Summary:
This article explains how to change the keystore password from the default password "changeit" for HTTPS as well as X.509 client certificates.
Details:
If you change the password of the keystore located under <Spotfire Server Install>\tomcat\certs to something other than the default password "changeit" and also update server.xml with the new password, you see the following error in the server.log file:
================================
ERROR 2021-09-08T16:28:49,183+0530 [*Initialization*] security.unitrust.ConnectUnifiedStores: Failed to setup keystore for path C:\tibco\tss\10.10.6\tomcat\certs\keystore_spotfire.jks.
java.io.IOException: Keystore password was incorrect
=======================================
Spotfire Server will try to merge all keystores into memory and will then use the password in javax.net.ssl.trustStorePassword to load them. So, all keystores need to have the same password.
Resolution:
To change the password completely and get rid of these error messages, add the following parameter to the uiconfig.bat and config.bat files and also to the Java options in the service.bat file:
-Djavax.net.ssl.trustStorePassword="certificate password"
After adding this parameter, uiconfig.bat (<Spotfire Server Install>\tomcat\spotfire-bin\uiconfig.bat) looks like this:
start "TSS Configuration UI" "%JAVA_HOME%\bin\javaw" -Xms256m -Xmx4096m --add-opens=java.base/java.nio=ALL-UNNAMED -classpath "%CLASSPATH%" -Dcatalina.base="%TSS_HOME%" -Dlog.dir="%TSS_HOME%\logs" -Dlog4j.configurationFile="%TSS_HOME%\spotfire-config\log4j2-tools.xml" -Djavax.net.ssl.trustStorePassword="Passw03d@123" com.spotfire.server.tools.confui.ConfigurationMain %*
The config.bat file (<Spotfire Server Install>\tomcat\spotfire-bin\config.bat) looks like this:
"%JAVA_HOME%\bin\java" -Xms256m -Xmx4096m --add-opens=java.base/java.nio=ALL-UNNAMED -classpath "%CLASSPATH%" -Dcatalina.base="%TSS_HOME%" -Dlog.dir="%TSS_HOME%\logs" -Dlog4j.configurationFile="%TSS_HOME%\spotfire-config\log4j2-tools.xml" -Djavax.net.ssl.trustStorePassword="Passw03d@123" com.spotfire.server.config.tool.ConfigApp %*
To make the changes in the service.bat file, follow the steps below:
============================================
- On the command line, go to the <Spotfire Server Install>/tomcat/bin directory.
- Enter the following command: service.bat remove
- Then locate the ----JvmOptions and add the following -Djavax.net.ssl.trustStorePassword="certificate password" within this parameter line.
- Save and close the file.
- Run the following command: service.bat install
====================================
After changing the password at all three locations, you also have to change the cacerts password and make it the same as the new password; otherwise you will get the following error:
==============================
ERROR 2021-09-06T20:03:41,640+0530 [*Initialization*] security.unitrust.ConnectUnifiedStores: Could not created unified trust store.
java.security.KeyStoreException: problem accessing trust store
============================================
The following command can be used to change the cacerts password (the value after -new must be the same new password used for the other keystores):
<Spotfire Server Install>\jdk\bin\keytool -storepasswd -new Pass30d@123 -cacerts
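Because every keystore must open with the same password, it helps to verify that before restarting the service. The following PowerShell check is an added example, not part of the original article or TIBCO's tooling; the parameter $TssHome, the environment variable SPOTFIRE_STOREPASS and the assumption that the keystores under tomcat\certs are .jks files are choices made for this example. The password is read from the environment so it does not appear on the keytool command line.

```powershell
# Added example: confirm that every keystore the server will merge opens with one password.
# Assumptions (not from the article): $TssHome points at <Spotfire Server Install>,
# the new password is in the environment variable SPOTFIRE_STOREPASS,
# and the keystores under tomcat\certs use the .jks extension.
param(
    [Parameter(Mandatory)] [string] $TssHome
)

if (-not $env:SPOTFIRE_STOREPASS) {
    throw 'Set SPOTFIRE_STOREPASS to the new keystore password first.'
}

$keytool = Join-Path $TssHome 'jdk\bin\keytool.exe'
$certDir = Join-Path $TssHome 'tomcat\certs'

# Build the list of stores to test: each .jks under tomcat\certs plus the JDK cacerts.
$targets = @(Get-ChildItem -Path $certDir -Filter *.jks -File | ForEach-Object {
    [pscustomobject]@{ Name = $_.FullName; KtArgs = @('-keystore', $_.FullName) }
})
$targets += [pscustomobject]@{ Name = 'JDK cacerts'; KtArgs = @('-cacerts') }

$failed = 0
foreach ($t in $targets) {
    # keytool -list exits non-zero when the store cannot be opened with the password.
    # '-storepass:env' makes keytool read the password from the named variable.
    & $keytool -list $t.KtArgs '-storepass:env' SPOTFIRE_STOREPASS *> $null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "OK    $($t.Name)"
    } else {
        Write-Host "FAIL  $($t.Name)  (password differs or store unreadable)"
        $failed++
    }
}

if ($failed -gt 0) {
    Write-Host "$failed store(s) do not open with the password in SPOTFIRE_STOREPASS."
    exit 1
}
Write-Host 'All stores open with the same password.'
```

Any store reported as FAIL would trigger one of the two errors shown above at server startup.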