Support Article

Invalid Keystore type, Specify a JKS or PKCS12 keystore

SA-29476

Summary



From the SFTP server, the user has generated private and public RSA key files, id_rsa and id_rsa.pub, respectively. But the Pega 7.2 FTP Server form does not allow uploading the private key file in the Keystore record for SSH FTP (SFTP) that the FTP Server references. It accepts only the file types JKS or PKCS12. In an earlier release of the Pega 7 Platform, the RSA private key for the SFTP connection could be uploaded to a Keystore record and that Keystore record could be referenced from the FTP Server record without any issue.

Error Messages



Unable to load keystore: Invalid Keystore type. Specify a JKS or PKCS12 keystore.


Steps to Reproduce

  1. Create a Linux user for the SFTP server, for example, sftpuser, and do not require a password.
  2. On the SFTP server, generate the RSA public and private key pair.
  3. Run the command ssh-keygen -t rsa to generate the RSA private and public key files, id_rsa and id_rsa.pub, respectively.
  4. Copy the content of the public key file id_rsa.pub into the file authorized_keys2, located in the user home folder, /home/sftpuser/.ssh/authorized_keys2.
  5. Log in to Pega 7.2.
  6. Under Integration-Resources, create a new FTP Server record.
  7. Type the Host name : <SFTP Hostname>
  8. Type the Port number: 22
  9. Under Authentication, select Use authentication.
  10. Create an Authentication profile, for example, myuser.
  11. Type the SFTP server user name sftpuser and do not type a password.
  12. Under Protocol, select the option SSH FTP (SFTP).
  13. Under Keystore, type a name, for example, mykeystore, and create the rule.
  14. Upload the private key file id_rsa and enter some arbitrary values for the Keystore fields Type and Password.
  15. Try to save the record.
  16. See the error.


Root Cause



A backwards compatibility defect in Pegasystems' code or rules
Pega 7.2 added validation to keystore instances to store only JKS and PKCS12 file types.
Now keystore instances created prior to Pega 7.2 cannot be used to save RSA private keys for SSH FTP, and the test for connectivity fails.
Releases prior to Pega 7.2 store RSA private keys in a Rule-File-Binary record; this is no longer the case for Pega 7.2.

Resolution


At design time only, perform the following local-change to work around the Pega 7.2 limitation:
  1. Do a private checkout of the Validate activity in the class Data-Admin-Security-Keystore and comment out Step 3.
  2. Save the Validate activity.
  3. In the Keystore record, upload the RAS private key id_rsa as it stands (no changes).
  4. Type arbitrary values for the Keystore fields Type and Password.
  5. Save the Keystore record.
  6. Save the FTP Server record.
  7. ​Test SFTP connectivity.
  8. Delete the privately checked-out Validate activity, which you checked out in Step 1.

Important: This local change is a design-time change. After the private key is uploaded, SFTP connectivity will succeed.

Published October 21, 2016 - Updated April 18, 2017


100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.