KB Article #180327
How to manually update EBICS Gateway certificates after PassPort 2019 certificate renewal?
Problem
How to manually update EBICS Gateway certificates after PassPort 2019 certificate renewal?
Resolution
Here are the steps required to upgrade the PassPort root certificate that was qualified on EBICS Gateway 3.4.
You can make the modifications on the EBICS Gateway side, without causing any harm, long before making changes on the PassPort side. However, by the time PassPort is upgraded and started, EBICS Gateway must already have been modified so that it behaves correctly.
On the EBICS Gateway side:
- Stop EBICS Gateway.
On the PassPort side:
- Stop PassPort.
- Upgrade PassPort to 4.6.0 SP19 or SP20.
- Restart PassPort.
On the EBICS Gateway side:
- Back up the folder /data/conf/passport
- Inside this folder, in passport_truststore.jks, rename the certificate with alias passportca to any other alias. You can use any tool, such as keytool:
  keytool -changealias -alias "passportca" -destalias "passportca1" -keystore passport_truststore.jks -storepass <Password>
- Import the new certificate (provided below) under the alias passportca to data/conf/passport/passport_truststore.jks and trust it. DO NOT REMOVE OTHER ALIASES. For example:
  keytool -import -file newCert.cer -keystore passport_truststore.jks -alias passportca -storepass <Password>
*By default <Password> is axway*
- Restart EBICS Gateway.
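One way to check the truststore change before restarting EBICS Gateway, as an added example that is not part of the original article: it compares `keytool -list` output captured before and after the change and confirms that passportca now holds a different certificate, that the previous one survives under the parked alias, and that no other alias was removed or replaced. The sample listings, the alias partnerca and all fingerprints are constructed.

```shell
# Added example: audit the passportca swap from two `keytool -list` listings.
tab=$(printf '\t')
# Emit "alias<TAB>type<TAB>fingerprint" for each entry of a listing on stdin.
entries() {
    awk -F', *' '
        NF >= 2 && $(NF-1) ~ /Entry$/ { alias = $1; type = $(NF-1); next }
        alias != "" && /^Certificate fingerprint/ {
            sub(/^[^:]*: */, "")
            print alias "\t" type "\t" $0
            alias = ""
        }'
}

# col TABLE ALIAS N: print field N of the row whose alias is ALIAS.
col() { printf '%s\n' "$1" | awk -F'\t' -v a="$2" -v n="$3" '$1 == a { print $n }'; }

# audit_alias_swap BEFORE AFTER CA_ALIAS PARKED_ALIAS: returns 0 if the swap is sound.
audit_alias_swap() {
    before=$(printf '%s\n' "$1" | entries); after=$(printf '%s\n' "$2" | entries)
    ca=$3; parked=$4; rc=0
    old_fp=$(col "$before" "$ca" 3)
    [ "$(col "$after" "$ca" 2)" = "trustedCertEntry" ] ||
        { echo "FAIL: $ca missing or not a trustedCertEntry"; rc=1; }
    [ "$(col "$after" "$ca" 3)" != "$old_fp" ] ||
        { echo "FAIL: $ca still holds the previous certificate"; rc=1; }
    [ -n "$old_fp" ] && [ "$(col "$after" "$parked" 3)" = "$old_fp" ] ||
        { echo "FAIL: previous CA not preserved under $parked"; rc=1; }
    while IFS=$tab read -r a t fp; do   # every other alias must be untouched
        [ -z "$a" ] || [ "$a" = "$ca" ] && continue
        [ "$(col "$after" "$a" 3)" = "$fp" ] ||
            { echo "FAIL: alias $a was removed or replaced"; rc=1; }
    done <<EOF
$before
EOF
    return $rc
}

# Constructed listings: alias partnerca and all fingerprints are made up.
BEFORE='passportca, Jan 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
partnerca, Jan 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22'
AFTER='passportca1, Jan 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
passportca, Mar 20, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 33:33:33:33
partnerca, Jan 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): 22:22:22:22'
audit_alias_swap "$BEFORE" "$AFTER" passportca passportca1 && echo "alias swap verified"
```

Capture the two listings with `keytool -list -keystore passport_truststore.jks -storepass <Password>`, once on the backup copy and once on the modified file.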
Note: If any inconsistency occurs between PassPort and EBICS Gateway, you may experience:
1. At startup:
<timeStamp> SEVERE [com.axway.bl.license.DatabaseLayerServiceImp] (MSC service thread 1-7) PassportClient IOException: Keystore was tampered with, or password was incorrect: com.axway.fex.security.provider.service.AxSecurityProviderException: PassportClient IOException: Keystore was tampered with, or password was incorrect
at com.axway.fex.security.provider.passportv2.PassportConnector.initPassportClient(PassportConnector.java:265) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.<init>(PassportConnector.java:96) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.getInstance(PassportConnector.java:124) [bankrechner.jar:]
at com.axway.bl.license.DatabaseLayerServiceImp.initPassport(DatabaseLayerServiceImp.java:64) [bankrechner.jar:]
at com.axway.bl.license.DatabaseLayerServiceImp.<init>(DatabaseLayerServiceImp.java:55) [bankrechner.jar:]
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) [rt.jar:1.8.0_40]
at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at java.lang.reflect.Constructor.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at java.lang.Class.newInstance(Unknown Source) [rt.jar:1.8.0_40]
at de.businesslogics.bankrechner.BankingFeatures$MyDatbaseLayerService.<init>(BankingFeatures.java:108) [bankrechner.jar:]
at de.businesslogics.bankrechner.BankingFeatures.<clinit>(BankingFeatures.java:194) [bankrechner.jar:]
at de.businesslogics.bankrechner.order.PostProcessingBean.<clinit>(PostProcessingBean.java:121) [bankrechner.jar:]
at java.lang.Class.forName0(Native Method) [rt.jar:1.8.0_40]
at java.lang.Class.forName(Unknown Source) [rt.jar:1.8.0_40]
at org.jboss.invocation.proxy.AbstractProxyFactory.afterClassLoad(AbstractProxyFactory.java:91)
at org.jboss.invocation.proxy.AbstractClassFactory.defineClass(AbstractClassFactory.java:162)
at org.jboss.invocation.proxy.AbstractProxyFactory.getCachedMethods(AbstractProxyFactory.java:146)
at org.jboss.as.ee.component.ViewConfiguration.addViewInterceptor(ViewConfiguration.java:119)
at org.jboss.as.ee.component.NamespaceViewConfigurator.configure(NamespaceViewConfigurator.java:34)
at org.jboss.as.ee.component.DefaultComponentViewConfigurator.configure(DefaultComponentViewConfigurator.java:67)
at org.jboss.as.ee.component.deployers.EEModuleConfigurationProcessor.deploy(EEModuleConfigurationProcessor.java:92)
at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:143)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1736)
at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1698)
at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1556)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1364)
at java.lang.Thread.run(Unknown Source) [rt.jar:1.8.0_40]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source) [rt.jar:1.8.0_40]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(Unknown Source) [rt.jar:1.8.0_40]
at java.security.KeyStore.load(Unknown Source) [rt.jar:1.8.0_40]
at com.axway.fex.security.provider.passportv2.PassportRegistrationCallbackHandler.getKeyStore(PassportRegistrationCallbackHandler.java:618) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportRegistrationCallbackHandler.<init>(PassportRegistrationCallbackHandler.java:86) [bankrechner.jar:]
at com.axway.fex.security.provider.passportv2.PassportConnector.initPassportClient(PassportConnector.java:234) [bankrechner.jar:]
... 30 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
... 36 more
2. The EBICS Gateway Server is still able to launch and run, but any attempt to display the login frame generates the following lines in the logs:
<TimeStamp> INFO [com.axway.fex.security.provider.passportv2.PassportConnector] (default task-1) login(admin,Synchrony)
<TimeStamp> SEVERE [com.axway.fex.security.provider.passportv2.PassportJAASLoginModule] (default task-1) Failed to execute the login operation
<TimeStamp> SEVERE [com.axway.fex.security.provider.passportv2.PassportJAASLoginModule] (default task-1) abort invoked:
<TimeStamp> SEVERE [com.axway.fex.ebics.connector.passport.PassportRoles] (default task-1) abort invoked
Related articles
https://support.axway.com/kb/180293/language/en
https://support.axway.com/kb/180303/language/en