NVE: keytool reports Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

Summary: Using the java keytool utility on a NetWorker Virtual Edition (NVE) appliance reports "Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40"

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

The Java keytool utility is used to manage certificates used by various NetWorker services.
Using the keytool command on a NetWorker Virtual Edition (NVE) appliance reports the following error:

keytool error: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

Example:

nve:~/certs # keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12
Importing keystore /tmp/nve.saml.authc.p12 to /nsr/authc/conf/authc.keystore...
Enter destination keystore password:
Enter source keystore password:
keytool error: java.lang.SecurityException: Algorithm not allowable in FIPS140 mode: PBE/PKCS12/SHA1/RC2/CBC/40

Cause

The keytool command is being pulled from the /usr/bin path, which is symbolically linked to an Oracle Java install.

nve:~ # ls -lrt /usr/bin/keytool
lrwxrwxrwx 1 root root 25 May 31  2024 /usr/bin/keytool -> /etc/alternatives/keytool
nve:~ #
nve:~ # ls -lrt /etc/alternatives/keytool
lrwxrwxrwx 1 root root 49 Oct 25 11:13 /etc/alternatives/keytool -> /usr/lib/jvm/jre-1.8.0_421-oracle-x64/bin/keytool


The error is not observed when using the NetWorker Runtime Environment (NRE) java keytool utility:

nve:~ # ls -lrt /opt/nre/java/latest/bin/keytool 
-rwxr-xr-x 1 root root 8840 Oct 26 21:04 /opt/nre/java/latest/bin/keytool

nve:~/certs # /opt/nre/java/latest/bin/keytool -importkeystore -destkeystore /nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12
Importing keystore /tmp/nve.tomcat.authc.p12 to /nsr/authc/conf/authc.keystore...
Enter destination keystore password:
Enter source keystore password:
Existing entry alias emcauthctomcat exists, overwrite? [no]:  y
Entry for alias emcauthctomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Resolution

When using keytool on NVE, ensure to specify the full path to the NetWorker Runtime Environment (NRE) keytool utility:

/opt/nre/java/latest/bin/keytool OPTIONS

Additional Information

NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "Authc" and "NWUI" (Linux)
NetWorker: How to configure "AD over SSL" (LDAPS) from The NetWorker Web User Interface (NWUI)

Affected Products

NetWorker

Products

NetWorker Family
Article Properties
Article Number: 000270468
Article Type: Solution
Last Modified: 16 Dec 2025
Version:  3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.