APAR status
Closed as documentation error.
Error description
When following the steps described in the IBM Storage Protect documentation for replacing the Operations Center self-signed certificate with a CA-signed one, this error is reported: keytool error: java.lang.Exception: Alias <NAME> does not exist This issue happens because the document "Creating a certificate signing request" is missing the step of creating the certificate keys. Without creating the keys first, the command that generates the signing request looks for an alias that doesn't exist, and therefore reports the error above. A similar problem can also be found in the document "Receiving the signed certificate by using keytool". In this document, the command used as an example to receive the signed certificate has a different alias from all the other commands, which can be misleading and result in the same error mentioned in this APAR. Additional Keywords: TS019552932, SP, STORAGE PROTECT, OC, OPERATIONS CENTER, CERTIFICATE AUTHORITY, SELF-SIGNED, CA-SIGNED Versions Affected: IBM Storage Protect Operations Center 8.1.25 and above on all supported platforms
Local fix
The correct steps to replace the self-signed certificate are described below. The commands in each step are just examples of the expected keytool commands. 1 - Create the new keys. keytool -genkeypair -alias signedcert -keyalg RSA -keysize 2048 -keystore gui-truststore.jks -validity 365 -dname "CN=myhost.example.com" 2 - Create the signing request. keytool -certreq -keystore gui-truststore.jks -keysize 2048 -sigalg SHA256WithRSA -dname "CN=myhost.example.com" -file certreq.csr -alias signedcert -ext "SAN=IP:192.0.2.1,IP:192.0.2 .2,DNS:myhost.example.com,DNS:myhost 3 - Sign the request. 4 - Import the root/intermediate certificates that signed the request. keytool -import -file intermediate.crt -keystore gui-truststore.jks -alias ca-int keytool -import -file root.crt -keystore gui-truststore.jks -alias ca-root 5 - Receive the signed certificate. keytool -importcert -keystore gui-truststore.jks -file signed.crt -alias signedcert 6 - Delete the self-signed certificate. keytool -delete -keystore gui-truststore.jks -alias default 7 - Rename the signed certificate. keytool -changealias -keystore gui-truststore.jks -alias signedcert -destalias default
Problem summary
**************************************************************** * USERS AFFECTED: * * All IBM Storage Protect server users * **************************************************************** * PROBLEM DESCRIPTION: * * See error description. * **************************************************************** * RECOMMENDATION: * * Apply fixing level when available. This problem is currently * * projected to be fixed in level 8.2 Note that this is subject * * to change at the discretion of IBM * ****************************************************************
Problem conclusion
In IBM Documentation, the ?Creating a certificate signing request? topic is updated to correct keytool command to create certificate signning request. This updated help information topic will be published with the updated IBM Documentation for IBM Storage Protect server 8.2 in the following topic URL: https://www.ibm.com/docs/en/storage-protect/8.1.25?topic=browser s-creating-certificate-signing-request Affected platforms:
Temporary fix
Comments
APAR Information
APAR number
IT48344
Reported component name
TSM OPERATIONS
Reported component ID
5608E01UI
Reported release
81X
Status
CLOSED DOC
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2025-07-23
Closed date
2025-07-30
Last modified date
2025-07-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Applicable component levels
[{"Business Unit":{"code":"BU029","label":"Software"},"Product":{"code":"SSGSG7","label":"Tivoli Storage Manager"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"81X"}]
Document Information
Modified date:
30 July 2025