The story of the new vCD cell and the incorrect keystore password


Matthias Eisner


The starting situation explained: we have a VMware Cloud Director instance with three cell servers. One primary and two standby cells, from a database replication perspective. The cells were running version 10.2.0 and I wanted to upgrade vCD to the latest version, which is 10.3.2a.


Before starting the upgrade, I validated that all services were up and running and the whole vCD instance was healthy. I found out that one standby cell was not replicating the database anymore. No problem at all: I just followed VMware’s standard procedure, removing this standby cell from the instance first using the UI (for the vCD part) and second via the API (for the database part). That was the easy part.

As the next step, I deployed a new cell using the OVA with the same build number, powered it on, logged into VAMI and provided the NFS share. Still easy, and I felt happy about the ease of the whole process of replacing a failed cell. Now a nice error message popped up saying “incorrect keystore password” and the wizard was not able to add the cell to the instance. The error message popped up after the initial database replication part. From the beginning it was obvious that this was a vCD setup related issue.

Checking the log file provided in the error message (/opt/vmware/var/log/vcd/configure-vcd.log) also just showed the error message “incorrect keystore password”. I started comparing the password hashes in the on the NFS transfer share with the files on the different cells, tried using different Didn’t change the result, always received the same error message trying to add the new cell.

Checking the /opt/vmware/vcloud-director/logs/configure-2022-04-10-xxxx.log provided a new idea:

Cloud Director - configure.log

The last two lines in the log file show that the password to the local keystore is wrong, on what was a brand-new deployment. Reading a few KB articles showed that the initial keystore password seems to have a relationship with the root password provided during the OVA deployment; more precisely, it is the root password.

In the past, I replaced the initial self-signed certificates with proper ones, and during this change I changed the password for the keystore too. With no idea how to build the hash or encrypted value for the password in the file, I finally had an idea: I copied the certificate.ks file from a working cell to the new one and reran the wizard in the VAMI and voila, it worked perfectly fine. This solved my problem, because the hashed / encrypted password in the file matched the password configured on the keystore. Another advantage was that I didn’t have to import the certificates on the new cell, because they were already in the provided certificate.ks file.
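A pre-flight check for the mismatch described above, as an added example (not from the original post and not VMware code): it tests whether a candidate password opens a keystore file before the wizard is rerun. It assumes certificate.ks is a Java JKS/JCEKS keystore, which the post does not state; the function names are hypothetical and the keystore used for self-checking is constructed.

```python
import hashlib
import hmac
import struct
import sys
from getpass import getpass

# Magic numbers of the two classic Java keystore formats.
MAGICS = {0xFEEDFEED: "JKS", 0xCECECECE: "JCEKS"}
WHITENER = b"Mighty Aphrodite"  # fixed string Java mixes into the integrity hash
DIGEST_LEN = 20                 # SHA-1 digest appended to the end of the file


def integrity_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over password (UTF-16BE) + whitener + keystore body."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def keystore_password_matches(blob: bytes, password: str) -> bool:
    """True if `password` is the store password of this JKS/JCEKS blob.

    Only the store-level integrity check is verified, which is the check
    that fails with an incorrect keystore password; per-key passwords are
    not tested.
    """
    if len(blob) < 12 + DIGEST_LEN:
        raise ValueError("too short to be a JKS/JCEKS keystore")
    magic = struct.unpack(">I", blob[:4])[0]
    if magic not in MAGICS:
        raise ValueError("not a JKS/JCEKS keystore (PKCS#12 or PEM?)")
    body, stored = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    return hmac.compare_digest(integrity_digest(body, password), stored)


def make_empty_keystore(password: str, magic: int = 0xCECECECE) -> bytes:
    """Constructed sample: an empty version-2 keystore with zero entries."""
    body = struct.pack(">III", magic, 2, 0)
    return body + integrity_digest(body, password)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_ks.py <keystore file>")
    with open(sys.argv[1], "rb") as fh:
        ok = keystore_password_matches(fh.read(), getpass("Keystore password: "))
    print("password opens keystore" if ok else "incorrect keystore password")
    sys.exit(0 if ok else 1)
```

Running it against a copy of the keystore with both the OVA root password and the password set during the certificate replacement shows which of the two the file actually expects.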

Thanks for reading and I hope this helps.




