Error finalising cipher data: pad block corrupted in Helm AuthHub

Article ID: 254986

Products

VIP Authentication Hub

Issue/Introduction


When running the Helm command to install AuthHub, the command does not complete and produces these errors:

# helm install "ssp" -n sspdev "ssp_helm_charts/ssp" --set ssp.ingress.host="ssp.mypoc" --set ssp.ingress.tls.secretName=ssp-general-tls --set ssp.global.ssp.registry.existingSecrets[0].name=ssp-registrypullsecret --set hazelcast-enterprise.image.pullSecrets[0]=ssp-registrypullsecret --set ssp.db.serviceHost=mysql.mysql.database.azure.com --set ssp.db.servicePort=3306 --set ssp.db.name=myserver --set ssp.db.user="myserver" --set ssp.db.password="password" --set ssp.db.sslMode=REQUIRED --set ssp.global.securityContext.fsGroup=$((SSP_FSGROUP)) --set ssp.global.securityContext.runAsGroup=$((SSP_GID)) --set ssp.global.securityContext.runAsUser=$((SSP_UID)) --set hazelcast-enterprise.securityContext.fsGroup=${SSP_FSGROUP} --set hazelcast-enterprise.securityContext.runAsGroup=${SSP_GID} --set hazelcast-enterprise.securityContext.runAsUser=${SSP_UID} --set ssp.deployment.size="demo" --set hazelcast-enterprise.cluster.memberCount=1

  {"timestamp":"2022-11-23T12:13:17.647159Z","type":"log","level":"info","thread":"main","msg":"Client with the name:SSP already exist. Skip creation and AZpolicy updation"}
  {"timestamp":"2022-11-23T12:13:17.674941Z","type":"log","level":"error","thread":"main","msg":"Error while decrypting data using Master Encryption Key. Message 'org.bouncycastle.crypto.InvalidCipherTextException: Error finalising cipher data: pad block corrupted'."}
  {"timestamp":"2022-11-23T12:13:17.675316Z","type":"log","level":"error","thread":"main","msg":"Unable to decrypt Tenant key"}
  {"timestamp":"2022-11-23T12:13:17.675809Z","type":"log","level":"fatal","thread":"main","msg":"Failed initialization. Exception 'null'. Unable to continue. Stack trace '[java.base/java.lang.String.<init>(String.java:614), com.broadcom.layer7authentication.admin.service.SystemTenantInitializer.initInfraClientData(SystemTenantInitializer.java:306), com.broadcom.layer7authentication.admin.service.SystemTenantInitializer.doInit(SystemTenantInitializer.java:136), com.broadcom.layer7authentication.admin.service.GlobalBootStrapDataInitializer.doInit(GlobalBootStrapDataInitializer.java:104), com.broadcom.layer7authentication.admin.service.SecurityBootStrapService.initialize(SecurityBootStrapService.java:37), com.broadcom.layer7authentication.admin.service.SecurityBootStrap.onApplicationEvent(SecurityBootStrap.java:180), com.broadcom.layer7authentication.admin.service.SecurityBootStrap.onApplicationEvent(SecurityBootStrap.java:43), org.springframework.context.event.SimpleApplicationEventMulticaster.doInvokeListener...
  {"timestamp":"2022-11-23T12:13:17.678026Z","type":"log","level":"info","thread":"hz.ShutdownThread","msg":"[10.100.2.132]:7105 [dev] [5.1.2] Running shutdown hook... Current state: ACTIVE"}
  {"timestamp":"2022-11-23T12:13:18.056026Z","type":"log","level":"info","thread":"SpringApplicationShutdownHook","msg":"Closing JPA EntityManagerFactory for persistence unit 'default'"}

and

  I1123 12:09:23.017575   12926 request.go:665] Waited for 1.127024923s due to client-side throttling, not priority and fairness, request: GET:https://api.mypoc.myserver.mydomain.io:6443/apis/helm.openshift.io/v1beta1?timeout=32s
  W1123 12:09:26.639946   12926 warnings.go:70] policy/v1beta1 PodDisruptionBudget is deprecated in v1.21+, unavailable in v1.25+; use policy/v1 PodDisruptionBudget
  W1123 12:09:27.997111   12926 warnings.go:70] autoscaling/v2beta2 HorizontalPodAutoscaler is deprecated in v1.23+, unavailable in v1.26+; use autoscaling/v2 HorizontalPodAutoscaler
  W1123 12:09:28.055069   12926 warnings.go:70] autoscaling/v2beta2 HorizontalPodAutoscaler is deprecated in v1.23+, unavailable in v1.26+; use autoscaling/v2 HorizontalPodAutoscaler


Cause


At first glance, the error messages suggest that the installation is running against an already existing database:

  {"timestamp":"2022-11-23T12:13:17.674941Z","type":"log","level":"error","thread":"main","msg":"Error while decrypting data using Master Encryption Key. Message 'org.bouncycastle.crypto.InvalidCipherTextException: Error finalising cipher data: pad block corrupted'."}
  {"timestamp":"2022-11-23T12:13:17.675316Z","type":"log","level":"error","thread":"main","msg":"Unable to decrypt Tenant key"}

This may not be the first installation attempt, and an existing database is in use.

According to the documentation, the Master Encryption Key (MEK) is a prerequisite (1).
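The following Go example is added here and is not part of this article or of the AuthHub product code. It reproduces the failure mode behind the log line: a tenant key wrapped with AES-256-CBC and PKCS#7 padding under one MEK is unwrapped with a different MEK, and the padding check fails, which is the condition BouncyCastle reports as "pad block corrupted". The keys, the fixed IV and the CBC/PKCS#7 layout are assumptions chosen for illustration, not AuthHub's actual scheme.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed sample keys (not real AuthHub material): the MEK that wrapped the
// tenant key, and a different MEK such as a fresh install would generate.
var dbMEK = []byte("mek-that-encrypted-the-database!")    // 32 bytes -> AES-256
var wrongMEK = []byte("mek-from-a-fresh-helm-install-!!") // 32 bytes -> AES-256
var iv = []byte("0123456789abcdef")                       // fixed IV: deterministic demo only

// cbc runs AES-CBC in one direction (newMode picks encrypt or decrypt) over non-empty, block-aligned data.
func cbc(key, data []byte, newMode func(cipher.Block, []byte) cipher.BlockMode) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("bad key size or input not block aligned")
	}
	out := make([]byte, len(data))
	newMode(block, iv).CryptBlocks(out, data)
	return out, nil
}

// WrapTenantKey encrypts a tenant key under the MEK with PKCS#7 padding.
func WrapTenantKey(mek, tenantKey []byte) ([]byte, error) {
	n := aes.BlockSize - len(tenantKey)%aes.BlockSize
	return cbc(mek, append(append([]byte(nil), tenantKey...), bytes.Repeat([]byte{byte(n)}, n)...), cipher.NewCBCEncrypter)
}

// UnwrapTenantKey decrypts and validates the padding; a wrong MEK leaves random bytes in the last block.
func UnwrapTenantKey(mek, wrapped []byte) ([]byte, error) {
	plain, err := cbc(mek, wrapped, cipher.NewCBCDecrypter)
	if err != nil {
		return nil, err
	}
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("pad block corrupted") // the condition BouncyCastle logs under this name
	}
	return plain[:len(plain)-n], nil
}

func main() {
	wrapped, _ := WrapTenantKey(dbMEK, []byte("tenant-key-for-client-SSP"))
	fmt.Println(UnwrapTenantKey(wrongMEK, wrapped))
}
```

The padding check rejects a mismatched MEK with overwhelming probability rather than certainty, so on rare occasions a wrong key surfaces as garbage plaintext instead of this error.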


Resolution


Use the MEK of the existing database when deploying, by pointing the Helm install at the Kubernetes Secret that contains it (2).


Additional Information


(1)

    Prerequisites

      The Master Encryption Key is a prerequisite for the deployment of VIP
      Authentication Hub. See Master Encryption Key section

    

(2)
    
    Deploying VIP Authentication Hub

      New deployment with existing database

      The MEK is the key to unlock the Authentication Hub database. If you
      are pointing to a replicated instance of an existing Authentication
      Hub database or restoring an existing database from a backup, ensure
      to use that database's MEK.

      [...omitted for brevity...]

      2. Create a new Authentication Hub deployment, pointing to the
      database of the existing deployment and to the MEK secret
      created in the previous step, by adding the following parameter
      to the Authentication Hub helm chart install command:

        --set ssp.keys.mek.existingSecret="<name of the Kubernetes Secret containing MEK.key>"

      [...omitted for brevity...]

      3. Deploy the VIP Authentication Hub Helm (ssp) chart.

      [...omitted for brevity...]

      At this point, it is important to create a backup of the MEK which
      has been used during the deployment of Authentication Hub because it
      is the only key that can be used to decrypt the solution's encrypted
      data stored in the Authentication Hub database. See Backing-up and
      Restoring the MEK section.