Security Scan shows: Certificate Trust Store (Java) Uses Default or Weak Password Details

Summary: A security scan flagged the Java trust store (cacerts) on the DPA server for still using the default password "changeit" and for permissive file permissions, creating a credential exposure risk.


Symptoms

The security scan provided by BladeLogic reported the following for the Data Protection Advisor Application server:

Certificate Trust Store (Java) Uses Default or Weak Password Details:
Directory Permissions: -rwxrwxr-x
Directory Owner: apollosuperuser
Directory Owner Group: dpaservices
Technical Detail: /app/emc/dpa/services/_jre/lib/security/cacerts


Cause

The cacerts trust store was still protected by the default password "changeit" that ships with every JDK and JRE, so the password offered no protection, and the file mode reported by the scan (-rwxrwxr-x) left the file writable by the dpaservices group.


Resolution

To clear the finding, the cacerts trust store password was changed from the default, and the password of the store's key entry was changed to match, using the steps below. The commands are written for a Windows installation; on the scanned server the same keytool binary lives under the _jre directory shown in the finding (/app/emc/dpa/services/_jre/bin/keytool) and the trust store is /app/emc/dpa/services/_jre/lib/security/cacerts.

On the Application server:

  1. cd "C:\Program Files\EMC\DPA\services\_jre\bin"
  2. Change the cacerts trust store password with the following command.

    keytool.exe -storepasswd -keystore "C:\Program Files\EMC\DPA\services\_jre\lib\security\cacerts"
    Note: The old password is "changeit". Enter the new password when prompted; keytool requires at least six characters.
  3. Add the new line below, with the new password, at the end of the file C:\Program Files\EMC\DPA\services\_jre\lib\security\java.security:

    javax.net.ssl.trustStorePassword=<new password>
    Note: This line stores the new password in clear text, so restrict java.security so that only the DPA service account can read it.
  4. Change the password of the cacerts key entry with the command below.

    keytool.exe -keypasswd -keystore "C:\Program Files\EMC\DPA\services\_jre\lib\security\cacerts" -storepass PASSWORD -alias <cacerts alias> -keypass changeit -new PASSWORD

    Where PASSWORD is the new password created in step 2. Only an alias that keytool -list reports as a PrivateKeyEntry has a key password; the trusted CA entries (trustedCertEntry) that make up a standard cacerts have none, and keytool rejects -keypasswd for them. Omitting -storepass, -keypass and -new makes keytool prompt for the values instead of leaving them in the command history.

  5. Restart the DPA Application service.

For additional security, the cacerts file mode was also changed to 444 (chmod 444), replacing the -rwxrwxr-x reported by the scan. The JVM only needs read access to the trust store at run time, and removing write access for the group and everyone else closes the tampering path that accompanied the weak password. Any later keytool change to the file requires write access to be restored first.

After these changes, the security scan no longer reported the finding.
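As an added example, not part of the original article and not DPA's or the scanner's own code, the check below reproduces what a scanner tests when it reports "Uses Default or Weak Password", and what the password change in step 2 actually alters. For a JKS file the store password is not stored anywhere and encrypts nothing; it only enters the file through the trailing 20-byte SHA-1 integrity digest that the JDK computes over the password (as UTF-16BE), the fixed string "Mighty Aphrodite" and every byte before the digest. Recomputing that digest with "changeit" proves the default is still in use, and re-signing the body under a new password is the integrity-digest part of what keytool -storepasswd rewrites. The sample store built in-line is a constructed empty JKS, not a real cacerts; the function names and the candidate password list are the example's own. Run it with a file path (for example the cacerts path from the scan finding) to check a real trust store.

```python
"""Check whether a Java JKS trust store (such as cacerts) is still protected by a
default password, and re-sign it under a new one.

A JKS store's password is not stored in the file and encrypts nothing. It only
enters the file through the trailing 20-byte SHA-1 integrity digest, computed by
the JDK's JavaKeyStore as
    SHA1(password as UTF-16BE || "Mighty Aphrodite" || every byte before the digest)
so a scanner can prove the password is "changeit" by recomputing that digest.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED                   # first 4 bytes of every JKS file
JKS_VERSION = 2
JKS_DIGEST_SALT = b"Mighty Aphrodite"    # fixed string the JDK mixes into the digest
DIGEST_LEN = 20                          # SHA-1 output size
DEFAULT_PASSWORDS = ("changeit", "changeme", "password")  # assumed scanner word list


def jks_integrity_digest(store_body: bytes, password: str) -> bytes:
    """Digest the JDK appends to a JKS file: password (UTF-16BE), salt, then the body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_DIGEST_SALT)
    h.update(store_body)
    return h.digest()


def is_jks(data: bytes) -> bool:
    """True for a JKS file: magic header plus room for the header and the digest."""
    return len(data) >= 12 + DIGEST_LEN and struct.unpack(">I", data[:4])[0] == JKS_MAGIC


def jks_password_matches(data: bytes, password: str) -> bool:
    """True if `password` verifies the store's integrity digest (i.e. is the store password)."""
    if not is_jks(data):
        # Newer JDKs ship cacerts as a password-less PKCS12 file; this check does not apply to it.
        raise ValueError("not a JKS keystore")
    body, stored_digest = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return jks_integrity_digest(body, password) == stored_digest


def find_weak_password(data: bytes, candidates=DEFAULT_PASSWORDS):
    """Return the first candidate that verifies the store, or None (what the scan finding asserts)."""
    for candidate in candidates:
        if jks_password_matches(data, candidate):
            return candidate
    return None


def rotate_jks_password(data: bytes, old_password: str, new_password: str) -> bytes:
    """Re-sign the store body under a new password after proving the old one.

    For a JKS file the store password exists only in the digest, so this is the
    integrity-digest part of what `keytool -storepasswd` rewrites; private key
    entries keep their own, separately encrypted key passwords and are untouched.
    """
    if not jks_password_matches(data, old_password):
        raise ValueError("old password does not verify; refusing to re-sign")
    if len(new_password) < 6:
        raise ValueError("keytool requires a store password of at least 6 characters")
    body = data[:-DIGEST_LEN]
    return body + jks_integrity_digest(body, new_password)


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a syntactically valid JKS with zero entries (not a real cacerts)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)  # magic, version, entry count
    return body + jks_integrity_digest(body, password)


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # e.g. python jks_check.py /app/emc/dpa/services/_jre/lib/security/cacerts
        with open(sys.argv[1], "rb") as f:
            store = f.read()
    else:
        store = build_empty_jks("changeit")  # offline demo on the constructed sample
    hit = find_weak_password(store)
    print("weak store password: %r" % hit if hit else "no default password matched")
```

Because the digest is the only place the password appears, the check is exact rather than heuristic: a store that verifies under "changeit" is still on the default, and one that verifies under the new password and no longer under "changeit" has been rotated. The check deliberately refuses non-JKS files, since the password-less PKCS12 cacerts shipped by newer JDKs has no store password to test.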


Additional Information

The cacerts file is not the keystore (apollo.keystore) that DPA normally uses, which is located in /opt/emc/dpa/services/standalone/configuration. cacerts is a separate trust store: a keystore holding a collection of trusted certificate authority (CA) certificates. Oracle ships the cacerts file with its SSL support in the Java™ Secure Socket Extension (JSSE) toolkit and with the JDK.

With its current self-signed certificate, DPA does not rely on this trust store. It may be consulted, however, when DPA connects to remote endpoints (for example ESRS, backup applications, or databases): if the remote application's certificate is signed by a CA, the certificate chain is validated against the CA certificates in this trust store.

Two properties of a JKS trust store are worth keeping in mind when judging the finding. The store password does not encrypt anything: the CA certificates are readable without it, and it only lets Java detect tampering through the integrity digest at the end of the file, and only when the password is supplied at load time (a trust store loaded with no password is accepted without the integrity check). Changing the default password therefore only helps together with the file-permission change, which stops an unprivileged local account from replacing or adding a CA certificate in the first place.


Products

Data Protection Advisor
Article Properties
Article Number: 000168756
Article Type: Solution
Last Modified: 06 February 2026
Version:  4