After upgrading DX NetOps to version 25.4.2, the OneClick (OC) server does not fully start, and users cannot log in using SAML.
The $SPECROOT/tomcat/log/catalina.log file shows the following errors related to password decryption in the SAML Single Sign-On (SSO) configuration.
One possible error is the following. It means the password in the fediz_config.xml file contains a character that is not supported in encrypted password strings.
ERROR com.aprisma.spectrum.app.sso.saml2.Saml2AuthenticatorHelper - password decryption failed, please check valid encrypted passwords provided in fediz_config.xml file
java.lang.IllegalArgumentException: Illegal base64 character 2d
Another possible error is the following. It means the encrypted password is too short: it does not have enough characters to form a valid encrypted password string.
ERROR com.aprisma.spectrum.app.sso.saml2.Saml2AuthenticatorHelper - password decryption failed, please check valid encrypted passwords provided in fediz_config.xml file
java.lang.IllegalArgumentException: Last unit does not have enough valid bits
All supported Network Observability DX NetOps Spectrum OneClick releases
The fediz_config.xml file is normally edited by the OneClick server when the SAML configuration page of the OC admin site is used, and the server writes an encrypted password string to it.
At some point in the server's past, a new password was set in clear text, which broke the integration.
The issue is resolved by using the CryptoWrapper Utility to encrypt the cacerts keystore password and updating the relevant configuration file.
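To locate which password entry triggers the errors above, the following Python script applies the same two Base64 checks to every password attribute in a configuration file and reports the failures without printing the values. It is an added example, not Broadcom's code and not part of the original article; the sample XML, its element and attribute names, and the assumption that passwords live in attributes whose names contain "password" are all constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample; element/attribute names and values are illustrative only.
SAMPLE = """<FedizConfig>
  <keyStore file="cacerts" password="Chang3-me!" type="JKS"/>
  <signingKey keyAlias="oc" keyPassword="c2VjcmV0MTIzNDU2"/>
  <trustStore password="abcde"/>
</FedizConfig>"""

B64_CHAR = re.compile(r"[A-Za-z0-9+/]")

def check_encrypted(value):
    """Return None if value passes the Base64 checks, else the reason it fails."""
    body = value.rstrip("=")              # trailing padding is allowed
    for ch in body:
        if not B64_CHAR.fullmatch(ch):    # e.g. '-' is 0x2d, as in the log
            return "illegal base64 character %x" % ord(ch)
    if len(body) % 4 == 1:                # a lone 6-bit char cannot form a byte
        return "last unit does not have enough valid bits"
    return None

def scan(xml_text):
    """List (element, attribute, reason) for password attributes that fail.
    The password values themselves are never returned or printed."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        for name, value in elem.attrib.items():
            if "password" in name.lower():
                reason = check_encrypted(value)
                if reason:
                    findings.append((elem.tag, name, reason))
    return findings

if __name__ == "__main__":
    # Pass the path to a copy of fediz_config.xml, or no argument for the sample.
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for tag, attr, reason in scan(text):
        print(f"{tag}@{attr}: {reason}")
```

A clear-text password made up only of Base64 characters passes these checks but still fails decryption, so a clean result is necessary, not sufficient.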