× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. JAVA400-L
  3. September 2023

Re: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

FYI: Java 17 is available on IBM i 7.4 and up. Now, I'm not sure if
you'll find it on the original media shipped with a system or if you'll
have to download it from ESS, but it's available.
https://www.ibm.com/support/pages/node/1117869

On Mon, Sep 11, 2023 at 12:31 PM James H. H. Lampert via JAVA400-L <
java400-l@xxxxxxxxxxxxxxxxxx> wrote:

Ladies and Gentlemen of Both Lists:

Last Friday evening, I ran into a problem updating SSL/TLS keystores on
two customer boxes, and spent three hours yesterday, finding the cause,
doping out a way to salvage the certs they'd paid for, and doping out a
solution to keep it from happening in the future.

It seems that with the new keystores (generated on my Mac, initially
created with Keytool, and then maintained with Keystore Explorer), they
were getting:

> Throwable occurred: java.io.IOException: Invalid keystore format
> at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> at java.security.KeyStore.load(KeyStore.java:414)

I put them back on their old keystores, and cycled Tomcat again, to get
them back up, and then spent three hours working the problem yesterday
(Sunday) afternoon.

It turns out that the default keytool on my new Mac is the one from Java
17. And the customer boxes are running Tomcat under much older JVMs,
because there's always a significant time lag before any given JVM makes
it to an IBM Midrange box.

So I was able to salvage one of the certs (and its CA reply, and its
chain) by moving the cert to a keystore generated on my *old* Mac (with
Java 8 as the default JVM), and then re-signing and re-chaining it in
KSE. And I tested the KS on our V6 box, to make *sure* it worked.

I then looked for a way, since my new Mac *has* a Java 8 JVM (it's just
not the default), to conveniently use that JVM's Keytool, and came up
with a wrapper BASH script to do the job. I tested the wrapper script by
using it to generate their new keystore.

Key takeaway (no pun intended) here: if you get an "Invalid keystore
format" in Tomcat (or presumably anything else that uses Java
Keystores), when generating a keystore on one box for use on another,
*look for a difference in JVM.*

--
JHHL
--
This is the Java Programming on and around the IBM i (JAVA400-L) mailing
list
To post a message email: JAVA400-L@xxxxxxxxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: https://lists.midrange.com/mailman/listinfo/java400-l
or email: JAVA400-L-request@xxxxxxxxxxxxxxxxxx
Before posting, please take a moment to review the archives
at https://archive.midrange.com/java400-l.


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.