Does not apply to Identity Cloud

DS (All versions) fails to start when using a JKS keystore from an earlier version

Last updated Jun 15, 2021

The purpose of this article is to provide assistance if DS fails to start when using a JKS keystore, which was most likely copied from an earlier version of OpenDJ. When this happens, the server log contains the message "An error occurred while trying to load the keystore contents from file /path/to/ds/keystore: IOException(DerInputStream.getLength(): lengthTag=109, too big.)".


Symptoms

The following error is shown when DS fails to start:

category=CORE severity=NOTICE msgID=139 msg=The Directory Server has sent an alert notification generated by class org.opends.server.core.DirectoryServer (alert type org.opends.server.DirectoryServerShutdown, alert ID org.opends.messages.core-141): The Directory Server has started the shutdown process. The shutdown was initiated by an instance of class org.opends.server.core.DirectoryServer and the reason provided for the shutdown was An error occurred while trying to start the Directory Server: InitializationException: An error occurred while attempting to initialize the SSL context for use in the LDAP Connection Handler: An error occurred while trying to load the keystore contents from file /path/to/ds/keystore: IOException(DerInputStream.getLength(): lengthTag=109, too big.) (id=org.opends.messages.extension-62) (LDAPConnectionHandler.java:416 LDAPConnectionHandler.java:114 ConnectionHandler.java:134 AdministrationConnector.java:95 ConnectionHandlerConfigManager.java:240 ConnectionHandlerConfigManager.java:203 DirectoryServer.java:1546 DirectoryServer.java:1317 DirectoryServer.java:4210)

Recent Changes

Installed DS 5 or later, and used a keystore from an earlier version of OpenDJ.

Causes

The default keystore type in DS 5 and later is PKCS#12, and the Default Key Manager provider is configured with key-store-type PKCS12 accordingly. If the file it points to is of a different type (such as a JKS keystore copied from an earlier version of OpenDJ), DS attempts to parse that file as PKCS#12, which is DER-encoded, and fails to start. The "lengthTag=109, too big" text is Java's DER parser rejecting the JKS magic number 0xFEEDFEED: the second byte, 0xED, has its high bit set, so its low seven bits (0x6D = 109) are read as the number of length octets that follow, which exceeds the maximum of four. Seeing exactly lengthTag=109 is therefore a reliable sign that the file is a JKS keystore rather than a corrupt PKCS#12 one.

The default keystore type in OpenDJ 3.x was JKS. Changes were made in DS 5 to simplify the default keystore and truststore configuration; this included changing the default keystore format to PKCS#12. See DS 5 Important Changes to Existing Functionality (setup tool) for further information.

Solution

This issue can be resolved using one of the following approaches:

  • Convert your existing JKS keystore to PKCS#12 using keytool, for example: $ keytool -importkeystore -srckeystore [existing_JKS_keystore] -srcstoretype JKS -srcstorepass password -destkeystore new-keystore -deststoretype PKCS12 -deststorepass password -destkeypass password
    Passwords given on the command line end up in shell history and process listings; keytool also accepts them via -srcstorepass:file and -deststorepass:file. Place the converted file at the path set in the Default Key Manager's key-store-file property (or update that property to point to it).
  • Change the Default Key Manager's key-store-type to JKS using dsconfig, for example:
    • DS 7.1 and later: $ ./dsconfig set-key-manager-provider-prop --provider-name "Default Key Manager" --set key-store-type:JKS --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePassword:file /path/to/ds/config/keystore.pin --no-prompt
    • DS 7: $ ./dsconfig set-key-manager-provider-prop --provider-name "Default Key Manager" --set key-store-type:JKS --hostname ds1.example.com --port 4444 --bindDN uid=admin --bindPassword password --usePkcs12TrustStore /path/to/ds/config/keystore --trustStorePasswordFile /path/to/ds/config/keystore.pin --no-prompt
    • Pre-DS 7: $ ./dsconfig set-key-manager-provider-prop --provider-name "Default Key Manager" --set key-store-type:JKS --hostname ds1.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --trustAll --no-prompt
      Note that --trustAll accepts whatever certificate the administration connector presents; when running the command over a network, prefer --trustStorePath with a truststore that contains the server certificate.

You can now continue to use the JKS keystore with DS. With either approach, the password DS reads from the Default Key Manager's key-store-pin-file (config/keystore.pin by default) must be the password of the keystore it is pointed at.

If the DS server is unable to start successfully because of a keystore change, you can run the dsconfig command against the stopped server using the --offline option in DS 6 and later; dsconfig then edits the configuration directly, so the --hostname, --port, bind and trust options are not needed.
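The following POSIX shell script is an added example and is not part of this article or of DS itself. It ties the Causes and Solution sections together: it classifies a keystore file by its leading bytes before DS is pointed at it (going slightly beyond the article by also recognising JCEKS, whose magic is 0xCECECECE), reproduces the DER length decode that turns the JKS header into "lengthTag=109", and wraps the keytool conversion with passwords read from files. It assumes od(1) is available and that keytool supports the :file password form (true on current JDKs); the function names (keystore_type, der_length_tag, check_keystore, convert_to_pkcs12) and the file names in the comments are the example's own.

```shell
#!/bin/sh
# Added example, not part of the ForgeRock article or of DS.
# Tells JKS/JCEKS from PKCS#12 by the file's leading bytes, reproduces the DER
# length decode behind "lengthTag=109, too big", and wraps the keytool
# conversion. Assumes od(1); keytool is only needed by convert_to_pkcs12.

# First four bytes of a file as lowercase hex with no separators, e.g. "feedfeed".
magic_hex() {
    od -An -tx1 -N4 "$1" | tr -d ' \n'
}

# Classify a keystore by its magic number:
#   feedfeed -> JKS   (JavaKeyStore magic)
#   cececece -> JCEKS (JceKeyStore magic)
#   30...    -> DER SEQUENCE tag, the outer PFX structure of a PKCS#12 file
keystore_type() {
    case "$(magic_hex "$1")" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Decode the file's second byte the way Java's DerInputStream.getLength() does
# when the PKCS#12 loader reads it: with bit 7 set, the low seven bits give the
# count of length octets that follow, and a count above 4 is rejected as
# "too big". For a JKS file that byte is 0xED, so the result is 0xED & 0x7F = 109.
der_length_tag() {
    second=$(od -An -tx1 -j1 -N1 "$1" | tr -d ' \n')
    [ -n "$second" ] || return 1          # file shorter than two bytes
    echo $(( 0x$second & 0x7F ))
}

# One-line verdict, suitable as a pre-start check in a deployment script.
check_keystore() {
    kind=$(keystore_type "$1")
    case "$kind" in
        PKCS12)    echo "$1: PKCS#12, matches the DS 5+ default key-store-type" ;;
        JKS|JCEKS) echo "$1: $kind; the PKCS#12 loader would fail with lengthTag=$(der_length_tag "$1"); convert it or set key-store-type:$kind" ;;
        *)         echo "$1: not a JKS, JCEKS or PKCS#12 keystore" ;;
    esac
}

# The conversion from the article, with passwords read from files instead of
# the command line so they stay out of shell history and ps output. The PKCS#12
# password must match what DS reads from the key manager's key-store-pin-file;
# keytool prompts for a key password if a JKS key password differs from the
# store password.
convert_to_pkcs12() {
    src=$1; dst=$2; srcpass_file=$3; dstpass_file=$4
    keytool -importkeystore \
        -srckeystore "$src" -srcstoretype JKS -srcstorepass:file "$srcpass_file" \
        -destkeystore "$dst" -deststoretype PKCS12 -deststorepass:file "$dstpass_file"
}

# Usage: sh check-keystore.sh /path/to/ds/keystore
if [ -n "${1:-}" ]; then
    check_keystore "$1"
fi
```

Run check_keystore against the file named in the Default Key Manager's key-store-file before starting DS; a JKS verdict with lengthTag=109 is exactly the failure described above, and the same check is cheap enough to leave in an upgrade playbook.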

See Also

SSL in DS

Cryptographic Keys 

Related Training

N/A

Related Issue Tracker IDs

N/A


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.