How to update certificate inside a keystore being used for authentication with REST Datasource?
Article ID: KB0072309
Updated On:
| Products | Versions |
|---|---|
| TIBCO Data Virtualization | All supported versions |
Description
Custom certificates may be needed while authenticating a REST endpoint URL while using the REST Data source in TDV. This certificate is imported in a Keystore which is in turn specified in the "Advanced" tab of the data source.
If the certificates present in the Keystore are expired, this will lead to a "PKIX Path Building Failed" error. A new certificate is needed which can then be used for successful authentication.
If the certificates present in the Keystore are expired, this will lead to a "PKIX Path Building Failed" error. A new certificate is needed which can then be used for successful authentication.
Issue/Introduction
This article describes the steps to update the keystore containing expired certificates that is currently being used by the REST Datasource.
Environment
All supported OS.
Resolution
To update the existing Keystore file with the new certificate, the below steps can be used:
Pre-req: Take a Backup of the Keystore before making any changes.
(1) Find and locate where the existing Keystore that is referenced on the REST data source is located.
(2) Perform a list on this data source using the below keytool command:
[TDV_Server_install]\JDK\bin\keytool -list -v -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
Example:
C:\apps\tdv_80\JDK\bin\keytool -list -v -keystore C:\apps\tdv_80\conf\server\security\rest_db_keystore.jks -storepass changeit
(3) Delete the expired certificate using the below command: (get the alias for this command from the output of #2)
[TDV_Server_install]\jdk\bin>keytool -delete -alias <value_from_above_list> -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
(4) Import the new certificate (.cer) into the Keystore
[TDV_Server_install]/jdk/bin/keytool -import -trustcacerts -alias <alias_for_new_cert> -file <path_where_new_cert_is_stored>.cer -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
(5) Restart the TDV server.
Note: If you cannot find the location where the keystore is located, you can export it from the Studio using the options provided and then follow the above steps. (for the password, try the default one 'changeit' if you do not know the password)
Pre-req: Take a Backup of the Keystore before making any changes.
(1) Find and locate where the existing Keystore that is referenced on the REST data source is located.
(2) Perform a list on this data source using the below keytool command:
[TDV_Server_install]\JDK\bin\keytool -list -v -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
Example:
C:\apps\tdv_80\JDK\bin\keytool -list -v -keystore C:\apps\tdv_80\conf\server\security\rest_db_keystore.jks -storepass changeit
(3) Delete the expired certificate using the below command: (get the alias for this command from the output of #2)
[TDV_Server_install]\jdk\bin>keytool -delete -alias <value_from_above_list> -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
(4) Import the new certificate (.cer) into the Keystore
[TDV_Server_install]/jdk/bin/keytool -import -trustcacerts -alias <alias_for_new_cert> -file <path_where_new_cert_is_stored>.cer -keystore <path_where_the_keystore_is_located>.jks -storepass <password_for_this_keystore>
(5) Restart the TDV server.
Note: If you cannot find the location where the keystore is located, you can export it from the Studio using the options provided and then follow the above steps. (for the password, try the default one 'changeit' if you do not know the password)
Feedback
Yes
No
Powered by
