Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Invalid Keystore type, Specify a JKS or PKCS12 keystore



From the SFTP server, the user has generated private and public RSA key files, id_rsa and, respectively. But the Pega 7.2 FTP Server form does not allow uploading the private key file in the Keystore record for SSH FTP (SFTP) that the FTP Server references. It accepts only the file types JKS or PKCS12. In an earlier release of the Pega 7 Platform, the RSA private key for the SFTP connection could be uploaded to a Keystore record and that Keystore record could be referenced from the FTP Server record without any issue.

Error Messages

Unable to load keystore: Invalid Keystore type. Specify a JKS or PKCS12 keystore.

Steps to Reproduce

  1. Create a Linux user for the SFTP server, for example, sftpuser, and do not require a password.
  2. On the SFTP server, generate the RSA public and private key pair.
  3. Run the command ssh-keygen -t rsa to generate the RSA private and public key files, id_rsa and, respectively.
  4. Copy the content of the public key file into the file authorized_keys2, located in the user home folder, /home/sftpuser/.ssh/authorized_keys2.
  5. Log in to Pega 7.2.
  6. Under Integration-Resources, create a new FTP Server record.
  7. Type the Host name : <SFTP Hostname>
  8. Type the Port number: 22
  9. Under Authentication, select Use authentication.
  10. Create an Authentication profile, for example, myuser.
  11. Type the SFTP server user name sftpuser and do not type a password.
  12. Under Protocol, select the option SSH FTP (SFTP).
  13. Under Keystore, type a name, for example, mykeystore, and create the rule.
  14. Upload the private key file id_rsa and enter some arbitrary values for the Keystore fields Type and Password.
  15. Try to save the record.
  16. See the error.

Root Cause

A backwards compatibility defect in Pegasystems' code or rules
Pega 7.2 added validation to keystore instances to store only JKS and PKCS12 file types.
Now keystore instances created prior to Pega 7.2 cannot be used to save RSA private keys for SSH FTP, and the test for connectivity fails.
Releases prior to Pega 7.2 store RSA private keys in a Rule-File-Binary record; this is no longer the case for Pega 7.2.


At design time only, perform the following local-change to work around the Pega 7.2 limitation:
  1. Do a private checkout of the Validate activity in the class Data-Admin-Security-Keystore and comment out Step 3.
  2. Save the Validate activity.
  3. In the Keystore record, upload the RAS private key id_rsa as it stands (no changes).
  4. Type arbitrary values for the Keystore fields Type and Password.
  5. Save the Keystore record.
  6. Save the FTP Server record.
  7. ​Test SFTP connectivity.
  8. Delete the privately checked-out Validate activity, which you checked out in Step 1.

Important: This local change is a design-time change. After the private key is uploaded, SFTP connectivity will succeed.

Published April 18, 2017 - Updated October 8, 2020

Was this useful?

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us