IT Process Automation

  • 1.  Keystore was tampered with, or password was incorrect

    Posted Feb 18, 2019 11:57 AM

    Since North American support is offline today for the holiday and unable to look at my current ticket, I'm going to ask the community for support.

    I'm trying to get Process Automation (PAM [4.3SP1]) to communicate with Service Desk Manager (SDM[14.1]) using SSL.  Windows/MSSQL for both PAM and SDM.  PAM and SDM are on different servers but are on the same subnet, so they can (and have in the past) communicated correctly.  I have PAM working in my production environment.  This is a development environment (recreate) that is not able to connect.  Accessing either PAM or SDM using a browser is successful.

    I receive this error in SDM when attempting to connect to PAM by trying to add a workflow to a Change Category:

    There is a problem accessing CA IT PAM Workflow - please try again or contact the administrator. Details: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    I have reinstalled PAM.  I have re-registered PAM with EIAM. 

    In order to connect SDM and PAM, I'm using my notes as well as the online instructions at:
    How to Enable Communications between Service Desk - CA Knowledge 

    I was able to connect SDM and PAM using this information with a default OasisConfig.properties file where the ALIAS was ITPAM, etc.  SDM and PAM connected just fine.

    I was given a keystore file from our Certificate Authority with a known and tested (using keytool.exe) password and alias. 

    I ran the PasswordEncryption.bat file to get the password encrypted.  I took that password and exchanged it with the "itpam.web.keystore.password" in the OasisConfig.properties file and saved the file.

    I then went to C:\Program Files\Java\jdk****\bin and ran the keytool.exe.

    keytool.exe -keystore C:\PROGRA~1\CA\PAM\server\c2o\.config\c2okeystore -export -alias tomcat -file itpam.cer
    Enter keystore password: (using the new "itpam.web.keystore.password" from OasisConfig.properties as instructed)

    And I receive the following error:
    keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

    I've tried everything I can think of to solve this problem.  I have even performed a complete reinstall of PAM. 

    I validated the password on the keystore file using the following command:

    keytool -v -list -keystore C:\pam.keystore

    I put in the password when prompted and all is fine.  I'm able to see the information on the keystore file with my known password.

    From what I can tell, it seems that the C:\PROGRA~1\CA\PAM\server\c2o\.config\c2okeystore file is likely the problem. 

    Has anyone else seen this problem?

    Thanks to anyone who is willing to look at this.  I appreciate the time.

    John



  • 2.  Re: Keystore was tampered with, or password was incorrect

    Posted Feb 20, 2019 10:23 AM

    I have experienced this issue when PAM and SDM are using different levels of Java. I solved it by making sure that SDM was using the same version of Java.



  • 3.  Re: Keystore was tampered with, or password was incorrect
    Best Answer

    Posted Feb 21, 2019 06:00 PM

    Thanks Lindsay for the help on that one.  Both my applications were on the same level of Java. 

    I did however solve my problem.

    How to Enable Communications between Service Desk - CA Knowledge

    In this document are the following steps:

    Copy the KEYSTOREID.

    Be prepared to paste the KEYSTOREID value as the password after you issue the keytool command.

    On the CA IT PAM server, issue the following keytool command as one line on the command line:

    C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\Progra~1\ITPAM\server\c2o\.config\c2okeystore -export -alias ITPAM -file itpam.cer

    itpam.web.keystorealias=

    Default: ITPAM

    Note: In earlier versions of ITPAM, the default was c2o-j.

    The keytool utility prompts you for a password.

    Paste or type the KEYSTOREID value as the password. <--- this is incorrect when using your own keystore!

    The keytool utility uses the final parameter (-file itpam.cer) to create a file named itpam.cer. The itpam.cer file contains the necessary certificate information for communications with CA Service Desk Manager.

    When you use the command:

    C:\Progra~1\ca\sc\jre\1.6.0_24\bin\keytool.exe -keystore C:\mypam.keystore -export -alias [your alias] -file itpam.cer

    You are prompted for a password.  From the documentation, it says to use the KEYSTOREID.  I also tried using the encrypted password generated from the PasswordEncryption.bat file.

    The answer: use the cleartext password given to you for your keystore file.  Don't copy anything into the password prompt.  The password is exactly what your certificate authority has given to you for your keystore file.
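
Added example, not part of the original thread and not CA or keytool code: a Python sketch of the integrity check a JKS keystore loader performs, showing why typing the encrypted form of the password and a modified file both produce the same "tampered with, or password was incorrect" message. It assumes the keystore is in JKS format; the passwords and the empty keystore are constructed sample values.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into its hash
ERR = "Keystore was tampered with, or password was incorrect"

# Constructed sample values, not taken from the thread.
CLEARTEXT = "Sample-Pass-123"                   # password issued with the keystore
ENCRYPTED_FORM = "ENCRYPTED-PLACEHOLDER-VALUE"  # stand-in for PasswordEncryption.bat output


def _digest(password: str, body: bytes) -> bytes:
    # Password as UTF-16BE, then the fixed salt, then every byte of the store.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed input: a JKS version 2 store holding zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _digest(password, body)


def check_jks(data: bytes, password: str) -> str:
    """Repeat the integrity check a JKS loader performs on open."""
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not a JKS keystore"
    body, stored = data[:-20], data[-20:]
    if hmac.compare_digest(_digest(password, body), stored):
        return "ok"
    return ERR


def demo() -> dict:
    store = build_empty_jks(CLEARTEXT)
    tampered = bytearray(store)
    tampered[8] ^= 0x01  # flip one bit in the entry-count field
    return {
        "cleartext": check_jks(store, CLEARTEXT),
        "encrypted_form": check_jks(store, ENCRYPTED_FORM),
        "tampered_file": check_jks(bytes(tampered), CLEARTEXT),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The loader cannot tell a wrong password from a changed file because both only show up as a digest mismatch, so the error alone does not mean the keystore is damaged.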