IBM Support

Failed to start IBM Resilient due to the error "Keystore was tampered with, or password was incorrect"

How To


Summary

Failed to start IBM Resilient due to the error "Keystore was tampered with, or password was incorrect"

Steps

Symptom

After restarting the Resilient server, the web client cannot be accessed.

The server log "/usr/share/co3/logs/client.log" contains the following error:

Exception starting filter Co3ServletFilter
java.lang.RuntimeException: java.lang.RuntimeException: java.io.IOException: Keystore was tampered with, or password was incorrect
...
Caused by: java.security.UnrecoverableKeyException: Password verification failed

The following errors may also be observed in "/var/log/resilient-email.log":

[main] ERROR v=unknown  c.resilient.email.EmailServerDaemon - Failed to initialise Resilient Email daemon.
[main] ERROR v=unknown  c.i.r.camelservice.CamelService - Failed to load keystore file /crypt/certs/keystore

Cause

The password of the default keystore (which is under /crypt/certs) does not match the keyvault password stored for the "keystore" secret. To start the Resilient server, the two passwords have to be in sync.
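The error names both tampering and a wrong password because the JDK's JKS keystore format uses a single check for both: the file ends with a SHA-1 digest computed over the store password, a fixed string, and the keystore contents. The Python below is an added example, not IBM's code; it assumes the keystore is in JKS format (the two exception messages in the log are the ones the JDK's JKS provider emits), and the function names and the sample keystore are constructed for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED            # first four bytes of a JKS file
WHITENER = b"Mighty Aphrodite"    # fixed string the JDK mixes into the digest
DIGEST_LEN = 20                   # SHA-1 output size


def _store_digest(password: str, body: bytes) -> bytes:
    # The JDK feeds each password char as two bytes (UTF-16BE), then the
    # whitener, then every keystore byte that precedes the trailing digest.
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(WHITENER)
    h.update(body)
    return h.digest()


def check_keystore(data: bytes, password: str) -> str:
    """Return 'ok', 'mismatch' (wrong password OR modified file) or 'not-jks'."""
    if len(data) < 12 + DIGEST_LEN:
        return "not-jks"
    magic, _version, _count = struct.unpack(">III", data[:12])
    if magic != JKS_MAGIC:
        return "not-jks"
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    if hmac.compare_digest(_store_digest(password, body), stored):
        return "ok"
    # The digest cannot tell a wrong password from altered contents,
    # which is why the Java error message names both possibilities.
    return "mismatch"


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a JKS file (version 2) with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + _store_digest(password, body)


if __name__ == "__main__":
    sample = build_empty_jks("vault-secret")           # constructed password
    print(check_keystore(sample, "vault-secret"))      # matching password
    print(check_keystore(sample, "something-else"))    # out-of-sync password
```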

Solution

If you do not know the current keystore password you can follow the steps below to create a new keystore.

1. Rename the file "/crypt/certs/keystore" to "/crypt/certs/keystore.old" as a backup.

2. Create a new self-signed certificate using the command:

sudo keytool -genkeypair -alias co3 -keyalg rsa -validity 3650 -keysize 2048 -sigalg sha256withrsa -storepass "$(sudo resutil keyvaultget -name keystore)" -keypass "$(sudo resutil keyvaultget -name keystore)" -keystore /crypt/certs/keystore

Your circumstances might require values that differ from the values in the example command.

3. Verify that the passwords for the keyvault and the keystore are the same with the command:

sudo keytool -list -v -keystore /crypt/certs/keystore -storepass "$(sudo resutil keyvaultget -name keystore)"

The command should return one entry with alias name "co3".

4. Restart the IBM Resilient service:

sudo systemctl restart resilient

If you are on IBM Resilient v32 or a higher version, you also need to restart the resilient-messaging service:

sudo systemctl restart resilient-messaging

Document Location

Worldwide

Document Information

Modified date:
17 August 2021

UID

ibm11160152