Ranger error "Keystore was tampered with, or password was incorrect"

New Contributor

Hi, we get the following Ranger error - maybe you can help me to fix it as soon as possible?! (We activated MIT Kerberos). Thanks in advance!

How can I check that the password of the keystore file is correct? And where can I change it?

Feb 17, 2020 4:29:56 PM org.apache.ranger.server.tomcat.EmbeddedServer start
INFO: Provided Kerberos Credential : Principal = rangeradmin/pdeluh0004392.hub.deluh.example.com@RDDL.PROD.EXAMPLE.COM and Keytab = /etc/security/keytabs/rangeradmin.service.keytab
Feb 17, 2020 4:29:56 PM org.apache.ranger.server.tomcat.EmbeddedServer$1 run
INFO: Starting Server using kerberos credential
Feb 17, 2020 4:29:57 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-6182"]
Feb 17, 2020 4:29:57 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-6182"]
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:785)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:497)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:381)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:654)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:594)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:539)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:255)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:728)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:452)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:560)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:840)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:135)
at org.apache.catalina.startup.Tomcat.start(Tomcat.java:370)
at org.apache.ranger.server.tomcat.EmbeddedServer.startServer(EmbeddedServer.java:271)
at org.apache.ranger.server.tomcat.EmbeddedServer.access$100(EmbeddedServer.java:44)
at org.apache.ranger.server.tomcat.EmbeddedServer$1.run(EmbeddedServer.java:253)
at org.apache.ranger.server.tomcat.EmbeddedServer$1.run(EmbeddedServer.java:249)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.Subject.doAs(Subject.java:360)
at org.apache.ranger.server.tomcat.EmbeddedServer.start(EmbeddedServer.java:249)
at org.apache.ranger.server.tomcat.EmbeddedServer.main(EmbeddedServer.java:68)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:783)
... 30 more

4 REPLIES

Master Collaborator

To work further on this you need to verify the Ranger keystore and truststore password.

To do that, please use the below command.
keytool -list -keystore /Path/to/the/keystore

The above command will ask for the password; if you enter the right password it will show the data, otherwise it will not. You need to use the same configuration under the Ranger configuration.

Expert Contributor

It seems a wrong configuration/password is passed in the Ranger configuration, which is unable to open the keystore using the same.

$JAVA_HOME/bin/keytool -list -keystore <keystore path with .keystore.jks> -storepass <password>

Check with the above command if you are able to list the keystore contents using the password you pass above. Ensure the same is configured in the Ranger configuration.

Explorer

How can I enter/change the keystore password from the terminal?

Master Collaborator

@noekmc

Change the keystore password: Use the following command to change the keystore password:

keytool -storepasswd -keystore /path/to/keystore.jks
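
The password check the replies above describe, as an added example that is not part of the original thread: for a JKS-format store, loading the file means verifying a SHA-1 digest computed over the password and the file contents, which is why a single error message covers both a wrong password and a modified file. The function names and the empty sample store are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over UTF-16BE password + fixed salt + everything before the digest."""
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()


def check_jks(data: bytes, password: str) -> str:
    """Apply the JKS integrity check to the raw bytes of a keystore file."""
    # Header is magic + version + entry count (12 bytes), trailer is 20 bytes.
    if len(data) < 32 or struct.unpack(">I", data[:4])[0] != JKS_MAGIC:
        return "not-jks"  # different store type, not a password problem
    body, stored = data[:-20], data[-20:]
    if hmac.compare_digest(jks_digest(password, body), stored):
        return "ok"
    # One digest covers both causes, so they cannot be told apart here.
    return "bad-password-or-modified"


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a valid JKS version 2 store with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


if __name__ == "__main__":
    import getpass
    import sys

    # Usage: python check_jks.py /path/to/keystore.jks
    with open(sys.argv[1], "rb") as fh:
        print(check_jks(fh.read(), getpass.getpass("Keystore password: ")))
```

Reading the password with `getpass` keeps it out of shell history and the process list, unlike passing it with `-storepass <password>` on the command line.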