Thursday, July 4, 2013

com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte

When enrolling a domain, I get com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte (see Oracle Doc ID 1505142.1).

This is the stack trace:
weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:136)
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:169)
        at weblogic.security.internal.encryption.ClearOrEncryptedService.decryptBytes(ClearOrEncryptedService.java:126)
        at weblogic.management.scripting.NodeManagerService.decrypt(NodeManagerService.java:285)
        at weblogic.management.scripting.NodeManagerService.nmEnrollMachine(NodeManagerService.java:311)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.python.core.PyReflectedFunction.__call__(Unknown Source)
        at org.python.core.PyMethod.__call__(Unknown Source)
        at org.python.core.PyObject.__call__(Unknown Source)
        at org.python.core.PyInstance.invoke(Unknown Source)
        at org.python.pycode._pyx76.nmEnroll$89(:1443)

In fact, even when I start the admin I get a similar exception:

 com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
        at com.rsa.jsafe.c.a(Unknown Source)
        at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:124)
        at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:184)
        at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:173)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
        at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
        at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:1092)
        at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential(SecurityConfigurationMBeanImpl.java:736)
        at weblogic.security.internal.ServerPrincipalValidatorImpl.getSecret(ServerPrincipalValidatorImpl.java:88)
        at weblogic.security.internal.ServerPrincipalValidatorImpl.sign(ServerPrincipalValidatorImpl.java:67)
        at weblogic.security.service.PrivilegedActions$SignPrincipalAction.run(PrivilegedActions.java:62)
        at java.security.AccessController.doPrivileged(Native Method)
        at weblogic.security.service.SecurityServiceManager.createServerID(SecurityServiceManager.java:1096)
        at weblogic.security.service.SecurityServiceManager.getServerID(SecurityServiceManager.java:1109)
        at weblogic.security.service.SecurityServiceManager.sendASToWire(SecurityServiceManager.java:600)
        at weblogic.server.channels.ChannelService.resetQOS(ChannelService.java:286)
        at weblogic.server.channels.ChannelService.start(ChannelService.java:252)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)

The Oracle doc explains it thus: "This exception could be thrown when the key WLS is using to decrypt is different from that used to encrypt it in the first place." (?????)
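Oracle's explanation is exactly what a PKCS#7 unpadding check reports: decrypting with the wrong key yields pseudo-random bytes, and the last block then almost never ends in a valid pad pattern. The example below is added here (it is not from the post or from Oracle's code) and mirrors that check in Python; the real block cipher is replaced by an HMAC-SHA256 keystream purely so it runs on the standard library, and the key sizes and plaintext are constructed values.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size the padding fills (AES-style CBC; 3DES would be 8)

class PaddingError(ValueError):
    pass  # stands in for com.rsa.jsafe.JSAFE_PaddingException

def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # always 1..BLOCK bytes of padding
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    # The check behind "invalid pad byte": the last byte n must be in
    # 1..BLOCK and the last n bytes must all equal n.
    n = data[-1] if data and len(data) % BLOCK == 0 else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("Could not perform unpadding: invalid pad byte")
    return data[:-n]

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    # Stand-in for the real block cipher (HMAC-SHA256 in counter mode) so the
    # example runs on the standard library; the unpadding step is real PKCS#7.
    blocks = (hmac.new(key, iv + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    iv, padded = os.urandom(BLOCK), pkcs7_pad(plaintext)
    return iv + bytes(a ^ b for a, b in zip(padded, _keystream(key, iv, len(padded))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    iv, body = blob[:BLOCK], blob[BLOCK:]
    return pkcs7_unpad(bytes(a ^ b for a, b in zip(body, _keystream(key, iv, len(body)))))

def try_decrypt(key: bytes, blob: bytes):
    """Return ("ok", plaintext) or ("padding_error", message), as WLS reports it."""
    try:
        return ("ok", decrypt(key, blob))
    except PaddingError as e:
        return ("padding_error", str(e))

def wrong_key_accept_rate(trials: int = 2000) -> float:
    """Fraction of random wrong keys whose garbage still passes the pad check (~1/256)."""
    blob = encrypt(os.urandom(32), b"constructed-node-manager-password")
    return sum(try_decrypt(os.urandom(32), blob)[0] == "ok" for _ in range(trials)) / trials
```

The accept-rate function shows the other face of the same symptom: roughly one wrong key in 256 slips past the pad check and hands back garbage instead of an exception, so a key mismatch does not always announce itself.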

As suggested, I removed the password from config.xml, but then I got:

<BEA-000362> <Server failed. Reason: [Management:141266]Parsing Failure in config.xml: java.lang.IllegalArgumentException: In production mode, it's not allowed to set a clear text value to the property: NodeManagerPasswordEncrypted of SecurityConfigurationMBean>

After many hours I discovered that the WLS servers were configured to use a non-existent JKS keystore file. Instead of refusing to create the domain (as I would prefer), WebLogic probably writes the encoded passwords in some other funny way. No clue really. Anyway, setting the right JKS solved the problem.
