ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
PIM Pwextractor error: Could not perform unpadding: invalid pad byte
Article ID: 109691
Updated On:
Products
CA Virtual Privilege Manager
CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager (PAM)
Issue/Introduction
When trying to return cleartext passwords from the pwextractor utility in PIM an error like the one below is received. Even though the utility continues on and claims to successfully complete. When reviewing the output file it only contains the CSV style header information and no information about accounts.
Sample Error:
Sample file contents:
Sample Error:
Starting passwords extraction for ACCOUNT_PASSWORD...... 2018-08-02 16:14:58,021 (com.netegrity.crypto.AESCBCPKCS5PaddingHandler) ERROR - Exception caught while encrypting. 2018-08-02 16:14:58,023 (com.netegrity.crypto.AESCBCPKCS5PaddingHandler) ERROR - ; com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid p ad byte. Successfully completed password extraction to file is: c:\production_accounts_pa sswd Signed file successfully to c:\production_accounts_passwd.sig Press any key to continue . . .
Sample file contents:
%[email protected]!~CLEAR_TEXT% %[email protected][email protected]!~PASSWORD_LAST_MODIFIED_DATE
Cause
The problem here is related to the password decryption.This error is usually caused by using the incorrect KIPSkey.dat file when running the pwextractor command. It may also be caused by attempting to use a corrupted FIPSkey.dat file.
Environment
Any PIM version
Resolution
To resolve this issue you need to make sure you are using the correct FIPSkey.dat.
- Check to ensure you are connecting to the correct database.
- Check to ensure you are running the command from the correct host.
- If you have a Load Balancing ENTM server set up you can try using the key from there.
- If you have a backup of the key or host then you can try recovering the key from the backup.
Additional Information
PWEXTRACTOR documentation:
https://docops.ca.com/ca-privileged-identity-manager/12-9-01/EN/reference/reference-guide/pwextractor-utility-extract-privileged-account-passwords
https://docops.ca.com/ca-privileged-identity-manager/12-9-01/EN/reference/reference-guide/pwextractor-utility-extract-privileged-account-passwords
Feedback
Yes
No
Powered by
