Security Scan shows: Certificate Trust Store (Java) Uses Default or Weak Password Details
Symptoms
The security scan provided by BladeLogic reported the following for the Data Protection Advisor (DPA) Application server:
Certificate Trust Store (Java) Uses Default or Weak Password Details:
Directory Permissions: -rwxrwxr-x
Directory Owner: apollosuperuser
Directory Owner Group: dpaservices
Technical Detail: /app/emc/dpa/services/_jre/lib/security/cacerts
Cause
The cacerts trust store was still using its default password, which is not strong enough.
Resolution
To set a stronger password, both the cacerts trust store password and its alias password were changed using the following steps.
On the Application server:
1. cd "C:\Program Files\EMC\DPA\services_jre\bin"
2. Change the cacerts trust store password with the following command.
keytool.exe -storepasswd -keystore "C:\Program Files\EMC\DPA\services_jre\lib\security\cacerts"
Note: the old password is "changeit". Enter the new password when prompted.
3. Add the line below, with the new password, at the end of the file C:\Program Files\EMC\DPA\services_jre\lib\security\java.security:
javax.net.ssl.trustStorePassword=<new password>
4. Change the cacerts alias password with the command below.
keytool.exe -keypasswd -keystore "C:\Program Files\EMC\DPA\services_jre\lib\security\cacerts" -storepass PASSWORD -alias <cacerts alias> -keypass changeit -new PASSWORD
Where PASSWORD is the new password created in step 2.
5. Restart the DPA Application.
For additional security, the cacerts file permissions were also changed to 444.
After these changes, the Security Scan software no longer detected the security alert.
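To confirm the result independently of the scanner, the check below tests whether a trust store still validates with the default password "changeit". It is an added example, not Dell's or the scan product's code; it assumes the cacerts file is in JKS format, and the function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
DEFAULT_PASSWORD = "changeit"  # default cacerts password named in the article


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 integrity digest that a JKS store appends after its contents."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))  # two bytes per password character
    h.update(b"Mighty Aphrodite")           # fixed constant in the JKS format
    h.update(body)
    return h.digest()


def opens_with(store: bytes, password: str) -> bool:
    """True if `password` validates the store's trailing integrity digest."""
    if len(store) < 12 + 20:
        raise ValueError("too short to be a JKS store")
    magic, version, _count = struct.unpack(">III", store[:12])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS store (PKCS12 or another format?)")
    body, stored = store[:-20], store[-20:]
    return hmac.compare_digest(jks_digest(password, body), stored)


def uses_default_password(store: bytes) -> bool:
    """The condition to re-check after step 2: does 'changeit' still work?"""
    return opens_with(store, DEFAULT_PASSWORD)


def make_empty_store(password: str) -> bytes:
    """Constructed sample input: a version-2 JKS store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # path to a real cacerts file
        with open(sys.argv[1], "rb") as f:
            data = f.read()
    else:                                       # constructed sample
        data = make_empty_store(DEFAULT_PASSWORD)
    print("default password still in use:", uses_default_password(data))
```

In a JKS store the password only keys this integrity digest; trusted certificate entries are not encrypted, so the read-only file permissions set above remain part of protecting the file.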
Additional Information
The cacerts file is not the keystore (apollo.keystore) that DPA typically uses, which is located in /opt/emc/dpa/services/standalone/configuration. Instead, cacerts is a separate trust store (keystore) that contains a collection of trusted certificate authority (CA) certificates. Oracle includes the cacerts file with its SSL support in the Java™ Secure Socket Extension (JSSE) tool kit and JDK.
For its current self-signed certificate, DPA does not rely on the trust store. However, DPA may rely on this trust store when accessing third-party remote endpoints (for example, ESRS, backup applications, or databases). If the certificate of the remote application is signed by a CA, it is verified against this trust store.
Products
Data Protection Advisor
Article Properties
Article Number: 000168756
Article Type: Solution
Last Modified: 25 Apr 2025
Version: 3