
Error in SSO logs after updating NetOps Portal certificate and private key


Article ID: 257478


Products

CA Performance Management - Usage and Administration DX NetOps

Issue/Introduction

After updating the NetOps Portal certificate and private key and restarting the services, the following error appears in SsoConfig.log:

java.security.PrivilegedActionException: null
    at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
    at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1857) [jetty-xml-9.4.40.v20210413.jar:9.4.40.v20210413]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
    at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
    at org.eclipse.jetty.start.Main.invokeMain(Main.java:218) [start.jar:9.4.40.v20210413]
    at org.eclipse.jetty.start.Main.start(Main.java:491) [start.jar:9.4.40.v20210413]
    at org.eclipse.jetty.start.Main.main(Main.java:77) [start.jar:9.4.40.v20210413]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source) ~[?:?]
    at java.lang.reflect.Method.invoke(Unknown Source) ~[?:?]
    at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:349) [wrapper.jar:3.5.45]
    at java.lang.Thread.run(Unknown Source) [?:?]
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[?:?]
    at sun.security.util.KeyStoreDelegator.engineGetKey(Unknown Source) ~[?:?]
    at java.security.KeyStore.getKey(Unknown Source) ~[?:?]
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source) ~[?:?]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source) ~[?:?]
    at javax.net.ssl.KeyManagerFactory.init(Unknown Source) ~[?:?]
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1243) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2267) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.Server.doStart(Server.java:401) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$3(XmlConfiguration.java:1907) ~[jetty-xml-9.4.40.v20210413.jar:9.4.40.v20210413]
    ... 15 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
    at com.sun.crypto.provider.CipherCore.unpad(Unknown Source) ~[?:?]
    at com.sun.crypto.provider.CipherCore.fillOutputBuffer(Unknown Source) ~[?:?]
    at com.sun.crypto.provider.CipherCore.doFinal(Unknown Source) ~[?:?]
    at com.sun.crypto.provider.PBES2Core.engineDoFinal(Unknown Source) ~[?:?]
    at javax.crypto.Cipher.doFinal(Unknown Source) ~[?:?]
    at sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(Unknown Source) ~[?:?]
    at sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(Unknown Source) ~[?:?]
    at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(Unknown Source) ~[?:?]
    at sun.security.util.KeyStoreDelegator.engineGetKey(Unknown Source) ~[?:?]
    at java.security.KeyStore.getKey(Unknown Source) ~[?:?]
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source) ~[?:?]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source) ~[?:?]
    at javax.net.ssl.KeyManagerFactory.init(Unknown Source) ~[?:?]
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1243) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2267) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.server.Server.doStart(Server.java:401) ~[jetty-server-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.40.v20210413.jar:9.4.40.v20210413]
    at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$3(XmlConfiguration.java:1907) ~[jetty-xml-9.4.40.v20210413.jar:9.4.40.v20210413]
    ... 15 more
INFO  | main                     | 2023-01-10 11:29:17,502 | org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean 
      | Creating Service {http://netqos.com/SingleSignOnWS}SingleSignOnWSSoapService from class com.netqos.singlesignonws.SingleSignOnWSSoap

Environment

Release : 22.2

Cause

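In the PORTAL_HOME/sso/start.d/ssl.ini file, the private key password (jetty.sslContext.keyManagerPassword) is incorrect, so the keystore opens but the private key inside it cannot be decrypted: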

# SSL
# define the port to use for secure redirection
jetty.ssl.port=8382
jetty.https.port=8382
jetty.httpConfig.securePort=8382
# Setup a keystore and truststore
jetty.sslContext.keyStoreType=JKS
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
# Setup passwords
jetty.sslContext.keyStorePassword=goodpassword
jetty.sslContext.keyManagerPassword=badpassword
jetty.sslContext.trustStorePassword=goodpassword

Resolution

Correct the private key password in the PORTAL_HOME/sso/start.d/ssl.ini file and restart the NetOps Portal services.
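
A pre-restart check for the correction above, as an added example (not from the original article or the product): it loads the keystore named in ssl.ini and tries to decrypt each private key with jetty.sslContext.keyManagerPassword, the same KeyStore.getKey call that fails in the stack trace. It assumes plain-text passwords in ssl.ini as in the sample above; the class name CheckSslIni and both command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;
import java.util.Properties;

// Added example: verifies the ssl.ini passwords against the keystore offline.
public class CheckSslIni {
    public static void main(String[] args) throws Exception {
        // args[0]: path to ssl.ini
        // args[1]: directory that jetty.sslContext.keyStorePath is relative to (supplied by the caller)
        Path ini = Paths.get(args[0]);
        Path base = Paths.get(args[1]);

        Properties p = new Properties();
        try (InputStream in = new FileInputStream(ini.toFile())) {
            p.load(in); // key=value lines, '#' starts a comment
        }
        String type = p.getProperty("jetty.sslContext.keyStoreType", KeyStore.getDefaultType());
        String storePw = p.getProperty("jetty.sslContext.keyStorePassword", "");
        // Falling back to the store password when no key password is set is this example's choice.
        String keyPw = p.getProperty("jetty.sslContext.keyManagerPassword", storePw);
        Path storePath = base.resolve(p.getProperty("jetty.sslContext.keyStorePath"));

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(storePath.toFile())) {
            ks.load(in, storePw.toCharArray()); // throws IOException if keyStorePassword is wrong
        }

        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no private key
            }
            try {
                ks.getKey(alias, keyPw.toCharArray()); // decrypts the key with keyManagerPassword
                System.out.println("OK    " + alias);
            } catch (UnrecoverableKeyException e) {
                failures++;
                System.out.println("FAIL  " + alias + ": " + e.getMessage());
            }
        }
        System.exit(failures == 0 ? 0 : 1); // non-zero exit: do not restart yet
    }
}
```

The program prints aliases and exception messages only, never the passwords, so its output can be attached to a change ticket.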

Additional Information

Refer to 'step 3' of "Update Single Sign-On Configuration and Restart the Services" in the NetOps Performance Management documentation.