Products | Versions |
---|---|
TIBCO Administrator | - |
Not Applicable | - |
Description:
===========
While enabling SSL for the TIBCO Administration domain with keystoreType set to PKCS12, if the keystore password is specified in clear text in the server.xml file under the <TIBCO_HOME>/Administrator/domain/<Domain_Name>/tomcat/conf directory, the Administrator starts fine. However, if an obfuscated password is used for the keystore password, the Administrator startup fails.
Environment:
===========
TIBCO Administrator(TM) 5.x.x
TIBCO Runtime Agent(TM) 5.x.x
All OS
Symptoms:
===========
org.apache.coyote.http11.Http11NioProtocol - Failed to initialize end point associated with ProtocolHandler ["http-nio-8443"]
java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
Cause:
===========
The obfuscate utility encrypts the password with the 3DES algorithm. The above error occurs when the protocol, SSLImplementation or ciphersClass attributes of the Connector element are not specified correctly, as in the following connector string:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
acceptCount="10"
clientAuth="false"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
scheme="https"
secure="true"
sslProtocol="TLS"
keystoreType="PKCS12"
keystoreFile="C:/tibco/cfg/domain/administrator/MBDA_ESB_FR_DEV/SSL/TIBCODC.p12"
keystorePass="#!l0Vurw9ObSNc+ZXXuU6mej0wAV0/qtQKAP0Cr3cFiHc="
SSLImplementation="com.tibco.security.tomcat.TibcoJSSEImplementation"
ciphersClass="AtLeast128Bit" />
Resolution:
==========
To avoid the error, consider the following two points.
1). Always use SSLImplementationName (instead of SSLImplementation) and ciphersClass elements as follows:
SSLImplementationName="com.tibco.security.tomcat.TibcoJSSEImplementation" ciphersClass="AtLeast128Bit"
Notice the name of the element is SSLImplementationName and not SSLImplementation.
2). If "org.apache.coyote.http11.Http11NioProtocol" does not work as the value of the protocol attribute, use "HTTP/1.1".
The Connector String should look like the following:
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
acceptCount="10"
clientAuth="false"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
scheme="https"
secure="true"
sslProtocol="TLS"
keystoreType="PKCS12"
keystoreFile="C:/tibco/cfg/domain/administrator/MBDA_ESB_FR_DEV/SSL/TIBCODC.p12"
keystorePass="#!l0Vurw9ObSNc+ZXXuU6mej0wAV0/qtQKAP0Cr3cFiHc="
SSLImplementationName="com.tibco.security.tomcat.TibcoJSSEImplementation"
ciphersClass="AtLeast128Bit" />
NOTE: An obfuscated keystorePass must be used when SSLImplementationName is present. Using SSLImplementation instead may cause the Administrator to fail to start if keystorePass is plain text.