Custom Connector Server is not reading Encryption Key from keystore

Article ID: 216335


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

On Tomcat startup, the logs show that the encryption key cannot be found, and when a test is initiated from the PAM client, the Tomcat logs show the "Encryption Key cannot be null" error.

I've already confirmed that the keystore was generated properly using the configTCF command and that the key copied from the PAM client is the same as well.

28-May-2021 15:02:16.426 SEVERE [main] com.ca.pam.extensions.tcfcryptoutil.util.WindowsRegistry.readRegistry Exception while gettng registry entry: Cannot run program "reg": CreateProcess error=5, Access is denied
28-May-2021 15:02:16.426 SEVERE [main] com.ca.pam.extensions.framework.util.ExtensionEncryption.decryptKeyStorePassword Error decrypting password: null
28-May-2021 15:02:16.426 INFO [main] com.ca.pam.extensions.framework.util.ExtensionEncryption.retrieveEncryptionKey Retrieve the encryption key
28-May-2021 15:02:16.442 SEVERE [main] com.ca.pam.extensions.framework.util.ExtensionEncryption.init Encryption Key does not exist

28-May-2021 15:59:12.740 SEVERE [https-jsse-nio-8443-exec-4] com.ca.pam.extensions.tcfcryptoutil.util.WindowsRegistry.readRegistry Exception while gettng registry entry: Cannot run program "reg": CreateProcess error=5, Access is denied
28-May-2021 15:59:12.740 SEVERE [https-jsse-nio-8443-exec-4] com.ca.pam.extensions.framework.util.ExtensionEncryption.decryptKeyStorePassword [b9e52b50-a107-4090-a6e1-46acf04fd9ba] [PAMTargetConnector] Error decrypting password: null
28-May-2021 15:59:12.740 INFO [https-jsse-nio-8443-exec-4] com.ca.pam.extensions.framework.util.ExtensionEncryption.retrieveEncryptionKey Retrieve the encryption key
28-May-2021 15:59:12.990 SEVERE [https-jsse-nio-8443-exec-4] com.ca.pam.extensions.framework.util.ExtensionAuthenticationFilter.validateAuthToken [b9e52b50-a107-4090-a6e1-46acf04fd9ba] [PAMTargetConnector] Authorization header cannot be decrypted: 
 org.jose4j.lang.InvalidKeyException: The key must not be null.
  at org.jose4j.jwx.KeyValidationSupport.notNull(KeyValidationSupport.java:72)

Environment

Release : 3.4

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

This issue had two causes:

1. The keystore path in the extension_framework.properties file was not formatted properly (in a Java properties file a single backslash is an escape character, so the unescaped path below is not read as written):

extension.keystore.file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\tcf\KeyStore

2. The Tomcat service was started as localhost, which does not have the access the crypto library requires to read the registry:

com.ca.pam.extensions.tcfcryptoutil.util.WindowsRegistry.readRegistry Exception while gettng registry entry: Cannot run program "reg": CreateProcess error=5, Access is denied

Resolution

The steps to resolve the issue were:

1. Update the extension_framework.properties file as follows, adding the required second "\" so that every backslash in the path is escaped:

extension.keystore.file=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\tcf\\KeyStore
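As an added example (not CA PAM's own code), the following Python re-implements the escape rules that java.util.Properties.load applies to a value, decodes the extension.keystore.file entry from both the broken and the corrected line above, and reports whether the decoded path contains a control character or does not exist on disk; it assumes the simple key=value form of the file.

```python
import os

SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}  # escapes Java turns into control chars


def decode_properties_value(raw: str) -> str:
    """Decode as java.util.Properties.load does: \\t \\n \\r \\f -> control chars,
    \\uXXXX -> Unicode char, \\\\ -> one backslash, any other \\X -> X ("\\P" -> "P")."""
    out, i = [], 0
    while i < len(raw):
        if raw[i] != "\\":
            out.append(raw[i])
            i += 1
            continue
        i += 1
        if i >= len(raw):  # a trailing backslash is simply dropped
            break
        esc = raw[i]
        if esc == "u":
            digits = raw[i + 1:i + 5]
            if len(digits) != 4 or any(c not in "0123456789abcdefABCDEF" for c in digits):
                raise ValueError("Malformed \\uxxxx encoding.")
            out.append(chr(int(digits, 16)))
            i += 5
            continue
        out.append(SIMPLE_ESCAPES.get(esc, esc))
        i += 1
    return "".join(out)


def keystore_path_from_properties(text, key="extension.keystore.file"):
    """Decoded value of `key`, or None. Handles key=value lines only (assumption)."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return decode_properties_value(value.strip())
    return None


def check_keystore_setting(text):
    """Flag what explains 'Encryption Key does not exist': a control character in the
    decoded path (here "\\tcf" became a tab) or no file at the decoded path."""
    path = keystore_path_from_properties(text)
    control = path is not None and any(ord(c) < 32 for c in path)
    exists = path is not None and os.path.isfile(path)
    return {"decoded_path": path, "control_chars": control, "exists": exists}


# Constructed samples: the broken and the corrected line from this article.
BROKEN = r"extension.keystore.file=C:\Program Files\Apache Software Foundation\Tomcat 9.0\tcf\KeyStore"
FIXED = r"extension.keystore.file=C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\tcf\\KeyStore"
```

Running check_keystore_setting on BROKEN shows the path collapsing to "C:Program Files...Tomcat 9.0<TAB>cfKeyStore", which is why the keystore is never found.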

2. Start the Tomcat service using a local administrative user.