Changing passwords for the Tomcat keystore

You must change the default passwords for the Tomcat keystore and private keys.

The default password for both the Tomcat private key and the keystore is changeit. You must change the passwords by using the keytool command.
Note: The keytool application is included in the Java™ developer kit and is not part of IBM DevOps Deploy (Deploy).

If you change the key password to a value other than the keystore password, you must update the password in the secured-installed.properties file manually. The properties for Tomcat key and keystore passwords are defined as tomcat.key.password and tomcat.keystore.password in the secured-installed.properties file.

The properties are referenced in the server/opt/tomcat/conf/server.xml file as keyPass="${tomcat.key.password}" and storePass="${tomcat.keystore.password}" in the HTTPS connector configuration.

Important: If you use a plain text password in the server.xml file and the passwords entered in the secured-installed.properties and server.xml files do not match, then the server fails to accept any web requests and you cannot access the application in your browser. Because of a Tomcat keystore limitation, no visible error message is produced.
You must consider the following scenarios before changing the passwords:
  • If you change the keystore password, then you must change the Tomcat private key password as well.
  • If the keystore has a typical configuration where no explicit key password is set, then you can just change the keystore password to change them both.
  • You can directly change the key password only in advanced scenarios where the key password is already different from the store password.
  • You are responsible for managing your passwords. Deploy currently does not include the password recovery feature.

When you are upgrading from version 8.1.0 or before, the plain text passwords in the server.xml file are replaced with the ${tomcat.key.password} and ${tomcat.keystore.password} variables, and the passwords are added to the secured-installed.properties file automatically.

  1. Stop the server.
  2. Open a command-line window, and go to the opt/tomcat/conf directory.
  3. Change the Tomcat keystore password by using the following command:
    keytool -storepasswd -new newStorePassword -keystore tomcat.keystore -storepass changeit
  4. Change the Tomcat private key password by using the following command:
    keytool -keypasswd -alias server -keystore tomcat.keystore -storepass changeit -keypass changeit
    Notes:
    • The default server alias is server.
    • In this example, the keystore password is assumed to still be the default password; if you already changed it in step 3, supply the new keystore password with -storepass.
    • The passwords for the keypass and storepass attributes must be correct.
  5. You are prompted to enter a new password:
    New key password for <server>:
    Re-enter new key password for <server>:
    A warning message is displayed:
    The Java Keystore (JKS) keystore uses a proprietary format. If you are using
    JKS keystore, you must migrate to Personal Information Exchange Syntax
    Standard (PKCS12) which is an industry standard format using the following
    keytool command:
    keytool -importkeystore -srckeystore opt/tomcat/conf/tomcat.keystore
    -destkeystore opt/tomcat/conf/tomcat.keystore -deststoretype pkcs12
  6. In a text editor, open the server-install\conf\server\secured-installed.properties file.
  7. Specify the new key and keystore passwords for Tomcat in the following lines:
    tomcat.key.password=newKeyPassword
    tomcat.keystore.password=newKeystorePassword
  8. Start the server.
The Tomcat key and keystore passwords are changed and are obfuscated in the server-install/conf/server/secured-installed.properties file.
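Before step 8, the following pre-flight check (an added example, not part of IBM Deploy or of this page) verifies the wiring described above: it assumes the server.xml attribute names keyPass and storePass used on this page (plus Tomcat's own keystorePass spelling), constructs sample copies of the two files, and calls keytool only when it is on the PATH.

```shell
#!/bin/sh
# Added pre-flight check (not IBM tooling) to run before "Start the server": the
# HTTPS connector in server.xml must reference the two properties rather than hold
# plain-text passwords (a mismatch fails with no error), both properties must be
# set in secured-installed.properties, and, if keytool is on PATH, the store
# password must open the keystore. Sample files below are constructed.
# check_password_wiring <server.xml> <secured-installed.properties>; 0 = consistent
check_password_wiring() {
    xml="$1"; props="$2"; rc=0
    for prop in tomcat.key.password tomcat.keystore.password; do
        grep -Eq "^[[:space:]]*${prop}=.+" "$props" \
            || { echo "MISSING: ${prop} has no value in ${props}"; rc=1; }
    done
    grep -Eq '[[:space:]](storePass|keystorePass)="' "$xml" \
        || { echo "MISSING: no store password attribute in ${xml}"; rc=1; }
    grep -Eq '[[:space:]]keyPass="' "$xml" \
        || { echo "MISSING: no keyPass attribute in ${xml}"; rc=1; }
    # storePass is the attribute name used on this page; keystorePass is Tomcat's own
    for attr in keyPass storePass keystorePass; do
        val=$(sed -n "s/.*[[:space:]]${attr}=\"\([^\"]*\)\".*/\1/p" "$xml" | head -n 1)
        case "$val" in
            '') ;;  # attribute absent
            '${tomcat.key.password}'|'${tomcat.keystore.password}') echo "OK: ${attr}=${val}" ;;
            *) echo "PLAINTEXT: ${attr} is a literal; if it differs from ${props}" \
                    "the server silently refuses web requests"; rc=1 ;;
        esac
    done
    return $rc
}

# verify_store_password <keystore> <password>; keytool comes from the JDK, not Deploy
verify_store_password() {
    command -v keytool >/dev/null 2>&1 || { echo "SKIP: keytool not on PATH"; return 0; }
    keytool -list -keystore "$1" -storepass "$2" >/dev/null 2>&1 \
        && echo "OK: keystore $1 opens with the given store password" \
        || { echo "FAIL: store password rejected for $1"; return 1; }
}

# write_samples <dir>: constructed copies of the two files, so the check runs offline
write_samples() {
    cat > "$1/server.xml" <<'EOF'
<Connector port="8443" SSLEnabled="true" keystoreFile="opt/tomcat/conf/tomcat.keystore"
           storePass="${tomcat.keystore.password}" keyPass="${tomcat.key.password}" />
EOF
    printf 'tomcat.key.password=newKeyPassword\ntomcat.keystore.password=newKeystorePassword\n' \
        > "$1/secured-installed.properties"
}

if [ $# -eq 2 ]; then check_password_wiring "$1" "$2"; fi
```

Run it as `sh check.sh opt/tomcat/conf/server.xml server-install/conf/server/secured-installed.properties`; a non-zero exit means the server would start but refuse HTTPS requests without reporting why.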