Invalid keystore password or keystore password was incorrect

Product: Radiant One FID

Version: All recent versions with either internal zookeeper or external zookeeper ensemble.

Definitions:

Keystore: Secure storage for cryptographic keys and certificates.
VDSUtility.exe: (.sh for Linux) Utility for encrypting sensitive password values for Radiant One configurations.
serverCertKeyPassword: Zookeeper property for managing certificate key password at node level.
Keytool: Radiant One utility tool.
InstanceManager.exe: (.sh for Linux) VDS Instance Manager command line utility.

Purpose:

This KB article guides users through resolving Jetty SSL keystore password errors in Radiant One FID, including workarounds if the standard procedure fails. It especially addresses cases where password mismatches persist after keystore configuration and shows how to correct them at the Zookeeper node property level.

Procedure:

Standard Steps

  1. Verify Password Equivalence
    • Run the command to ensure keystore and certificate key passwords match:

      keytool -keypasswd -keystore <rli.keystore location> -storepass <password> -alias rli -keypass <password>
      
      The keystore password (-storepass) and the certificate key password (-keypass) must be the same.
    • If you encounter:

      keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

      The passwords do not match—ensure both passwords are correct.

  2. Encrypt Correct Password
    • Use the utility:
      radiantone\vds\bin>VDSUtility.exe
    • Select option 9 and enter the correct certificate password to generate an encrypted value e.g., {AES}kkn3uio71r7O02oGk0rLE0nolKdT|/CIaF327IQ6x8ZXdECINmEJG/wgAKwU8OcnnebNx+Rv/
  3. Update Jetty SSL Keystore Password
    • Modify radiantone\vds\vds_server\conf\jetty\config.properties. Save the config.properties file after the change.

      jetty.ssl.keystore.password={AES}kkn3uio71r7O02oGk0rLE0nolKdT|/CIaF327IQ6x8ZXdECINmEJG/wgAKwU8OcnnebNx+Rv/
  4. Update or correct Keystore Password
    • For keystore or JKS types of certificates, run the following command:
       

      instanceManager.exe -u -n vds_server -F <RLI_HOME>\vds_server\conf\keystorename.keystore -t JKS -P <Keystore Password>
      
      e.g., instanceManager.exe -u -n vds_server -F C:\RadiantOne\vds\vds_server\conf\manufid.keystore -t JKS -P mypassword123
    • For PKCS12 types of certificates, run the following command:
       

      instanceManager.exe -u -n vds_server -F C:\RadiantOne\vds\vds_server\conf\keystorename.pfx -t PKCS12 -P <Keystore Password>
      
      e.g., instanceManager.exe -u -n vds_server -F C:\RadiantOne\vds\vds_server\conf\manufid.pfx -t PKCS12 -P mypassword123
  5. Restart the Node
    • Restart Radiant One FID. Control Panel should become available and the VDS server should start successfully.
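
Step 1's check, as an added example (not part of the original article and not Radiant One code): a POSIX shell function that tells a wrong keystore password apart from a private key whose password differs from the keystore password, without modifying the keystore. It assumes keytool is on the PATH and that the candidate password is exported in an environment variable named KS_PASS; that variable name and the function name check_keystore are made up for this example.

```shell
#!/bin/sh
# Added example (not Radiant Logic code). Assumes keytool is on PATH and the
# candidate password is exported in KS_PASS, so it never appears in argv.
# Usage: KS_PASS='...'; export KS_PASS; check_keystore <file> <JKS|PKCS12> [alias]
# Return codes:
#   0  keystore password and key password both equal $KS_PASS
#   1  keystore does not open with $KS_PASS (wrong password or damaged file)
#   2  keystore opens, but the alias is not present
#   3  keystore opens, but the private key uses a different password
check_keystore() {
    ks=$1
    kstype=$2
    entry=${3:-rli}        # "rli" is the alias used by the command on this page

    # Keystore password: -list only needs the store password.
    keytool -list -keystore "$ks" -storetype "$kstype" \
        -storepass:env KS_PASS >/dev/null 2>&1 || return 1

    # Alias: a missing entry would otherwise look like a key password problem.
    keytool -list -keystore "$ks" -storetype "$kstype" \
        -storepass:env KS_PASS -alias "$entry" >/dev/null 2>&1 || return 2

    # Key password: copying the entry forces keytool to decrypt the private
    # key with -srckeypass. The copy goes to a private temp dir and is deleted.
    probe=$(mktemp -d) || return 1
    if keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype "$kstype" \
        -srcstorepass:env KS_PASS -srcalias "$entry" -srckeypass:env KS_PASS \
        -destkeystore "$probe/copy.p12" -deststoretype PKCS12 \
        -deststorepass:env KS_PASS >/dev/null 2>&1
    then rc=0
    else rc=3
    fi
    rm -rf "$probe"
    return "$rc"
}
```

A return code of 1 means the password you are about to encrypt in step 2 is not the keystore password; 3 means the key password still has to be aligned with the keystore password as step 1 describes.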

If Standard Steps Fail

If, after following the standard steps, you still see errors such as the following, apply one of the corrective actions below:

ERROR com.rli.slapd.server.aa:850 - The secure SSL/TLS channel is set but the settings fails to initialize it:
java.io.IOException: java.lang.Exception: Failed in loading keystore: java.io.IOException: keystore password was incorrect

 

A- Corrective Action via Zookeeper Control Panel 

  1. Access Zookeeper Node Properties
    • Navigate to any node, open Control Panel > Zookeeper Tab.
    • Path: /radiantone/v2/[clustername]/nodes/registry/[cloudID of node].
  2. Update "serverCertKeyPassword" Property
    • Find the property serverCertKeyPassword. Click Edit mode.
    • Update it with the correct encrypted password (using the output from VDSUtility.exe, option 9). 
      e.g.

      "serverCertKeyPassword" : "{AES}q7HRX|LAsqu5y7tHzi4+nymaU9yL60WegDlo/4MciunfbSj1PwTM+WAlQovvqPqe/a+9O4zz/",
    • Save.
  3. Restart FID Services
    • After updating, restart the FID node.

After implementing this corrective action, Control Panel should become available and the VDS server should start successfully.

B- Corrective Action via Zookeeper Inspector

NOTE: If you are using an external Zookeeper ensemble, first follow the guide "How to run ZooInspector on External Zookeeper Architectures" to run Zookeeper Inspector, and then follow these steps.

  1. Access Zookeeper Node Properties
    • Navigate to any node, open Zookeeper Inspector by running <RLI_HOME>\apps\zookeeper\contrib\ZooInspector\run.cmd (run.sh for Linux)
    • Once the application is open, click the play button. In the connection settings, enter the admin password (the Zookeeper admin password set up during the FID installation steps) in Authentication Data.
    • When connected, go to path: /radiantone/v2/[clustername]/nodes/registry/[cloudID of node].
  2. Update "serverCertKeyPassword" Property
    • Find the property serverCertKeyPassword.
    • Update it with the correct encrypted password (using the output from VDSUtility.exe, option 9).
      e.g.

      "serverCertKeyPassword" : "{AES}q7HRX|LAsqu5y7tHzi4+nymaU9yL60WegDlo/4MciunfbSj1PwTM+WAlQovvqPqe/a+9O4zz/",
    • Click the Save button.
    • Confirm to save.
  3. Restart FID Services
    • After updating, restart the FID node.

After implementing this corrective action, Control Panel should become available and the VDS server should start successfully.
