To increase security, you can change the passwords of the vSphere Replication appliance keystore. If you copy the keystores from the appliance to another machine, you must change the passwords before the copy operation.

The keystore passwords might be stored in an access restricted configuration file. vSphere Replication has the following keystores:
  • /opt/vmware/hms/security/hms-keystore.jks, which contains the vSphere Replication appliance private key and certificate.
  • /opt/vmware/hms/security/hms-truststore.jks, which contains additional CA certificates besides the ones that Java already trusts.

Procedure

  1. To change the password for the hms-keystore.jks keystore, open the remote console of your vSphere Replication virtual machine and log in as root.
  2. Obtain the current keystore password.
    # /opt/vmware/hms/bin/hms-configtool -cmd list | grep keystore
    
    Example of the output hms-keystore-password = old_password
  3. Change the keystore password.
     # /usr/java/default/bin/keytool -storepasswd -storepass old_password -new new_password -keystore /opt/vmware/hms/security/hms-keystore.jks
  4. Change the vSphere Replication appliance private key password.
    The following command is a long, single command and must be run at once. There are breaks in the command for better visibility. Verify that the command returns a success message.
    # /usr/java/default/bin/keytool -keypasswd -alias jetty -keypass
    old_password -new new_password -storepass new_password -keystore
    /opt/vmware/hms/security/hms-keystore.jks
  5. Update the configuration with the new password.
    /opt/vmware/hms/bin/hms-configtool -cmd reconfig -property 'hms-keystore-password=new_password'
  6. Update the tomcat server.xml file with the new password.
    sed -i -- 's/old_password/new_password/g' /var/opt/apache-tomcat/conf/server.xml
  7. Reboot the appliance for the changes to take effect.
    # reboot
  8. Use a supported browser to log in to the vSphere Replication VAMI.
    The URL for the VAMI is https:// vr-appliance-address:5480.
  9. On the VR tab, click Configuration, and click Save and Restart Service.

What to do next

If you want to change the truststore passwords of the vSphere Replication appliance, see Change the Truststore Passwords of the vSphere Replication Appliance.