CustomConnector -TCFPropertySource.getProperty Error retrieving password

Article ID: 191896

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Tomcat fails to start during the custom connector setup, with the following errors in the Tomcat log:

28-May-2020 22:57:38.985 INFO [Thread-7] org.apache.coyote.AbstractProtocol.destroy Destroying ProtocolHandler ["http-nio-127.0.0.1-18080"]
28-May-2020 22:57:50.832 SEVERE [main] com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource.getProperty Error retrieving password
 java.lang.NullPointerException
  at com.ca.pam.extensions.tcfcryptoutil.util.ObfuscateTCF.unObfuscate(ObfuscateTCF.java:61)
  at com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource.getProperty(TCFPropertySource.java:58)
  at org.apache.tomcat.util.IntrospectionUtils.getProperty(IntrospectionUtils.java:317)
  at org.apache.tomcat.util.IntrospectionUtils.replaceProperties(IntrospectionUtils.java:282)
  at org.apache.tomcat.util.digester.Digester.updateAttributes(Digester.java:1967)
  at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1186)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(Unknown Source)
  at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(Unknown Source)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(Unknown Source)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(Unknown Source)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(Unknown Source)
  at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
  at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(Unknown Source)
  at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(Unknown Source)
  at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(Unknown Source)
  at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
  at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1478)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)

...

28-May-2020 22:57:54.925 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1041)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
  at java.lang.reflect.Method.invoke(Unknown Source)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
 Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
  at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
  at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
  at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:1038)
  ... 13 more
 Caused by: java.io.IOException: keystore password was incorrect
  at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
  at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source)
  at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
  at java.security.KeyStore.load(Unknown Source)
  at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
  at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
  at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
  at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
  at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
  ... 20 more
 Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
  ... 30 more

Cause

The failure is the result of Tomcat being unable to obtain the password for the keystore, or for the key pair used for HTTPS, from the encrypted property.

Environment

Release : 3.3

Component : PRIVILEGED ACCESS MANAGEMENT

Resolution

Before proceeding, ensure that you are using a 64-bit JDK for the initial deployment tests.

There are two places to check.

1. catalina.properties and the encrypted password.

Ensure the encrypted password is set correctly.
The encrypted password is the output of the configTCF command.

For example:
C:\customconnector8\configTCF>configTCF.cmd -Dcommand=encryptPassword -Dpassword=password
May 31, 2020 4:58:07 PM com.ca.pam.extensions.tcfcryptoutil.util.ObfuscateTCF obfuscate
INFO: Encrypted string is: 0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=
Encrypted password is: 0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=

The catalina.properties file needs the following lines appended to it.

org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource
tomcat.keystore.pwd=0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=

2. server.xml with the absolute file path to the Java keystore.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" xpoweredBy="false" sslProtocol="TLS" clientAuth="false" keystorePass="${tomcat.keystore.pwd}" keystoreFile="C:\keystore\customconnector.jks" SSLEnabled="true" secure="true" scheme="https" maxThreads="200"/>
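The following check ties the two places together: it reads catalina.properties and server.xml, confirms that PROPERTY_SOURCE points at TCFPropertySource, that the keystorePass placeholder names a property that is defined and non-empty (the NullPointerException in ObfuscateTCF.unObfuscate above is what an empty value produces), and that keystoreFile is absolute. This is an added example, not Broadcom/CA code; it does not decrypt the password, and the sample inputs are constructed from the fragments in this article.

```python
import re
import xml.etree.ElementTree as ET

PROPERTY_SOURCE_KEY = "org.apache.tomcat.util.digester.PROPERTY_SOURCE"
TCF_SOURCE = "com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource"
PLACEHOLDER = re.compile(r"^\$\{([^}]+)\}$")   # e.g. ${tomcat.keystore.pwd}
ABSOLUTE = re.compile(r"^([A-Za-z]:[\\/]|/)")   # Windows drive root or POSIX root

def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, comment lines skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props

def check_tls_connector(props_text, server_xml):
    """Return findings for every SSLEnabled Connector; [] means the wiring is consistent."""
    findings = []
    props = parse_properties(props_text)
    if props.get(PROPERTY_SOURCE_KEY) != TCF_SOURCE:
        findings.append("PROPERTY_SOURCE is not set to TCFPropertySource")
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        match = PLACEHOLDER.match(conn.get("keystorePass", ""))
        if not match:
            findings.append("keystorePass is not a ${...} property placeholder")
        elif not props.get(match.group(1)):
            findings.append("property %s is missing or empty" % match.group(1))
        if not ABSOLUTE.match(conn.get("keystoreFile", "")):
            findings.append("keystoreFile is not an absolute path")
    return findings

# Constructed sample inputs: the article's two fragments, wrapped so the XML parses.
GOOD_PROPS = (
    "org.apache.tomcat.util.digester.PROPERTY_SOURCE="
    "com.ca.pam.extensions.tcfcryptoutil.TCFPropertySource\n"
    "tomcat.keystore.pwd=0nzl74MIycVng9uz4fZbbmz495zSNbRHb7HqQCxjnUQ=\n"
)
BAD_PROPS = "org.apache.tomcat.util.digester.PROPERTY_SOURCE=" + TCF_SOURCE + "\n"
SERVER_XML = (
    '<Server><Service><Connector port="8443" SSLEnabled="true" scheme="https" '
    'keystorePass="${tomcat.keystore.pwd}" keystoreFile="C:\\keystore\\customconnector.jks"/>'
    "</Service></Server>"
)
```

Run check_tls_connector against the real files before restarting Tomcat; an empty list means both places match the article's two steps.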


Side note:
If Tomcat was configured with a 32-bit JDK and the JDK was later replaced with a 64-bit one, it is recommended to re-install Tomcat.
The Tomcat service configures itself to match the bit-level of the JDK that was present at installation time, and it does not seem to work once the JDK bit-level changes.
This applies to the Tomcat installer for Windows.