Honored Contributor.

Is it possible to see or decrypt the Keystore password?

Greetings to all,
I am applying the CUP3 for UCMDB 10.33; however, I could not finish the installation because I do not remember the password of the keystore:

[screenshot: keystore.PNG]

Does this password change at any time? Or is the keystore password always the default one?
Is there any command or method from the JMX to see this password?

If the password is by default I have the following options:
logomania
changeit
hppass

Is it any of these?

Thank you,

Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Actually the problem is not when you deployed CUP3, only then you noticed it.
In URM_rsources we have 2 settings which start with server.ssl which contain the keystore and truststore password.

In your scenario they are missing or unencrypted. This happened when you deployed 10.33 without any CUP.

Now you can follow https://docs.microfocus.com/UCMDB/10.33/ucmdb-docs/docs/eng/doc_lib/Content/admin/ConfigManagDB_tr_trouble_limits.htm?Highlight=keystore
This was discussed in the past https://community.softwaregrp.com/t5/CMS-UCMDB-and-UD-User/Fresh-uCMDB-10-32-Install-doesnt-start/td-p/1605186

A solution is to change all of them to hppass (3 items actually: keystore, truststore, alias hpcert) and assume that the code will consider it as valid.
To answer your initial question: no, you can't decrypt it in 10.33.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
Honored Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hello johnc, so far I have no problems starting the UCMDB; it is still working perfectly. I just could not install the CUP3 because I do not know the password of the keystore (one of the steps of installing the CUP); for this reason I want to get it.
I do not think that starting to change passwords is a good idea, especially if it is done with great care.
I just want to confirm that the default keystore password is hppass and that it is not modified or changed at the time of having a signed certificate.

Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

In the documentation provided earlier you have the steps to verify the passwords. You will notice something interesting.

You can try to see if hppass works with

keytool -list -keystore C:\UCMDB\UCMDBServer\conf\security\server.keystore

The problem is already there: your UCMDB is not aligned whether you change or don't change the passwords. In the current state you can't update or upgrade, as on the disk you have a different password than the one in URM (actually in URM you have no password, but technically they are different even if one side is null).

The CUP deployment flow inherits the keystore/truststore password verification. In my opinion it shouldn't; this is a design defect, but this is how we have it in 10.33. The CUP deployment flow shouldn't care about that step. The password check is relevant only for the full installer, but it was inherited in the CUP deployment flow.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

I want to state that this problem exists for all the versions up to 2018.08. No matter what keystore password is set, the default one is used (I forgot whether it is hppass or logomania).

Petko

Likes are appreciated!
Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

It's hppass and it affected mostly 10.32 and 10.33.
In 11.x we altered the flow a little bit but we still don't have proper logging.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hey Bogdan,

Not sure about logging, but when I installed 2018.08, no matter what values I set for keystore passwords, the one used stays hppass. It's quite uncomfortable to explain to the customer that this hasn't been fixed for years.

Petko

Likes are appreciated!
Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Unfortunately I was the lucky engineer to report such issues 1 day after 10.32 was released, the version where we forced the change of keystore/truststore passwords, hence we received the Troubleshooting guide.

There are several things that happen in the background that we don't handle properly:

  • passwords are set by the bin\key-truststore.bat file which, for some odd reason, doesn't have a control mechanism. It will say if it completed successfully or if it had an error, but we never check the output, so whatever happens we assume that it worked. It can fail due to improper dependencies, no JAVA_HOME path or similar things. It should create the conf\security\server-storepass.conf file with the encrypted passwords.
  • the file server-storepass.conf is not created or it contains plain-text passwords or null passwords. The 2 URM settings will never be properly updated and... well, it will fail during startup
  • the installer doesn't have the proper permissions to alter the server.keystore and server.truststore files, hence they will have the OOTB hppass
  • the upgrader will wrongly overwrite the server.* files and they will have the OOTB hppass

These are the main reasons that I found so far and for each of them there is a fix which can be easier or harder to implement.
I do believe that we should have better logging and cmd output handling so such scenarios will be better handled.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
Honored Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hi Bogdan, it really is absurd.

I tried to deploy the CUP again and at the moment of entering the keystore password (hppass) it sends me a message that indicates that the password must contain at least the condition of alphanumeric, capital/lowercase letters and other ...

However, when checking the password of the keystore per command, the exit is successful with the password (hppass): [screenshot: keystore_comand.PNG]

Will I definitely have to expose myself to make the password change for keystore, truststore, and others?

By the way, is it useful to implement CUP3 in UCMDB 10.33? What are its benefits?

And regarding your comment "To answer your initial question: no, you can't decrypt it in 10.33": is it possible to decipher it in some version of UCMDB? 2018.08, for example?

Thanks,

Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hello Marsella,

In 11.0 we have the diagnostic tools, which resolve the masterKey password, keystore/truststore and other sensitive issues. The bad luck is that even after 9 months we still don't have the documentation for it. It needs a token in order to be used.

As stated before, the problem is not in the CUP3 deployment, now you are observing the side effects of the 10.33 deployment. The initial 10.33 deployment failed to properly update the passwords on the disk and most likely it failed to update them in the DB.

My suggestion is to open a Support case for this and mention this thread, we have here the needed information so Support can work on it.

It can be resolved. I've done it several times following the troubleshooting guide for keystore/truststore passwords.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
Honored Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hello Bogdan:

I'd like to try before opening a case to support Micro Focus.
I think the first thing I should do is standardize all the passwords? That's the suggestion you made in one of the comments, is that so?
I have a concern:
How to ensure from the implementation that passwords are correctly updated on the disk and in the database?

Thanks,

Acclaimed Contributor.

Re: Is it possible to see or decrypt the Keystore password?

Hello,

I don't understand your first question regarding MF Support. Can you rephrase it?

Normally you can make sure the passwords are correctly deployed by running the installer with run-as-admin privilege and by checking after the installation that you don't have hppass for keystore and truststore. Some local restrictions may apply depending on what your domain/local policies are.

Kind regards,
Bogdan Mureșan

EMEA Technical Success
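
The post-installation check described in the replies above (the stores must not still open with the out-of-the-box hppass, and server-storepass.conf must exist and not be empty or plain text), as an added example that is not part of the original thread or of UCMDB. It assumes keytool is on PATH and that server.truststore sits beside the server.keystore path quoted in the thread; the function names and the injectable `run` parameter are hypothetical.

```python
import subprocess
from pathlib import Path

DEFAULT_PASSWORD = "hppass"  # OOTB value named in the thread
SECURITY_DIR = Path(r"C:\UCMDB\UCMDBServer\conf\security")  # path from the thread
STORES = ("server.keystore", "server.truststore")  # assumed to sit side by side


def opens_with(store, password, run=subprocess.run):
    """True if `keytool -list` accepts the password (exit code 0).

    Only the known default is ever passed on the command line, so no
    real secret is exposed in the process list.
    """
    result = run(
        ["keytool", "-list", "-keystore", str(store), "-storepass", password],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def audit(security_dir=SECURITY_DIR, run=subprocess.run):
    """Return a list of findings; an empty list means every check passed."""
    security_dir = Path(security_dir)
    findings = []
    for name in STORES:
        store = security_dir / name
        if not store.is_file():
            findings.append(f"{name}: missing")
        elif opens_with(store, DEFAULT_PASSWORD, run):
            findings.append(f"{name}: still opens with the default password")
    conf = security_dir / "server-storepass.conf"
    if not conf.is_file():
        findings.append("server-storepass.conf: missing")
    else:
        text = conf.read_text(errors="replace").strip()
        if not text:
            findings.append("server-storepass.conf: empty")
        elif DEFAULT_PASSWORD in text:
            findings.append("server-storepass.conf: default password in plain text")
    return findings


if __name__ == "__main__":
    problems = audit()
    for line in problems:
        print("FAIL", line)
    # Non-zero exit so a calling installer or batch file can react to failure.
    raise SystemExit(1 if problems else 0)
```
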