KB Article #180327

How to manually update EBICS Gateway certificates after PassPort 2019 certificate renewal?

Problem

How to manually update EBICS Gateway certificates after PassPort 2019 certificate renewal?



Resolution

Here are the steps required to upgrade the PassPort root certificate that was qualified on EBICS Gateway 3.4.

You can make the modifications on the EBICS Gateway side, without causing any harm, long before making changes on the PassPort side. However, by the time PassPort is upgraded and started, EBICS Gateway must already have been modified; otherwise it will not behave correctly.


On the EBICS Gateway side:

  1. Stop EBICS Gateway.


On the PassPort side:

  1. Stop PassPort.
  2. Upgrade PassPort to 4.6.0 SP19 or SP20.
  3. Restart PassPort.

On the EBICS Gateway side:

  1. Back up the folder /data/conf/passport
  2. Inside this folder, rename the certificate stored under the alias passportca in passport_truststore.jks to any other alias.
    You can use any tool, such as keytool: keytool -changealias -alias "passportca" -destalias "passportca1" -keystore passport_truststore.jks -storepass <Password>
  3. Import the new certificate (provided below) under the alias passportca into data/conf/passport/passport_truststore.jks and trust it. DO NOT REMOVE OTHER ALIASES.
    For example: keytool -import -file newCert.cer -keystore passport_truststore.jks -alias passportca -storepass <Password>

*By default <Password> is axway*


  4. Restart EBICS Gateway.
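
The truststore steps above (backup, alias rename, import) as one script that also checks that no other alias was lost. This is an added example, not Axway tooling. Assumptions: the function names, the backup directory name and the TS_PASS environment variable are hypothetical, the script is run from the EBICS Gateway installation directory, and keytool prints its output in English.

```shell
#!/bin/sh
# Added example, not Axway tooling. Assumptions: run from the EBICS Gateway
# installation directory, keytool on PATH (English output), and the store
# password exported in the environment variable TS_PASS.
CONF_DIR=${CONF_DIR:-data/conf/passport}
TS=$CONF_DIR/passport_truststore.jks

# Read `keytool -list -v` output on stdin, print the alias names sorted.
list_aliases() {
    sed -n 's/^Alias name: //p' | sort -u
}

# $1 = aliases before, $2 = aliases after, $3 = alias the old CA was moved to.
# Succeeds only if "after" is exactly "before" plus $3, so passportca exists
# again and no other alias was dropped.
aliases_ok() {
    expected=$(printf '%s\n%s\n' "$1" "$3" | sort -u)
    actual=$(printf '%s\n' "$2" | sort -u)
    [ "$expected" = "$actual" ]
}

# $1 = file holding the new PassPort CA certificate (e.g. newCert.cer)
update_truststore() {
    old_alias=passportca1
    cp -rp "$CONF_DIR" "$CONF_DIR.bak.$(date +%Y%m%d%H%M%S)" || return 1
    before=$(keytool -list -v -keystore "$TS" -storepass:env TS_PASS | list_aliases)
    keytool -changealias -alias passportca -destalias "$old_alias" \
        -keystore "$TS" -storepass:env TS_PASS || return 1
    # keytool prints the certificate and asks whether to trust it
    keytool -import -file "$1" -alias passportca \
        -keystore "$TS" -storepass:env TS_PASS || return 1
    after=$(keytool -list -v -keystore "$TS" -storepass:env TS_PASS | list_aliases)
    if aliases_ok "$before" "$after" "$old_alias"; then
        echo "truststore updated, aliases preserved"
    else
        echo "alias mismatch, restore the backup before restarting" >&2
        return 1
    fi
}

# Run only when a certificate file is given; sourcing just defines functions.
if [ $# -eq 1 ]; then
    update_truststore "$1"
fi
```

The `-storepass:env` form keeps the password out of the process list, unlike the literal `-storepass <Password>` form.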


Note: If any inconsistency occurs between PassPort and EBICS Gateway, you may experience:

1. At startup:

<timeStamp> SEVERE [com.axway.bl.license.DatabaseLayerServiceImp] (MSC service thread 1-7) PassportClient IOException: Keystore was tampered with, or password was incorrect: com.axway.fex.security.provider.service.AxSecurityProviderException: PassportClient IOException: Keystore was tampered with, or password was incorrect
at com.axway.fex.security.provider.passportv2.PassportConnector.initPassportClient(PassportConnector.java:265) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.<init>(PassportConnector.java:96) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.getInstance(PassportConnector.java:124) [bankrechner.jar:]
at com.axway.bl.license.DatabaseLayerServiceImp.initPassport(DatabaseLayerServiceImp.java:64) [bankrechner.jar:]
at com.axway.bl.license.DatabaseLayerServiceImp.<init>(DatabaseLayerServiceImp.java:55) [bankrechner.jar:]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_40]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at java.lang.reflect.Constructor.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at java.lang.Class.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at de.businesslogics.bankrechner.BankingFeatures$MyDatbaseLayerService.<init>(BankingFeatures.java:108) [bankrechner.jar:]
at de.businesslogics.bankrechner.BankingFeatures.<clinit>(BankingFeatures.java:194) [bankrechner.jar:]
at de.businesslogics.bankrechner.order.PostProcessingBean.<clinit>(PostProcessingBean.java:121) [bankrechner.jar:]
at java.lang.Class.forName0(Native Method) [rt.jar:1.8.0_40]
at java.lang.Class.forName(Unknown Source) [rt.jar:1.8.0_40]
at org.jboss.invocation.proxy.AbstractProxyFactory.afterClassLoad(AbstractProxyFactory.java:91)
at org.jboss.invocation.proxy.AbstractClassFactory.defineClass(AbstractClassFactory.java:162)
at org.jboss.invocation.proxy.AbstractProxyFactory.getCachedMethods(AbstractProxyFactory.java:146)
at org.jboss.as.ee.component.ViewConfiguration.addViewInterceptor(ViewConfiguration.java:119)
at org.jboss.as.ee.component.NamespaceViewConfigurator.configure(NamespaceViewConfigurator.java:34)
at org.jboss.as.ee.component.DefaultComponentViewConfigurator.configure(DefaultComponentViewConfigurator.java:67)
at org.jboss.as.ee.component.deployers.EEModuleConfigurationProcessor.deploy(EEModuleConfigurationProcessor.java:92)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:143)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_40]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) [rt.jar:1.8.0_40]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source) [rt.jar:1.8.0_40]
at java.security.KeyStore.load(Unknown Source) [rt.jar:1.8.0_40]
at com.axway.fex.security.provider.passportv2.PassportRegistrationCallbackHandler.getKeyStore(PassportRegistrationCallbackHandler.java:618) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportRegistrationCallbackHandler.<init>(PassportRegistrationCallbackHandler.java:86) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.initPassportClient(PassportConnector.java:234) [bankrechner.jar:]
... 30 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
... 36 more

2. The EBICS Gateway Server is still able to launch and run, but any attempt to display the login frame will generate the following lines in the logs:

<TimeStamp> INFO [com.axway.fex.security.provider.passportv2.PassportConnector] (default task-1) login(admin,Synchrony)
<TimeStamp> SEVERE [com.axway.fex.security.provider.passportv2.PassportJAASLoginModule] (default task-1) Failed to execute the login operation
<TimeStamp> SEVERE [com.axway.fex.security.provider.passportv2.PassportJAASLoginModule] (default task-1) abort invoked:
<TimeStamp> SEVERE [com.axway.fex.ebics.connector.passport.PassportRoles] (default task-1) abort invoked


Related articles
https://support.axway.com/kb/180293/language/en
https://support.axway.com/kb/180303/language/en