates as not strong enough.

Resolution:

To obtain a stronger password, both the cacerts trust store password and the password of its alias were changed with the following steps.

On the Application server:

1. cd "C:\Program Files\EMC\DPA\services_jre\bin"

2. Change the cacerts trust store password with the following command:
       keytool.exe -storepasswd -keystore "C:\Program Files\EMC\DPA\services_jre\lib\security\cacerts"
   Note: the old password is "changeit". Enter the new password when prompted.

3. Add the new line below, with the new password, at the end of the file C:\Program Files\EMC\DPA\services_jre\lib\security\java.security:
       javax.net.ssl.trustStorePassword=<new password>

4. Change the password of the cacerts alias with the command below:
       keytool.exe -keypasswd -keystore "C:\Program Files\EMC\DPA\services_jre\lib\security\cacerts" -storepass PASSWORD -alias <cacerts alias> -keypass changeit -new PASSWORD
   where PASSWORD is the new password created in step 2.

5. Restart the DPA Application.

For additional security the cacerts file permissions were also changed to 444 (read-only).

After these changes, the security scan software no longer reported this alert.
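As an added illustration of what the scanner is actually checking (this is example code, not part of this article and not DPA or Oracle code), the Python script below reads a JKS-format trust store such as cacerts directly, lists its entries, and reports whether the store still opens with the default password "changeit". It does not need a JRE: a JKS file ends with a SHA-1 digest keyed by the store password, so a candidate password can be tested by recomputing that digest. It assumes the JRE bundled with DPA stores cacerts in JKS version 2 format (a PKCS12 store is rejected, not checked); the aliases, passwords and certificate bytes in the sample stores are constructed placeholders.

```python
"""Check whether a JKS trust store (e.g. a JRE's cacerts) still uses the default password.

Added example, not DPA code. Parses the JKS container directly so it runs without a JRE.
"""
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_DIGEST_SALT = b"Mighty Aphrodite"  # fixed string the JKS implementation mixes into the digest
DEFAULT_PASSWORD = "changeit"          # the password a stock cacerts ships with


def _keyed_prefix(password: str) -> bytes:
    # JKS feeds the password to SHA-1 as UTF-16BE characters, followed by the salt string
    return password.encode("utf-16-be") + JKS_DIGEST_SALT


def _read_utf(buf: bytes, pos: int):
    # Java DataOutput.writeUTF: 2-byte big-endian length followed by (modified) UTF-8 bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    return buf[pos:pos + n].decode("utf-8"), pos + n


def _write_utf(s: str) -> bytes:
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def list_jks_entries(data: bytes):
    """Return [(alias, kind)] for every entry; raise ValueError if this is not a JKS v2 file."""
    if len(data) < 12 + 20:
        raise ValueError("too short to be a JKS file")
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS version-2 store (PKCS12 trust stores are not handled here)")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        pos += 4
        alias, pos = _read_utf(data, pos)
        pos += 8  # creation timestamp (ms since epoch), not needed here
        if tag == 2:  # trusted certificate entry: cert type, DER length, DER bytes
            _, pos = _read_utf(data, pos)
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4 + n
            entries.append((alias, "trustedCertEntry"))
        elif tag == 1:  # private key entry: encrypted key blob, then certificate chain
            (n,) = struct.unpack_from(">I", data, pos)
            pos += 4 + n
            (chain_len,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain_len):
                _, pos = _read_utf(data, pos)
                (n,) = struct.unpack_from(">I", data, pos)
                pos += 4 + n
            entries.append((alias, "PrivateKeyEntry"))
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    if pos != len(data) - 20:
        raise ValueError("entry table does not end where the 20-byte digest should start")
    return entries


def jks_password_is_correct(data: bytes, password: str) -> bool:
    """True if `password` reproduces the store's integrity digest (the last 20 bytes)."""
    body, digest = data[:-20], data[-20:]
    expected = hashlib.sha1(_keyed_prefix(password) + body).digest()
    return hmac.compare_digest(expected, digest)


def assess_trust_store(data: bytes) -> dict:
    """What a 'default or weak password' scan check boils down to for a JKS trust store."""
    entries = list_jks_entries(data)
    return {
        "entries": len(entries),
        "uses_default_password": jks_password_is_correct(data, DEFAULT_PASSWORD),
    }


def build_jks(password: str, trusted_certs) -> bytes:
    """Build a JKS v2 store of trusted-certificate entries (used here to construct sample input)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(trusted_certs))
    for alias, der in trusted_certs:
        body += struct.pack(">I", 2) + _write_utf(alias) + struct.pack(">Q", 0)
        body += _write_utf("X.509") + struct.pack(">I", len(der)) + der
    return body + hashlib.sha1(_keyed_prefix(password) + body).digest()


# Constructed sample input: placeholder bytes stand in for a real CA certificate.
PLACEHOLDER_CA_DER = b"\x30\x03\x02\x01\x01"
STORE_WITH_DEFAULT_PW = build_jks(DEFAULT_PASSWORD, [("example-ca", PLACEHOLDER_CA_DER)])
STORE_WITH_ROTATED_PW = build_jks("example-rotated-passphrase", [("example-ca", PLACEHOLDER_CA_DER)])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else STORE_WITH_DEFAULT_PW
    print(assess_trust_store(data))
```

Run with the path of a cacerts file as its only argument; a result with uses_default_password set to True reproduces the scanner's finding, and False after step 2 confirms the rotation took effect. The digest check covers the store password only (what keytool -storepasswd changes in step 2), not the per-entry password changed in step 4, and it says nothing about how strong the new password is.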

Notes:

The cacerts file is not the keystore that DPA normally uses (apollo.keystore, located in /opt/emc/dpa/services/standalone/configuration). Instead, cacerts is a separate trust store (a keystore) holding a collection of trusted certificate authority (CA) certificates. Oracle ships the cacerts file with the SSL support in the Java™ Secure Socket Extension (JSSE) toolkit and the JDK.

With the current self-signed certificate, DPA does not rely on this trust store. However, there may be other third-party endpoints (e.g. ESRS, backup applications, or databases) for which DPA does rely on it when connecting: if the remote application's certificate is signed by a CA, it is verified against this trust store.