3 Replies Latest reply on Jul 12, 2018 7:14 AM by Jeff Strauss

    Change default keystore password

    zen

      Environment:

      Tableau Services Manager command line version 20181.18.0510.1418.

      Tableau Server version 20181.18.0510.1418.

      Server: Ubuntu 18.04 LTS

       

      Hello,

       

      I'm trying to set up a Linux Tableau Server on an Ubuntu Server, installed from the repo, and I'm following the instructions to set up LDAP over SSL.

       

      "The default password for the Java keystore is changeit"

       

      I tried to change this using the following command:

       

      keytool -storepasswd -keystore /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks

      #insert current password

      #then insert new password

      #then insert new password again

       

      After a while I tried a tsm command:

       

      # tsm security external-ssl list --username <USERNAME>

       

      and I got an error. I checked the log file and I saw:

       

      ...

      DEBUG com.tableausoftware.tabadmin.Tabadmin - Command line: tsm security external-ssl list ...

      DEBUG com.tableausoftware.certificates.LinuxCertManager - Loading certificates: /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks

      ERROR com.tableausoftware.tabadmin.cli.Console - java.io.IOException: Keystore was tampered with, or password was incorrect

      ...

       

      It seems that the tsm command is using the old changeit default password to access the jks.

       

      I changed the password of the jks again using changeit and it started working again as expected.

       

      The output was:

               ssl.enabled: false                                  

             ssl.protocols: all -SSLv2 -SSLv3  

       

      and the log file was:

       

      ...

      DEBUG com.tableausoftware.tabadmin.Tabadmin - Command line: tsm security external-ssl list ...

      DEBUG com.tableausoftware.certificates.LinuxCertManager - Loading certificates: /etc/opt/tableau/tableau_server/tableauservicesmanagerca.jks

      TRACE com.tableausoftware.tabadmin.cli.SessionHandlingRestOperations$RequestFactory - Setting cookie

      ...

       

       

      How do you safely change the default keystore password without breaking the tsm command and other services? Do I need to edit additional config files?

       

      I checked inside the /opt/tableau/ folder to see whether any file contains the default password:

       

      # grep -r "changeit"

       

      and I found only this entry:

       

      tableau_server/packages/scripts.20181.18.0510.1418/after-install-common:  ${keytool} -importcert -noprompt -alias ${alias} -file ${crt} -storetype JKS -storepass changeit -keystore ${keystore}

       

      Any idea?

       

      Thank you in advance

        • 1. Re: Change default keystore password
          Jeff Strauss

          Did you happen to do a grep within the /var directory?  I think this is where the config files live, and where it may be stored.  Also, I wonder whether doing a "tsm pending-changes apply" after updating the password using the keytool utility will help subsequent commands.

          • 2. Re: Change default keystore password
            zen

            Hello Jeff,

             

            I tried your suggestions but I was unlucky.

             

            About the pending-changes suggestion:

             

            I tried to change the password again and tried to apply pending changes, but this fails with the same error in the logs.

             

            This command also fails:

             

            tsm pending-changes list

             

            I reverted using the previous password, then it started working again.

             

            About using grep inside /var:

             

            I found this:

             

            /var/lib/dpkg/info/ca-certificates-java.postinst:storepass='changeit'

             

            This file contains the same password. I think it's not related. I tried to change this file by using the same new password and I repeated the same procedure again. Same error.

            • 3. Re: Change default keystore password
              Jeff Strauss

              Have a look at this article that has some great detail.  Chances are that you need to manage the password via "tsm security" because it says that the passwords are stored encrypted.

               

              Manage Server Secrets
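
Why the log in this thread shows "Keystore was tampered with, or password was incorrect" after the store password is changed, as an added example that is not part of the thread or Tableau's code: a JKS keystore ends in a SHA-1 digest keyed by the store password, so any process still opening it with the old password fails the integrity check. It assumes the JKS store type (as in the "-storetype JKS" line quoted in the question); the keystore bytes, the new password and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string the JKS format mixes into the digest
DIGEST_LEN = 20  # SHA-1 trailer at the end of the file


def _digest(password: str, body: bytes) -> bytes:
    # Password chars are hashed as 2 bytes each (big-endian), then salt, then body.
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a version-2 JKS with zero entries (32 bytes)."""
    body = struct.pack(">IiI", JKS_MAGIC, 2, 0)  # magic, version, entry count
    return body + _digest(password, body)


def check_store_password(store: bytes, password: str) -> bool:
    """True if `password` reproduces the integrity digest in the trailer."""
    if len(store) < 12 + DIGEST_LEN or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    body, trailer = store[:-DIGEST_LEN], store[-DIGEST_LEN:]
    return hmac.compare_digest(_digest(password, body), trailer)


def change_store_password(store: bytes, old: str, new: str) -> bytes:
    """Model of what a store-password change does to the trailer: re-key the digest."""
    if not check_store_password(store, old):
        raise ValueError("Keystore was tampered with, or password was incorrect")
    body = store[:-DIGEST_LEN]
    return body + _digest(new, body)


if __name__ == "__main__":
    ks = build_empty_jks("changeit")
    ks = change_store_password(ks, "changeit", "constructed-new-pass")
    # A consumer that still has the old password configured now fails the check.
    print("old password opens store:", check_store_password(ks, "changeit"))
    print("new password opens store:", check_store_password(ks, "constructed-new-pass"))
```

A PKCS12 keystore protects integrity with a password-derived MAC instead, but the consequence is the same: every consumer of the file has to be given the new store password.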