E AMC Keystore Migration from JKS to PKCS12

Java Key Store (JKS), a widely used key store implementation, is being phased out in favor of Personal Information Exchange Syntax Standard (PKCS12), a more modern and widely supported key store format. PKCS12 provides several advantages, including enhanced security, interoperability, and compatibility with modern applications and tools. Oracle recommends migrating keys and certificates from JKS to PKCS12.

This section details the steps involved in manual migration from JKS keystore to PKCS12.

Prerequisite

JDK 8u152 or above is required to run the Java keytool.

Migration Steps

Follow these steps to migrate from JKS keystore to PKCS12 keystore.

  1. Go to the AMC agent installation location and open the conf folder.
    $ cd ~/Java_AMC/conf
  2. Note down the following properties from the AMCKeystore.properties file:
    • agent.keystore.password:<password>
    • signing.keystore.password:<password>
  3. To migrate AMC keystore to PKCS12 standard:
    1. Migrate AMCAgent.jks to PKCS12 using the following commands:
      $ sudo keytool -importkeystore -srckeystore AMCAgent.jks -destkeystore AMCAgent.jks -srcstoretype JKS -deststoretype PKCS12 -deststorepass <agent.keystore.password>
      Enter source keystore password: <agent.keystore.password>

      Expected result (ignore any warning message):

      Entry for alias **** successfully imported.
      Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
    2. Migrate AMCSigning.jks to PKCS12 using the following commands:
      $ sudo keytool -importkeystore -srckeystore AMCSigning.jks -destkeystore AMCSigning.jks -srcstoretype JKS -deststoretype PKCS12 -deststorepass <signing.keystore.password>
      Enter source keystore password: <signing.keystore.password>

      Expected result (ignore any warning message):

      Entry for alias **** successfully imported.
      Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
  4. Restart the agent.
    $ sudo ./AMCAgent.sh -restart
  5. Verify if the agent is working.
    • If the agent is working as expected, remove the temporary keystore files (optional):
      $ sudo rm -f AMCAgent.jks.old
      $ sudo rm -f AMCSigning.jks.old
      $ sudo rm -f AMCAgent.jks.tmp # If available
      $ sudo rm -f AMCSigning.jks.tmp # If available
    • If the agent is not working as expected, run the following commands and repeat steps 3 to 5:
      $ sudo mv AMCAgent.jks AMCAgent.jks.tmp
      $ sudo mv AMCSigning.jks AMCSigning.jks.tmp
      $ sudo mv AMCAgent.jks.old AMCAgent.jks
      $ sudo mv AMCSigning.jks.old AMCSigning.jks
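
One way to confirm the outcome of step 3 before restarting the agent in step 4, shown as an added example that is not part of the original procedure or of the AMC tooling. The function names are hypothetical; the check relies on the file headers (JKS begins with the magic bytes 0xFEEDFEED, JCEKS with 0xCECECECE, and a PKCS12 file is DER and begins with the SEQUENCE tag 0x30) and does not need the keystore passwords.

```shell
#!/bin/sh
# Added example (hypothetical helper names): classify a keystore by its header.
# The 0x30 test is a heuristic: it only shows the file is DER-encoded,
# which is what a PKCS12 keystore looks like on disk.
keystore_format() {
    [ -r "$1" ] || { echo MISSING; return 0; }
    # First four bytes as lowercase hex with no separators, e.g. "feedfeed"
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# check_migration DIR
# Returns 0 only when both AMC keystores in DIR are PKCS12. It also prints
# the format of the .old files that the rollback in step 5 depends on.
check_migration() {
    dir=$1
    rc=0
    for ks in AMCAgent.jks AMCSigning.jks; do
        fmt=$(keystore_format "$dir/$ks")
        old=$(keystore_format "$dir/$ks.old")
        echo "$ks: $fmt (backup $ks.old: $old)"
        [ "$fmt" = PKCS12 ] || rc=1
    done
    return $rc
}

# Run against a directory when one is given, for example ~/Java_AMC/conf
if [ $# -gt 0 ]; then
    check_migration "$1"
fi
```

A result of MISSING also covers files the current user cannot read, so run the script with the same privileges used for the keytool commands.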