Bouncycastle error in Non Fips enabled for Cipher RC2128CBCPKCS5PaddingHandler flooding the server.log

Article ID: 268855

Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

The client is bothered by the repetitive errors below, which keep appearing in the server.log when a user authenticates in IM running under JBoss on Windows:

YYYY-mm-dd hh:mm:ss,634 ERROR [com.netegrity.crypto.RC2128CBCPKCS5PaddingHandler] (default task-2) org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream: 
YYYY-mm-dd hh:mm:ss WARN  [ims.LLSDK.baseobject] (default task-2) Exception has occurred while attempting to decrypt untagged data declared as encrypted.

No reporter server is deployed.

It is possible to suppress the message in log4j_jboss.xml, but the client prefers to solve the problem rather than hide the message.

Environment

Release: 14.4

Cause

The password field of one or more IM connections is not correctly encrypted and needs to be corrected.

This is not easy to find out without enabling DEBUG for the im and ims categories, and in this case also for two further categories, because they are the ones reporting the errors:

ims.idmutils.crypto
ims.LLSDK.baseobject

Resolution

We need to enable Identity Manager DEBUG to know the root cause of the error.

1. Virtual Appliance environment

You can use the logging_v2.jsp page to enable DEBUG for the im and ims categories as follows:

Access the URL
http://<IM-Server-FQDN>/iam/im/logging_v2.jsp. See the "Additional Information" section for the correct URL.
In the Category field type im, change the level from ALL to DEBUG and hit the Set button.
In the Category field type ims, change the level from ALL to DEBUG and hit the Set button.
At the bottom of the page click the Update button.
Wait until the problem happens again, then skip to step 4 below.


To disable DEBUG afterwards:
In the Category field type im, change the level from DEBUG to WARN and hit the Set button.
In the Category field type ims, change the level from DEBUG to WARN and hit the Set button.
At the bottom of the page click the Update button.


2. Standalone environment

If Identity Manager was installed standalone on Windows, Linux, etc., follow the steps below:

1. Include these two new categories in log4j_jboss.xml on your IM servers (back up the original first):

        <logger additivity="false" level="DEBUG" name="ims.idmutils.crypto">
            <AppenderRef ref="rollingLogger"/>
            <AppenderRef ref="Console" />
        </logger>

        <logger additivity="false" level="DEBUG" name="ims.LLSDK.baseobject">
            <AppenderRef ref="rollingLogger"/>
            <AppenderRef ref="Console" />
        </logger>

2. Also change the im and ims categories to DEBUG in the same file.

3. Restart IM.

4. Review the server.log a few lines before the "ERROR [com.netegrity.crypto.RC2128CBCPKCS5PaddingHandler]" entry; you will find something like this example:

YYYY-mm-dd hh:mm:ss,532 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-2) SELECT "CONNECTION"."UNIQUE_NAME", "PROTOCOL", "PORT", "HOSTNAME", "JDBC_SELECT_METHOD", "CONNECTION_TYPE", "CONNECTION_DESCRIPTION", "JDBC_DATABASE_TYPE", "USER_ID", "LDAP_SEARCH_ROOT", "CONNECTION_NAME", "JDBC_DRIVER_CLASS", "LDAP_SECURE_CONNECTION_FLAG", "LDAP_CLEAR_TEXT_PASSWORD", "JDBC_ODBC_DATABASE_NAME", "DEFAULT_CONNECTION", "PASSWORD" FROM "CONNECTION" WHERE "DEFAULT_CONNECTION"=? AND "ENV_OID"=? (true,3)

5. Run a SELECT on the table shown in the statement above, in this case the table called CONNECTION.
It wasn't the specific connection from that SELECT, but we discovered that two of the entries in the list of CONNECTIONS had a PASSWORD field that was not encrypted.

6. Update the Snapshot Database connection rtpParamConn password, and also the Administrator user password of another JDBC connection that was not encrypted correctly.

7. After finishing the troubleshooting, roll back log4j_jboss.xml to stop DEBUG and restart IM.
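Steps 4 and 5 amount to correlating each RC2 handler ERROR with the DEBUG SELECT that the same JBoss worker thread issued just before it, so that the table holding the badly encrypted PASSWORD can be identified. The script below is an added example, not part of this article; it runs over a constructed server.log excerpt with made-up timestamps, and the lookback window and regular expressions are assumptions.

```python
import re
from typing import List

# Constructed sample of a server.log excerpt, shaped like the lines quoted in
# this article (timestamps, thread names and the second SELECT are made up).
SAMPLE_LOG = """\
2024-01-15 10:21:07,532 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-2) SELECT "CONNECTION"."UNIQUE_NAME", "USER_ID", "PASSWORD" FROM "CONNECTION" WHERE "DEFAULT_CONNECTION"=? AND "ENV_OID"=? (true,3)
2024-01-15 10:21:07,634 ERROR [com.netegrity.crypto.RC2128CBCPKCS5PaddingHandler] (default task-2) org.bouncycastle.crypto.internal.io.StreamIOException: Error closing stream:
2024-01-15 10:21:07,640 WARN  [ims.LLSDK.baseobject] (default task-2) Exception has occurred while attempting to decrypt untagged data declared as encrypted.
2024-01-15 10:21:08,001 DEBUG [ims.jdbc.JDBCManagedObjectProvider] (default task-5) SELECT "OID" FROM "OBJECT12" WHERE "OID"=? (7)
2024-01-15 10:21:08,120 INFO  [ims.LLSDK.baseobject] (default task-5) done
"""

ERROR_MARK = "ERROR [com.netegrity.crypto.RC2128CBCPKCS5PaddingHandler]"
TASK_RE = re.compile(r"\((default task-\d+)\)")          # JBoss worker thread
SELECT_RE = re.compile(r'\bSELECT\b.*?\bFROM\s+"([A-Za-z0-9_]+)"', re.IGNORECASE)

def correlate_decrypt_errors(log_text: str, lookback: int = 20) -> List[dict]:
    """For each RC2 handler ERROR, find the closest preceding DEBUG SELECT
    issued by the same worker thread and report the table it read."""
    lines = log_text.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        if ERROR_MARK not in line:
            continue
        task = TASK_RE.search(line)
        task_id = task.group(1) if task else None
        table, statement = None, None
        # Walk backwards over the lookback window, skipping other threads' lines.
        for prev in reversed(lines[max(0, idx - lookback):idx]):
            if task_id and f"({task_id})" not in prev:
                continue
            m = SELECT_RE.search(prev)
            if m:
                table, statement = m.group(1), prev
                break
        findings.append({"line": idx + 1, "thread": task_id,
                         "table": table, "select": statement})
    return findings

def tables_to_inspect(log_text: str) -> List[str]:
    """Distinct tables read right before a decrypt error: the ones whose
    PASSWORD column should be checked for unencrypted values (step 5)."""
    seen: List[str] = []
    for f in correlate_decrypt_errors(log_text):
        if f["table"] and f["table"] not in seen:
            seen.append(f["table"])
    return seen

if __name__ == "__main__":
    for f in correlate_decrypt_errors(SAMPLE_LOG):
        print(f"line {f['line']}: thread {f['thread']} read table {f['table']}")
    print("tables to inspect:", tables_to_inspect(SAMPLE_LOG))
```

Run it against the real server.log with the DEBUG categories from step 1 enabled; an ERROR with no matching SELECT means the decrypt was not triggered by a JDBC read within the lookback window.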

Additional Information

If the logging page is unavailable, see the documentation below to enable it.

For the Virtual Appliance 14.4 version, see the "Modify Identity Manager Application Log Level" section:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-4/virtual-appliance/configuring-virtual-appliance.html


For the Virtual Appliance 14.5 version:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-suite/14-5/virtual-appliance/configuring-virtual-appliance.html#concept.dita_e8bc3a132b722521f1368d7a3210969a821df413_ModifyCAIdentityManagerApplicationLogLevel