Server Fails To Start With "SRVE0146E: Keystore was tampered with"
 Technote (troubleshooting)
 
Problem (Abstract)
The server fails to start. Either of the following messages may appear in SystemOut.log:

SRVE0146E: Failed to Start Transport on host *, port 9443. The most likely cause is that the port is already in use. Please ensure that no other applications are using this port and restart the server. com.ibm.ws.webcontainer.exception.TransportException: Failed to start transport https: java.io.IOException: Keystore was tampered with, or password was incorrect

JSAS0011E: SSLConfiguration.validateSSLConfig Java Exception. Exception =
java.io.IOException: Keystore was tampered with, or password was incorrect

 
Cause
The keyFilePassword and trustFilePassword values in security.xml do not match the actual passwords of the key files and/or trust files.

To find out which SSL repertoires are in use for the ports on your server, open the server.xml file and look for the <transports> tag:


Example:
<transports xmi:type="applicationserver.webcontainer:HTTPTransport"
xmi:id="HTTPTransport_2" external="false" sslEnabled="true"
sslConfig="myhost/DefaultSSLSettings">
<address xmi:id="EndPoint_2" host="*" port="9443"/>
</transports>

Note: server.xml is located in <install_root>/config/cells/<cellname>/nodes/<nodename>/servers/<servername>

After you find the name of your SSL repertoire in server.xml, make the necessary changes in a different file, security.xml, which contains the settings for each sslConfig.
For example, the settings for "myhost/DefaultSSLSettings" are in the <repertoire> tag:
<repertoire xmi:id="SSLConfig_1" alias="myhost/DefaultSSLSettings">
<setting xmi:id="SecureSocketLayer_1"
keyFileName="${USER_INSTALL_ROOT}/etc/DummyServerKeyFile.jks"
keyFilePassword="{xor}Lz4sLCgwLTs=" keyFileFormat="JKS"
trustFileName="/usr/WebSphere5/AppServer1/etc/DummyServerTrustFile.jks"
trustFilePassword="{xor}Lz4sLCgwLTs=" trustFileFormat="JKS"
clientAuthentication="false" securityLevel="HIGH"
enableCryptoHardwareSupport="false">

The keyFilePassword and trustFilePassword shown above must match the actual passwords in the associated *.jks files, or the error message "keystore was tampered with" will occur.


Note: security.xml is located in <install_root>/config/cells/<cellname>

 
Resolving the problem
The keyFilePassword and trustFilePassword in security.xml are encoded, so it's not possible to tell what the password really is by looking at the security.xml file.
If using the unaltered default key files and trust files (dummy files) that were shipped with WebSphere, and you are certain that no one has changed the passwords from "WebAS", then do the following to resolve the problem:
  1. Stop WebSphere
  2. Make a backup copy of security.xml
  3. Open security.xml in a text editor and edit keyFilePassword and trustFilePassword to "{xor}CDo9Hgw=". Leave security disabled for now.
  4. Save the changes to security.xml and start the server.
  5. If the server starts and you can open the console, you can then mark the box to enable security and restart WebSphere.

If you are not using the default key files and trust files or the password is not the default "WebAS" password, then do the following to reset the security.xml file correctly.
  1. Stop dmgr and all nodes
  2. Change the first occurrence of "enabled=true" in security.xml to "enabled=false"
  3. If you are running Network Deployment edition, make the change in the deployment manager security.xml; otherwise make the change in the AppServer security.xml.
  4. Restart WebSphere dmgr or appserver
  5. Enable global security from the admin console and apply the change.
  6. This will confirm that the passwords you are using are correct.
  7. Stop WebSphere
  8. Restart WebSphere to complete the re-enablement of security.
  9. Synchronize all changes with the nodes.
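
The following is an added example, not IBM code: it checks offline whether the {xor} passwords configured in a repertoire actually open the referenced JKS files, using the same keyed SHA-1 integrity check that produces "Keystore was tampered with, or password was incorrect". It assumes that {xor} means "XOR each byte with '_' and then Base64" (consistent with "WebAS" and "{xor}CDo9Hgw=" above) and that the JKS file ends with a SHA-1 digest over the password, the string "Mighty Aphrodite" and the store contents; the function names, the simplified XML fragment and the in-memory sample stores are constructed for illustration.

```python
import base64, hashlib, struct
import xml.etree.ElementTree as ET

XOR_KEY = 0x5F  # assumption: {xor} means XOR each byte with '_' and then Base64

def xor_encode(plain):
    return "{xor}" + base64.b64encode(bytes(b ^ XOR_KEY for b in plain.encode())).decode()

def xor_decode(value):
    if not value.startswith("{xor}"):
        raise ValueError("not an {xor}-encoded value")
    return bytes(b ^ XOR_KEY for b in base64.b64decode(value[5:])).decode()

def jks_digest(password, body):
    # JKS integrity trailer: SHA-1(password as UTF-16BE + "Mighty Aphrodite" + body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def jks_password_ok(store, password):
    # False means "tampered with, or password was incorrect": the keyed hash
    # cannot tell a modified file from a wrong password.
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != 0xFEEDFEED:
        raise ValueError("not a JKS keystore")
    return jks_digest(password, store[:-20]) == store[-20:]

def make_empty_jks(password):
    # Constructed sample store: magic, version 2, zero entries, then the digest.
    body = struct.pack(">III", 0xFEEDFEED, 2, 0)
    return body + jks_digest(password, body)

def check_repertoires(security_xml, stores):
    # Returns {"alias:keyFile" | "alias:trustFile": bool} for every repertoire.
    results = {}
    for rep in ET.fromstring(security_xml).iter("repertoire"):
        setting = rep.find("setting")
        for kind in ("keyFile", "trustFile"):
            password = xor_decode(setting.get(kind + "Password"))
            store = stores[setting.get(kind + "Name")]
            results[rep.get("alias") + ":" + kind] = jks_password_ok(store, password)
    return results

# Constructed, simplified security.xml fragment (xmi attributes omitted).
SAMPLE_XML = """<security><repertoire alias="myhost/DefaultSSLSettings">
  <setting keyFileName="key.jks" keyFilePassword="{xor}CDo9Hgw="
           trustFileName="trust.jks" trustFilePassword="{xor}Lz4sLCgwLTs="/>
</repertoire></security>"""
SAMPLE_STORES = {"key.jks": make_empty_jks("WebAS"), "trust.jks": make_empty_jks("WebAS")}

if __name__ == "__main__":
    for name, ok in check_repertoires(SAMPLE_XML, SAMPLE_STORES).items():
        print(name, "OK" if ok else "MISMATCH: password wrong or store modified")
```

Against real files, the stores dictionary would hold the bytes of each *.jks file read after expanding ${USER_INSTALL_ROOT}. Because {xor} is a reversible encoding, security.xml needs the same file-system protection as the key files themselves.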
 
 
Cross Reference information
Segment: Application Servers
Product: Runtimes for Java Technology
Component: Java SDK
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): Windows
Software version: 5.1.1
Software edition:
Reference #: 1173404
IBM Group: Software Group
Modified date: Feb 6, 2006