Obtaining access to the keystore

Certificates are stored in a Java™ keystore. The keystore contents are protected with a password. To manipulate the certificates in the keystore, you must obtain access to the keystore.

About this task

The default self-signed certificate and keystore password are generated automatically during installation, so you are unlikely to know the initial password.

Complete the following procedure to replace the original keystore with a new keystore and a new self-signed certificate. The new keystore is protected by a password of your choice.

If you already know the keystore password, skip this procedure.

Procedure

  1. Stop the Data Protection for VMware vSphere GUI service.
  2. From the command line, change the directory to the keystore location.
    • On Linux: /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/resources/security/
    • On Windows: C:\IBM\tivoli\tsm\tdpvmware\webserver\usr\servers\veProfile\resources\security\
  3. Make a backup copy of the keystore file (key.jks) by renaming it or moving it to a different location.
  4. Create a new keystore and a new self-signed certificate by issuing the following command:
    keytool -genkeypair -alias vekey -dname CN=fqdn,OU=Tivoli_Storage_Manager_for_VMware,O=IBM -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity days -keystore key.jks -storepass password -keypass password
    Where:
    -dname CN=fqdn,OU=Tivoli_Storage_Manager_for_VMware,O=IBM
        fqdn is the DNS name or fully qualified domain name of the computer on which the Data Protection for VMware vSphere GUI is installed.
    -validity days
        The certificate validity period, in days.
    -storepass password
        The keystore password. Ensure that you remember this password for future use.
    -keypass password
        The private key password for the certificate. This password must match the keystore password.
  5. Encode the keystore password by using the securityUtility tool. Issue the following command.
    • On Linux: /opt/tivoli/tsm/tdpvmware/common/webserver/bin/securityUtility encode
    • On Windows: C:\IBM\tivoli\tsm\tdpvmware\webserver\bin\securityUtility.bat encode
    Enter your keystore password when prompted and then save the output (for example, copy it to the clipboard).
  6. Open the bootstrap.properties file in an editor and set the veProfile.keystore.pswd property to the encoded value from the previous step. The bootstrap.properties file is in the following location:
    • On Linux: /opt/tivoli/tsm/tdpvmware/common/webserver/usr/servers/veProfile/
    • On Windows: C:\IBM\tivoli\tsm\tdpvmware\webserver\usr\servers\veProfile\
  7. Start the Data Protection for VMware vSphere GUI service.
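
Steps 3 and 6 on Linux, written as shell functions. This is an added example, not IBM's code: the function names are hypothetical, the script is meant to run as the account that owns the files, and it assumes that securityUtility output starts with an {algorithm} tag such as {xor}.

```shell
#!/bin/sh
# Added example: back up key.jks (step 3) and set the encoded password (step 6).
# Usage, from the directories named in steps 2 and 6:
#   backup_keystore key.jks
#   set_keystore_pswd bootstrap.properties '<output of securityUtility encode>'

# Step 3: move the keystore aside under a timestamped name, readable by owner only.
backup_keystore() {
    ks=$1
    [ -f "$ks" ] || { echo "no keystore at $ks" >&2; return 1; }
    bak="$ks.$(date +%Y%m%d%H%M%S).bak"
    mv "$ks" "$bak" && chmod 600 "$bak" && echo "$bak"
}

# Step 6: replace (or append) veProfile.keystore.pswd with the encoded value.
# Assumption: a value without a leading {algorithm} tag is plaintext pasted by
# mistake, so it is refused rather than written to disk.
set_keystore_pswd() {
    props=$1 encoded=$2 key=veProfile.keystore.pswd
    [ -f "$props" ] || { echo "no properties file at $props" >&2; return 1; }
    case $encoded in
        \{*\}?*) ;;
        *) echo "value does not look encoded; refusing to store it" >&2; return 2 ;;
    esac
    tmp=$(mktemp "$props.XXXXXX") || return 1
    cp "$props" "$props.bak" && chmod 600 "$props.bak"
    # ENVIRON passes the value literally: no sed metacharacters, no awk -v escapes.
    KEY=$key VAL=$encoded awk '
        index($0, ENVIRON["KEY"] "=") == 1 {
            if (!done) print ENVIRON["KEY"] "=" ENVIRON["VAL"]
            done = 1; next
        }
        { print }
        END { if (!done) print ENVIRON["KEY"] "=" ENVIRON["VAL"] }
    ' "$props" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back in place so ownership is kept, then restrict access: the stored
    # value is encoded, not encrypted.
    cat "$tmp" > "$props" && rm -f "$tmp" && chmod 600 "$props"
}
```

The previous bootstrap.properties is kept beside the edited file as bootstrap.properties.bak, so a bad edit can be rolled back before the service is started in step 7.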