DPA: Want to change the Data Protection Advisor application keystore password
Summary: Want to change the Data Protection Advisor (DPA) application keystore password.
Symptoms
I would like to change the Data Protection Advisor (DPA) keystore password. Can this be done?
In some environments, to adhere to security requirements, it may be necessary to modify or set the DPA keystore password.
Cause
The password for the DPA keystore can be changed by the administrator of the environment and installation.
Resolution
Before performing this configuration change, ensure that all the steps have been reviewed and understood completely. Performing the steps incorrectly (for example, a typing mistake) can leave the DPA application unable to start or the DPA UI inaccessible over an HTTPS connection.
To change the password of the DPA keystore, perform the following steps.
- Log in to the DPA application server as root (Linux) or administrator (Windows).
- If the server is Windows based, open a Command Prompt window.
- Browse to the directory /opt/emc/dpa/services/standalone/configuration. The path may vary if DPA was not installed to the default path.
- This directory should contain the following two files:
  - apollo.keystore
  - standalone.xml
- Before proceeding further, make copies of these two files and save them to a safe location.
  NOTE: If there are any mistakes or issues with the DPA application after this procedure, the original files can be restored, which returns the configuration to its previous state. If copies of the original files are not saved and a mistake leads to the DPA application not starting or the DPA UI being inaccessible over HTTPS, there is no way to recover other than reinstalling the DPA application.
- List the contents of apollo.keystore with the following command:
  /opt/emc/dpa/services/_jre/bin/keytool -list -keystore apollo.keystore
- Enter the apollo.keystore password when prompted (the default apollo.keystore password is "apollo"). The output of the command looks similar to the following:
  Enter keystore password:
  Keystore type: JKS
  Keystore provider: SUN

  Your keystore contains 2 entries

  apollokey, Jul 22, 2013, PrivateKeyEntry,
  Certificate fingerprint (SHA1): 22:97:5A:5D:54:6A:55:43:FE:58:0A:74:89:35:01:86:BC:D1:E1:05
  mykeyalias, Nov 17, 2018, PrivateKeyEntry,
  Certificate fingerprint (SHA1): DF:7E:C1:F0:75:34:AD:84:D5:58:A7:C4:06:EA:36:64:4C:29:BC:25
- The output shows that the keystore currently contains two (2) PrivateKeyEntry key-aliases, "apollokey" and "mykeyalias". Typically the keystore has one or two of these entries, but it can have more. Take note of the names of all PrivateKeyEntry key-aliases contained in the keystore.
- Changing the password of a keystore requires that every PrivateKeyEntry key-alias in the keystore also has its password changed to match the keystore password. The order does not matter: you can change the keystore password first or the key-alias passwords first.
- To change the password for apollo.keystore, use the following command:
  /opt/emc/dpa/services/_jre/bin/keytool -storepasswd -keystore apollo.keystore
- This command first prompts for the current apollo.keystore password, then for the new keystore password, and finally asks you to re-enter the new keystore password:
  Enter keystore password:
  New keystore password:
  Re-enter new keystore password:
- Verify that the keystore password has changed as expected by listing the contents of apollo.keystore again with the following command (entering the new password when prompted). The output should be identical to the previous run of the command.
  /opt/emc/dpa/services/_jre/bin/keytool -list -keystore apollo.keystore
- Next, change the passwords for the key-aliases. The command for changing a single key-alias password is:
  /opt/emc/dpa/services/_jre/bin/keytool -keypasswd -keystore apollo.keystore -alias apollokey
  NOTE: Again, the new key-alias password must match the new password for the keystore.
- This command first prompts for the current apollo.keystore password. After that, there are two possible output variations.
  First variation:
  Enter keystore password:
  New key password for <apollokey>:
  Re-enter new key password for <apollokey>:
  Second variation:
  Enter keystore password:
  Enter key password for <apollokey>
  New key password for <apollokey>:
  Re-enter new key password for <apollokey>:
- In the first variation, enter the new key-alias password and re-enter it. In the second variation, first enter the current key-alias password, then the new key-alias password, and then re-enter it. Typically the current key-alias password is the keystore's original password (the default apollo.keystore password is "apollo").
- This command must be run for every PrivateKeyEntry key-alias in the keystore. In this example, that means running it for both apollokey and mykeyalias.
- Next, the key-alias password setting in the DPA application's configuration file, standalone.xml, must be changed to the new password.
- Edit the standalone.xml file with a text editor such as "vi" or "Notepad".
- Browse to the following line, which should be located towards the end of the file. Searching for "password" or "ssl" is one way to navigate there quickly.
  <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2" verify-client="false"/>
- Modify the password on this line to match the new password you have set for the keystore and key-aliases. For example, if the new password is "my1Pass00", then the modified line looks like this:
  <ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="my1Pass00" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" cipher-suite="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2" verify-client="false"/>
- Save the standalone.xml file.
- Restart the DPA application.
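The following POSIX shell script is an added example, not part of the Dell article or the DPA product, that wraps the whole procedure above: it backs up both files, changes the keystore password, discovers every PrivateKeyEntry alias from the keytool listing so none is missed, changes each key-alias password to match, and rewrites only the password attribute of the <ssl> element in standalone.xml. The DPA_CONF and KEYTOOL defaults are the paths named in the article; the function names, the use of keytool's non-interactive -storepass/-keypass/-new options, the assumption that the current key-alias password equals the old keystore password, and the sample keytool output and <ssl> line (with made-up fingerprints and a trimmed cipher list) are all the example's own.

```shell
#!/bin/sh
# Added example, not from the Dell KB article. Helpers for the DPA keystore
# password change. DPA_CONF and KEYTOOL default to the paths in the article;
# everything else (function names, sample data) is an assumption of this example.
set -u

DPA_CONF="${DPA_CONF:-/opt/emc/dpa/services/standalone/configuration}"
KEYTOOL="${KEYTOOL:-/opt/emc/dpa/services/_jre/bin/keytool}"

# Constructed sample of "keytool -list" output; fingerprints are made up.
SAMPLE_LIST='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

apollokey, Jul 22, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
mykeyalias, Nov 17, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# Constructed sample <ssl> line from standalone.xml (cipher list trimmed).
SAMPLE_SSL='<ssl name="ssl" key-alias="${apollo.keystore.alias:apollokey}" password="apollo" certificate-key-file="${jboss.server.config.dir}/apollo.keystore" verify-client="false"/>'

# Print the alias of every PrivateKeyEntry in "keytool -list" output read from
# stdin, one per line. keytool prints "<alias>, <date>, PrivateKeyEntry," so the
# alias is the first comma-separated field. Aliases containing ", " are not handled.
private_key_aliases() {
    awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Rewrite the password="..." attribute on the <ssl .../> line read from stdin
# and write the result to stdout. Only lines containing "<ssl " are touched, so
# other password attributes in standalone.xml stay as they are. Characters that
# would change the sed expression or break the XML attribute are refused.
set_ssl_password() {
    new="$1"
    case "$new" in
        *['"&/\<']*|'')
            echo "set_ssl_password: unsupported character or empty password" >&2
            return 1 ;;
    esac
    sed "/<ssl /s/password=\"[^\"]*\"/password=\"${new}\"/"
}

# Live procedure (assumed usage: change_dpa_keystore_password OLD NEW).
# Passwords are passed on the keytool command line, so run this from a shell
# without history on a host where other users cannot read process lists.
change_dpa_keystore_password() {
    old="$1"; new="$2"
    ks="$DPA_CONF/apollo.keystore"; xml="$DPA_CONF/standalone.xml"
    stamp=$(date +%Y%m%d%H%M%S)
    # Step 1: back up both files (the article's only recovery path).
    cp -p "$ks" "$ks.$stamp.bak" || return 1
    cp -p "$xml" "$xml.$stamp.bak" || return 1
    # Step 2: change the keystore password.
    "$KEYTOOL" -storepasswd -keystore "$ks" -storepass "$old" -new "$new" || return 1
    # Step 3: change every PrivateKeyEntry password to match the keystore.
    # Assumes each key's current password is the old keystore password.
    for alias in $("$KEYTOOL" -list -keystore "$ks" -storepass "$new" | private_key_aliases); do
        "$KEYTOOL" -keypasswd -keystore "$ks" -storepass "$new" \
            -alias "$alias" -keypass "$old" -new "$new" || return 1
    done
    # Step 4: update the <ssl> password attribute from the backup copy.
    set_ssl_password "$new" < "$xml.$stamp.bak" > "$xml" || return 1
    # Step 5: final check that the keystore opens with the new password.
    "$KEYTOOL" -list -keystore "$ks" -storepass "$new" > /dev/null
}

# Only touch the real keystore when explicitly asked: ./script.sh --run OLD NEW
if [ "${1:-}" = "--run" ]; then
    change_dpa_keystore_password "$2" "$3"
fi
```

Restart the DPA application afterwards, as in the article. If the final keytool listing fails, copy the two .bak files back over apollo.keystore and standalone.xml before restarting.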
Contact Dell Technical Support for more information or assistance.