How to move TIBCO JasperReports® Server 7.5.0 encryption keystore files to a shared Linux folder

Problem

User has deployed TIBCO JasperReports^® Server 7.5.0 on a Linux server. By default, the server specific encryption key files are deployed under Linux Root directory. Due to server administration restrictions, non admin users are not allowed to access any components in Linux Root location. Therefore, when JasperReports^® Server 7.5.0 is started by a non admin user using root credential, the server startup will get an error caused by "KeystoreManager was never initialized or there are errors while instantiating the instance".  

Requriement

Users need to place the encryption keystore files to a shared Linux folder.

Solution 1

To plan ahead, user can deploy JasperReports Server 7.5.0 using WAR distribution package. In default_master.properties file, user can add the following two property settings to override the default directory:

ks=${KEYSTORE_PATH}
ksp=${KEYSTORE_PATH}

If user has a shared Linux folder such as /opt/keys/, then user should add the following to their default_master.properties file and run js-install script to redeploy JasperReports Server 7.5.0:

ks=/opt/keys
ksp=/opt/keys

For a redepolyment of a JRS WAR distribution, users also need to run the following ANT scripts to clean up keystore.init.properties in the buildomatic directory beofre running the js-install script.

js-ant clean-config
js-ant gen-config

If having a keystore.init.properties file directly under ..buildomatic directory, you need to delete it before running the installation. 

Solution 2

If not wanting to redeploy JasperReports Server 7.5 to meet this requirement, users can do the following to move already deployed keystore files from default Root folder to another shared location (such as /opt/keys/ folder) and reconfigure JasperReports Server 7.5.0 to recognize this new location to find and use its keys.

1.  Edit ../WEB-INF/classes/keystore.init.properties file and change the setting to point to shared folder. For example:

   ks=/opt/keys/
   ksp=/opt/keys/

2. Copy .jrsks (Java keystore) and .jrsksp (keystore properties) files from /Root to /opt/keys shared folder;

• Now the user should have two sets of these file pairs in both locations (/Root and /opt/keys). This is to ensure the user has a backup copy of the keystore files in the original location for system restore operation should the user mess up the manual procedure. Those two files must go together and synchronize with each other.  

1. Go to /opt/keys shared folder;
2. Make sure both files have the proper access permssion for the user who will start the server;
3. Do a Base64 decode to .jrsksp file. In our case, we used the following Linux command:

   cat ~/.jrsksp | openssl base64 -d
   
   

    

4. Edit the decoded .jrsksp file, locate ksPath setting, and change it from ksPath=/root/.jrsks to ksPath=/opt/keys/.jrsks
5. Save the change;
6. Use the following command to encode the file content

   base64 .jrsksp
   
   

    

7. Stop Tomcat;
8. Clean up work and temp folders under /apache-tomcat (this is not mandatory but it is always a good practice);
9. Start up Tomcat
10. Login to this JasperReports Server instance from a web browser and test the web application.

In addition, users need to configure related files under buildomatic directory if they need to run import/export utilities from commandline. For example: 

C:Jaspersoftjasperreports-server-7.5.0buildomaticconf_sourceieProkeystore.init.properties

TTC-20200330-1853218