Afternoon,
I'm currently going through the vCloud Director install and have hit an issue when doing untrusted certificates.
I have created my http alias certificates.ks file but when trying to add the same but changing the alias to consoleproxy it's not working. Thinking it's due to the file already being created, so I called it certificate.ks and this worked. Now when I go to /opt/vmware/cloud-director/bin/configure and type in the keystore location and password, set the IP address of the http and consoleproxy, I get:
Could not read or write the confirguration file: Invalid keystore format.
Configuration failed in some way.
Help please?
Thanks James
Did you follow all the steps provided in http://kb.vmware.com/kb/1026309 to create self-signed certs?
If you found this or other information useful, please consider awarding points for "Correct" or "Helpful".
f10
VCP3,VCP4,HP UX CSA
I followed the steps for Creating and Importing self-signed SSL certificates. So is there something missing??
Will have to look into this, I did not encounter any similar errors during my setup. BTW, did you run the keytool command from the /opt/vmware/cloud-director/jre/bin/ folder, because Java version 1.6 is required?
I didn't have any issue creating the self-signed cert following the manual.
You can't have two keystores; the configuration tool just asks once for one keystore. There shouldn't be any issue having multiple keys in one keystore as long as the alias is different.
Thanks,
William
Make sure you specify the '-storetype JCEKS' arguments when you create the keystore. vCD will not accept the default keystore type (JKS).
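An added example, not part of the thread: JKS and JCEKS keystores can be told apart by the first four bytes of the file, which gives a quick check of what a keystore really is before handing it to the configure script. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report a keystore's on-disk format.
# JKS files begin with bytes FE ED FE ED, JCEKS files with CE CE CE CE.

keystore_type() {
    # $1 = keystore path; prints JCEKS, JKS, DER-or-PKCS12, empty, unknown or unreadable
    [ -r "$1" ] || { echo "unreadable"; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \t\n')
    case "$magic" in
        cececece) echo "JCEKS" ;;
        feedfeed) echo "JKS" ;;
        30*)      echo "DER-or-PKCS12" ;;  # ASN.1 SEQUENCE tag, e.g. a .p12 or a bare cert
        "")       echo "empty" ;;
        *)        echo "unknown" ;;
    esac
}

check_vcd_keystore() {
    # Succeeds only for JCEKS, the type the thread says vCD requires.
    t=$(keystore_type "$1")
    if [ "$t" = "JCEKS" ]; then
        echo "OK: $1 is JCEKS"
        return 0
    fi
    echo "FAIL: $1 is $t; recreate it with -storetype JCEKS"
    return 1
}

demo() {
    # Constructed sample files: only the magic bytes are real, the rest is filler.
    d=$(mktemp -d)
    printf '\316\316\316\316filler' > "$d/jceks.ks"
    printf '\376\355\376\355filler' > "$d/jks.ks"
    check_vcd_keystore "$d/jceks.ks" || true
    check_vcd_keystore "$d/jks.ks" || true
    rm -rf "$d"
}

demo
```

Against the file from this thread the call would be `check_vcd_keystore /usr/certificates.ks`.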
Sorry for the late reply. Yes, I'm running keytool from /opt/vmware/cloud-director/jre/bin and it's version 1.6.update 10.
I now get keytool error: java.security.KeystoreException: JCEKS after I ran
keytool -genkey -alias http -keystore /usr/certificates.ks -storepass ??? -storetype JCEKS.
Cheers
It's not clear which copy of keytool you're actually running. The command you included will use whichever copy shows up first in your path. If you're getting errors, you may have the GCJ version of keytool installed on the system, which will not work in this case.
Either of the following sets of commands should work:
/opt/vmware/cloud-director/jre/bin/keytool -keystore /usr/certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
/opt/vmware/cloud-director/jre/bin/keytool -keystore /usr/certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy
-or-
cd /opt/vmware/cloud-director/jre/bin
./keytool -keystore /usr/certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias http
./keytool -keystore /usr/certificates.ks -storetype JCEKS -storepass passwd -genkey -keyalg RSA -alias consoleproxy
If you're just using self-signed certs you may find it best to start with a fresh keystore (i.e. pick a different file name or rm the certificates.ks file and then start over).
Morning guys its me again..
Thanks again for your replies but still having issue.
I def have Java 6.1 installed.
When I run the keytool command with -storetype JCEKS I get an error after I put in the FQDN, and if I don't put this line in I can create the http certificate, but when attempting to create the consoleproxy alias with the same certificate name I get a keytool exception error on state. I have used the same company, State details for both and even tried the default but still get the same error.
Cheers
I had a similar problem. I was running Oracle Enterprise Linux (not officially supported - but should work)...
It has an in-built keytool which the syntax from the PDFs hated...
In the end I used keytool (a Java version) from my Apple Mac. Copied the two CSRs and ks file to /opt/keystore on the vCD and it worked like a charm...
Regards
Mike Laverick
RTFM Education
Author of the SRM Book:http://www.rtfm-ed.co.uk/2010/03/22/new-administrating-vmware-site-recovery-manager-4-0/
Free PDF or at-cost Hard Copy
James,
I had the same issue running RHEL5.5. The solution is to run the keytool executable with the full path as stated by kmsmith.
So run the keytool command like this: /opt/vmware/cloud-director/jre/bin/keytool -genkey .....
Good luck!
Yep. I got this fixed too...
I ass-um-ed that woes were caused by using a non-supported distribution of RHEL. I've built my lab environment on Oracle Enterprise Linux. I chose this cos it seemed to make sense from the point of view of selecting an OS that would last beyond an eval period - and the fact that Oracle is currently used for the DB back end. I've written a step-by-step guide to this configuration which will appear on TechTarget soon...
What's interesting is that the issue affects other distros of Linux including the officially supported ones...
Regards
Mike Laverick
The best way to prevent this problem is to not install the Java support package group when installing RHEL/OEL/CentOS. IIRC the Java option is in the Development category. Once it is installed you'd need to go use system-config-packages or rpm directly to remove the offending RPMs. GCJ et al are pretty crummy, so you won't be missing anything of value.
Agreed. And then download and install Java 1.6...
Is this issue in any of the docs? Don't recall reading it. Perhaps a KB on this would be handy?
Regards
Mike Laverick
If you're going to generate the keystore on the vCD server host you can just use the modified copy of Sun JRE 1.6 that ships with vCD ($VCLOUD_HOME/jre) and save yourself the hassle of downloading and agreeing to the Oracle/Sun licensing. If you're generating the keystore on another machine (such as a Windows or Mac OS X desktop) then the Sun JRE/JDK or Apple's JDK would be best.
The specific recommendation to not install the Java package group when installing the OS is not in the docs. The installation guide does explain how to run the vCD-packaged copy of keytool if you run into problems with a copy included with the OS. The vCloud architects (Duncan, Michael, Hany) are in a better position than me to get a KB written, but if all else fails I can raise the issue with techpubs.
There is an existing KB about generating SSL certificates for VMware vCloud Director; kindly provide feedback on this article and we will change the article accordingly.
Arun Pandey
Knowledge Champion
VMware Inc.
VCP3, VCP4, HPCP, HP UX CSA
Interesting KB.
Will ask my editor to add the KB reference to my forthcoming article on how to install vCD...
What's interesting is - that I didn't realize that installing vCD installs the newer version of Java... And that you can run the newer keytool from its directories...
The only thing is - after installing the vCD - the first thing that runs is the configure utility which will ask for the certificates. It feels "neater" to have these certs ready, so you can go straight from the install to the config... especially if you're going to be using full trusted certs rather than self-signed, as I would want to get all that sorted first before kicking off an install routine.
Anyway, I will mention that vCD installs the right version of Java anyway...
I guess another alternative is to use an existing box with Java and copy the certs across - I did that on my Mac when I discovered I couldn't get keytool working due to the versioning issue...
Regards
Mike Laverick
I followed the steps in the doc to create untrusted certs for http and console .. keep on getting, when running the -list,
"invalid keystore format". I am running the right version of Java as per the doc.
Will proceed to uninstall the Java that comes with Red Hat.
Removed Java 1.4 from the OS, re-ran everything using Java 1.6 bundled with vCloud. Same error. Something messed up.