Honored Contributor.

uCMDB 11.33 - certificates in server.keystore overwritten at startup

Hi experts

I started to use certificates signed by a Root CA and tried to replace the OOTB keystore with new certificates.
Using the hardening and troubleshooting guide (https://docs.microfocus.com/UCMDB/10.33/ucmdb-docs/docs/eng/doc_lib/Content/admin/ConfigManagDB_tr_trouble_limits.htm?Highlight=keystore) it now looks quite good. But I have strange behaviour at start of the Windows service:

Before start, my new server.keystore has 3 certificates (1x server, 2x root CA); this looks good with the "keytool -list" command.
When starting the uCMDB Service again, the content of server.keystore changes back to default.
This means that after startup I can run the same command (keytool -list) and I get the default certificate "hpcert".
The password (storepass) value is the same. So I assume there is a startup behaviour which cleans my keystore and loads the default certificate back.
How can I prevent this? Any known bug?

Thanks in advance for your help!

Micro Focus Expert

Re: uCMDB 11.33 - certificates in server.keystore overwritten at startup

In the 'Hardening Guide', page 25ish (on 11.0 documentation):

Caution: There can be one server certificate only in server.keystore.

What you should do is:

  1. Generate a keystore
  2. Create a CSR
  3. Get it signed
  4. Install it
  5. Add Root and intermediate certificates to the cacerts file

Hope this helps,
Keith Paschal
UCMDB Worldwide Support Lead
Micro Focus Support
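
A check for the layout described in the reply above (one server certificate in server.keystore, root and intermediate certificates in cacerts), added here as an example; it is not part of the thread and not Micro Focus code. It parses the output of "keytool -list"; the sample output, its aliases and the function names are constructed for illustration.

```python
import re

# One entry line of `keytool -list` (non-verbose): <alias>, <date>, <entry type>,
ENTRY = re.compile(
    r"^(?P<alias>.+?), .+, (?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$"
)

def parse_keytool_list(text):
    """Return [(alias, entry_type)] from `keytool -list` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("alias"), m.group("kind")))
    return entries

def check_server_keystore(text):
    """Compare a server.keystore listing with the layout from the reply:
    one server certificate there, CA certificates in cacerts instead."""
    entries = parse_keytool_list(text)
    server = [a for a, k in entries if k == "PrivateKeyEntry"]
    cas = [a for a, k in entries if k == "trustedCertEntry"]
    findings = []
    if len(server) != 1:
        findings.append("expected exactly 1 PrivateKeyEntry, found %d: %s"
                        % (len(server), server))
    for alias in cas:
        findings.append("CA certificate '%s' is in server.keystore; "
                        "the reply puts it in cacerts" % alias)
    return {"server": server, "ca": cas, "findings": findings}

# Constructed sample (aliases, dates, fingerprints are made up), modelled on
# the keystore in the question: 1 server entry plus 2 root CA entries.
SAMPLE = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

rootca1, Mar 4, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
ucmdbserver, Mar 4, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77
rootca2, Mar 4, 2019, trustedCertEntry,
Certificate fingerprint (SHA-256): 88:99:AA:BB
"""

if __name__ == "__main__":
    for finding in check_server_keystore(SAMPLE)["findings"]:
        print(finding)
```

Running the same check on a listing taken before and after a service start shows whether the entries that disappear are the ones the reply says do not belong in server.keystore.
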
Honored Contributor.

Re: uCMDB 11.33 - certificates in server.keystore overwritten at startup

Hi Keith

Thank you for the reply.
Unfortunately this does not really help. I did it exactly this way:

Generate certificate and create CSR, sign using CA, verify using "list".
I tried to rename the alias to "hpcert" but it did not help. When starting the uCMDB service the server.keystore is updated with default keys.

Any other ideas?

Respected Contributor.

Re: uCMDB 11.33 - certificates in server.keystore overwritten at startup

Hi,

I'm having the same issue. Has anyone found a solution?

Thank you,

Gerry
