NetWorker: java.io.IOException: Invalid keystore format
Summary: Unable to list or modify NetWorker AUTHC or NetWorker Web User Interface (NWUI) keystore files using java keytool.
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Symptoms
The NetWorker Authentication (AUTHC) server or NetWorker Web User Interface (NWUI) server include Java Runtime Environment (JRE). Typically this is facilitated using the NetWorker Runtime Environment (NRE).
Linux: /opt/nre/java/latest
Windows: C:\Program Files\NRE\java\jre#.#.#_###
NOTE: There is no "latest" symbolic link on Windows hosts. Depending on which NRE version is installed, the JRE path includes the JRE version included with the NRE version.
When using the keytool command to review NetWorker authc/NWUI keystore files, a java error appears:
[root@nsr bin]# keytool -list -keystore /nsr/authc/conf/authc.keystore Enter keystore password: keytool error: java.io.IOException: Invalid keystore format
This error appears even when running the keytool command directly from the NRE java bin directory.
NetWorker Server Keystore Files:
Linux:
-
/nsr/authc/conf/authc.keystore/nsr/authc/conf/authc.truststore/opt/nsr/authc-server/conf/authc.truststore/opt/nre/java/latest/lib/security/cacerts
Windows:
-
C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststoreC:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystoreC:\Program Files\NRE\java\jre##.#_###\lib\security\cacerts
NetWorker Web User Interface (NWUI) Files:
Linux:
-
/nsr/nwui/monitoring/app/conf/nwui.keystore/opt/nre/java/latest/cacerts
Windows:
-
C:\Program Files\EMC NetWorker\nwui\monitoring\app\conf\nwui.keystoreC:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
Cause
There is another version of Oracle Java Runtime Environment (JRE) installed on the host. The Oracle JRE installation is interfering with NRE.
Resolution
It is recommended to use the NetWorker Runtime Environment (NRE) with NetWorker applications. The NetWorker server's AUTHC installation log identifies what "Java Path" was used:
Linux:
/opt/nsr/authc-server/logs/install.log
[root@nsr ~]# cat /opt/nsr/authc-server/logs/install.log | grep "Java Path" Java Path Yes /opt/nre/java/latest Java Path Yes /opt/nre/java/latest Java Path Yes /opt/nre/java/latestWindows:
%LOCALAPPDATA%\Temp\NetWorker_YYYYMMDDHHmmSS_#_AuthC.log
JAVAHOME = C:\Program Files\NRE\java\jre1.8.0_471Alternatively, from an Administrative command prompt run:
echo %NSR_JAVA_HOME%
Or Administrative PowerShell prompt:
$env:NSR_JAVA_HOME
Example:
C:\Users\Administrator.NETWORKER>echo %NSR_JAVA_HOME% C:\Program Files\NRE\java\jre1.8.0_471 PS C:\Users\Administrator.NETWORKER> $env:NSR_JAVA_HOME C:\Program Files\NRE\java\jre1.8.0_471
Use a command-line variable to force keytool usage from NRE:
NOTE: These variables only apply to the current shell or prompt. Once the session is closed, they are cleared.
Linux:
keytool=/opt/nre/java/latest/bin/keytool
Example:
[root@nsr ~]# keytool=/opt/nre/java/latest/bin/keytool
Run all keytool commands using the variable:
[root@nsr ~]# $keytool Key and Certificate Management Tool Commands: -certreq Generates a certificate request -changealias Changes an entry's alias -delete Deletes an entry -exportcert Exports certificate -genkeypair Generates a key pair -genseckey Generates a secret key -gencert Generates certificate from a certificate request -importcert Imports a certificate or a certificate chain -importpass Imports a password -importkeystore Imports one or all entries from another keystore -keypasswd Changes the key password of an entry -list Lists entries in a keystore -printcert Prints the content of a certificate -printcertreq Prints the content of a certificate request -printcrl Prints the content of a CRL file -storepasswd Changes the store password of a keystore Use "keytool -command_name -help" for usage of command_name
Windows:
Use the NSR_JAVA_HOME to run commands from the NRE bin directory.
Command Prompt Example:
"%NSR_JAVA_HOME%\bin\keytool.exe" OPTIONS
PowerShell Example:
& "$env:NSR_JAVA_HOME\bin\keytool.exe" OPTIONS
Examples:
C:\Users\Administrator.NETWORKER>"%NSR_JAVA_HOME%\bin\keytool.exe" Key and Certificate Management Tool Commands: -certreq Generates a certificate request -changealias Changes an entry's alias -delete Deletes an entry -exportcert Exports certificate -genkeypair Generates a key pair -genseckey Generates a secret key -gencert Generates certificate from a certificate request -importcert Imports a certificate or a certificate chain -importpass Imports a password -importkeystore Imports one or all entries from another keystore -keypasswd Changes the key password of an entry -list Lists entries in a keystore -printcert Prints the content of a certificate -printcertreq Prints the content of a certificate request -printcrl Prints the content of a CRL file -storepasswd Changes the store password of a keystore Use "keytool -command_name -help" for usage of command_name ............................................................................................................................................................................. PS C:\Users\Administrator.NETWORKER> & "$env:NSR_JAVA_HOME\bin\keytool.exe" Key and Certificate Management Tool Commands: -certreq Generates a certificate request -changealias Changes an entry's alias -delete Deletes an entry -exportcert Exports certificate -genkeypair Generates a key pair -genseckey Generates a secret key -gencert Generates certificate from a certificate request -importcert Imports a certificate or a certificate chain -importpass Imports a password -importkeystore Imports one or all entries from another keystore -keypasswd Changes the key password of an entry -list Lists entries in a keystore -printcert Prints the content of a certificate -printcertreq Prints the content of a certificate request -printcrl Prints the content of a CRL file -storepasswd Changes the store password of a keystore Use "keytool -command_name -help" for usage of command_name
If NetWorker uses the NetWorker Runtime Environment (NRE) and another Oracle Java Runtime Environment (JRE) is installed, remove the Oracle JRE package.
Linux:
WARNING: If the server is a NetWorker Virtual Edition (NVE), do not remove the Oracle JRE package.
- Check for another JRE install, the following commands can be used; however, consult with your Linux system administrator:
rpm -qa --last | grep jre find / -name java -type f
/opt/nre/java/jreX is the NetWorker Runtime Environment; however, other packages may appear:
/etc/alternatives /usr/bin/java /usr/lib/jreX
- If another JRE package is installed, consult with the Linux System Administrator if it can be removed.
rpm -e package_name
Windows:
- Open Windows Control Panel -> Programs and Features.
- Review the list for an Oracle Java Runtime Environment package (excluding NetWorker Runtime Environment).
- If Oracle Java Runtime Environment is installed, consult with the Windows System Administrator if it can be removed.
- Uninstall the Oracle Java Runtime Environment from the system.
- Open a new command prompt session to run keytool commands once Oracle JRE has been removed.
Additional Information
- NetWorker: How To Identify Which Server is the Authentication Server Used By NMC and NWUI
- NetWorker: How To configure LDAPS Authentication
- NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Linux)
- NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Windows)
Affected Products
NetWorkerProducts
NetWorker FamilyArticle Properties
Article Number: 000297934
Article Type: Solution
Last Modified: 23 Feb 2026
Version: 3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.