The BlackBerry Administration Service page does not open due to an invalid "web.keystore" file

Article ID: KB18260

Type: Support Content

Last Modified: 06-17-2014

 

Product(s) Affected:

  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Enterprise Server for IBM Domino
Environment
  • BlackBerry Enterprise Server 5.0 to 5.0 SP3
  • DT 207561
  • DT 262557
Overview

The BlackBerry Administration Service page cannot be displayed. The BlackBerry Administration Service Application Server service restarts continuously, each time after a couple of minutes, and the following entries appear in the BlackBerry Administration Service Application Server (ServerName_BBAS-AS_##_YYYYMMDD_####.txt) log file:

(05/13 10:28:12:503):{main} [org.apache.coyote.http11.Http11Protocol] [ERROR] Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Resolution

If the above error occurs, follow the steps below:

1. Reconfigure the BlackBerry Administration Service services to run as the Windows account that ran the BlackBerry Enterprise Server installation software:

  1. Click Start > Run and then type services.msc.
  2. Right-click BlackBerry Administration Service - Application Server and select Properties.
  3. Switch to the Log On tab.
  4. Change the account the service logs on as to the account used to run BlackBerry Enterprise Server installation software.
  5. Apply the changes.
  6. Repeat steps 2 through 5 for the BlackBerry Administration Service - Native Code Container service.

2. Import the current web keystore password into the user section of the registry for the Windows account that currently runs the BlackBerry Administration Service services:

The user used to install or upgrade the BlackBerry Enterprise Server will have the proper information in its registry keys. This registry information can be moved to the registry settings for another Windows user if BlackBerry Administration Service services have been altered.

  1. Take a full backup of the Windows registry.
  2. Log into the server running the BlackBerry Administration Service as the user which was last used to run BlackBerry Enterprise Server setup software.
  3. Click Start > Run and type regedit.
  4. Navigate to the following key:

    HKEY_CURRENT_USER\Software\Research In Motion\BlackBerry Enterprise Server

  5. Right-click the BlackBerry Administration Service key and choose Export.
  6. Save the file with an appropriate file name to the root of c:\. Make sure the Export range is set to Selected branch.
  7. Log off the current Windows user, and log back in as the user that the BlackBerry Administration Service services currently run as.
  8. Navigate to the root of c:\ in Windows Explorer and double-click the .reg file created in step 5.
  9. Select Yes in the warning message to put the webkeystore password into the HKEY_CURRENT_USER section of the currently logged in user, which should fix the issue.

Note: If the exact user that has the proper webkeystore password in the registry is not known, you should be able to search the HKEY_USERS section of the Windows registry for WebKeyStorePass to help identify the user. See the Additional Information section of this article for further details.

Additional Information

The error appears when the password stored in the web.keystore file does not match the corresponding password in the Windows registry. This usually occurs because the service account used to run the BlackBerry Administration Service services has been changed in the Windows Services console. During setup of BlackBerry Enterprise Server software, the web keystore password is created, and the Windows registry is updated with the appropriate data. Because the BlackBerry Administration Service uses the HKEY_USERS section of the Windows registry to store the web keystore password, the only user that will have the proper password and be able to run the BlackBerry Administration Service services is the user that was used to install the BlackBerry Enterprise Server.

Note: The proper way to change the account that any BlackBerry Enterprise Server service runs as is to log in as the desired user to the server and reinstall the BlackBerry Enterprise Server software. Manually changing the account can lead to problems. Other than the services which are configured automatically to run as Local System, all BlackBerry Enterprise Server services on a given server should be running as the same domain account which has the proper local and domain/SQL permissions. The domain account which is logged in when running the BlackBerry Enterprise Server installation software is used to configure the appropriate BlackBerry Enterprise Server services. For more information about the installation requirements, see the Installation and Configuration Guide for the appropriate version of the BlackBerry Enterprise Server, from the Documentation for Administrators.

The web keystore password is stored in 2 places. It is the password associated with the self-signed SSL certificate used by the BlackBerry Administration Service for secure web traffic. The current web keystore password exists in:

  1. The Windows registry.
  2. The web.keystore file in the BlackBerry Administration Service install directory.

The password accessed by the BlackBerry Administration Service from the registry must match the password in the web.keystore file. The keystore password is stored in the HKEY_USERS section of the registry, and the BlackBerry Administration Service services read it from there. The user that runs the BlackBerry Administration Service services determines the section of the registry that this information is pulled from. Each Windows user account that uses the server will have a couple of registry keys in the HKEY_USERS section. A string of numbers (the account's security identifier, or SID) is used to identify individual users in the HKEY_USERS location. You will not find the user's name. When the currently logged in Windows user accesses the registry in the regedit application, the software-related key of their HKEY_USERS data is displayed in the HKEY_CURRENT_USER key for convenience.

It is possible that there may be multiple user keys in HKEY_USERS that contain a WebKeyStorePass string value, depending on the history of activity on the server. In such a case, the current password would reside in the user data for the user that was most recently used to install or update the BlackBerry Enterprise Server software. If the proper password can be determined, and moved into the HKEY_CURRENT_USER section of the registry while logged in as the current user that runs the BlackBerry Administration Service services, the passwords should match and the BlackBerry Administration Service should finish loading. If the proper web.keystore password can't be identified in the registry, please use the Internal Notes to manually recreate the web.keystore file.
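
The HKEY_USERS search described above can be scripted. The following PowerShell is an added example, not part of the original article or of BlackBerry software. It lists which loaded user hives contain a WebKeyStorePass value, resolves each SID to an account name, and shows the accounts the BlackBerry Administration Service services currently log on as. The function names are hypothetical, and the search is recursive because the article does not state the exact subkey that holds the value. The password itself is never printed.

```powershell
# Added example. Run elevated on the BlackBerry Administration Service server.
# Only hives currently loaded under HKEY_USERS are visible (logged-on users and
# accounts that are running services). Written to work on Windows PowerShell 2.0+.
$besSubKey = 'Software\Research In Motion\BlackBerry Enterprise Server'  # key path from the article
$valueName = 'WebKeyStorePass'                                            # value name from the article

function Resolve-SidToAccount {          # hypothetical helper name
    param([string]$Sid)
    try {
        $sidObj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '(unresolved SID)'        # deleted account or unreachable domain
    }
}

function Find-WebKeyStorePassOwner {     # hypothetical helper name
    # Skip .DEFAULT and the *_Classes hives; keep every real SID.
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-[\d-]+$' }
    foreach ($hive in $hives) {
        $root = "Registry::HKEY_USERS\$($hive.PSChildName)\$besSubKey"
        if (-not (Test-Path -LiteralPath $root)) { continue }
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Report presence only; the value data is deliberately not read.
            if ($key.GetValueNames() -contains $valueName) {
                New-Object PSObject -Property @{
                    Sid     = $hive.PSChildName
                    Account = Resolve-SidToAccount $hive.PSChildName
                    Key     = $key.Name
                }
            }
        }
    }
}

# Accounts the two services from the Resolution steps currently log on as.
Get-WmiObject Win32_Service -Filter "DisplayName LIKE 'BlackBerry Administration Service%'" |
    Select-Object DisplayName, StartName, State | Format-Table -AutoSize

# Hives holding a stored web keystore password.
Find-WebKeyStorePassOwner | Select-Object Account, Sid, Key | Format-Table -AutoSize -Wrap
```

If the service account shown in the first table does not appear in the second, the services are running as a user with no stored web keystore password, which matches the mismatch described in this article.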

For further information on how to use the keytool, please consult the Oracle website and search for the string "keytool - Key and Certificate Management Tool".
