IG 4.2 - workflow-api: Unable to decrypt data because no keys have been supplied

Hi,
after upgrading from IG 3.7.2 to 4.2 I get an error on starting tomcat:

[SCHWERWIEGEND] 2024-01-31 13:19:17.771 [com.netiq.iac.workflow.jee.IacWorkflowServerInitListener] Error initializing logging
java.lang.IllegalStateException: Unable to decrypt data because no keys have been supplied.
        at com.netiq.ism.obfuscate.CryptoUtils.decrypt(CryptoUtils.java:437)
        at com.netiq.ism.obfuscate.CryptoUtils.decipher(CryptoUtils.java:403)
        at com.netiq.ism.config.impl.ConfigurationImpl.decode(ConfigurationImpl.java:835)
        at com.netiq.ism.config.impl.ConfigurationImpl.getString(ConfigurationImpl.java:417)
        at com.netiq.iac.common.logging.ArcLoggingConfigurator.getConfigString(ArcLoggingConfigurator.java:283)

Currently I think this happens because my system is missing configurations in ism-configuration.properties:

# fgrep wfe ism-configuration.properties
com.microfocus.wfe.consumer.url = https://abc:8443/api/wfi
com.microfocus.wfe.consumer.password._attr_obscurity = ENCRYPT

My working reference system lists:

# fgrep wfe ism-configuration.properties
com.microfocus.wfe.consumer.url = https://def:8443/api/wfi
com.microfocus.wfe.consumer.userId = workflow
com.microfocus.wfe.consumer.password._attr_obscurity = ENCRYPT
com.microfocus.wfe.consumer.password = [AES/GCM/NoPadding]6xXXX:r/Harr18/t2XXXc9fXXX==

Any ideas where this configuration is coming from? Can neither find it in configupdate.sh nore in configutil.sh.

regards
Daniel

  • 0

    hmmm.... my reference system does not have workflow-api.jar. So maybe this was not deleted on update and is unable to handle the new encrypted password values?

  • 0   in reply to 

    Hello,

    1) The workflow-api war is no longer a part of Identity Governance.  The 3.7.3 release is the last to include that war.

    2) When you upgraded 3.7.3 to 4.2
    a) Did you have External Workflow Service installed when this was 3.7.3?
    b) When you ran the IG 4.2 installer, did you select to upgrade all components (IG, RPT, Workflow Service)?
    c) When you ran the IG 4.2 installer, did you select to use the existing encryption key that was created during the OSP install or did you create a new one?

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    2a) The workflow engine was installed on the IG 3.7.3 application server

    2b) Yes, I selected "Full", thus all products were checked.

    2c) In IG 4.2 installer I selected the one which was generated by prior running OSP installer

  • 0 in reply to 

    Have you been able to solve this  ? I have upgraded IG 3.7.3 to 4.2 and I see the same issue with workflow engine.

  • 0   in reply to 

    Hello,
       At this point, I would suggest opening a Service Request with Support. We will need to get some information from your environment that should not be shared here.

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to 

    As Steven said, "workflow-api.war" is no longer in use. So I "solved" it by removing the war-file Slight smile

    I had an error in IG which I _tought_ is related to this exception, but it turned out the error was something completely different. So having "workflow-api.war" still in webapps should not effect your IG, if I understood it correctly.

    regards
    Daniel

  • 0   in reply to 

    Hello Daniel,
    Are you saying in your set-up, that the workflow-api war was still in your tomcat/webapps after upgrading to 4.2? If yes, please outline the process and utilities that you utilized to upgrade from 3.7.3 to 4.2 as we have not seen this behavior in our testing.   Did you utilize the 4.2 version of the upgrade component helper scripts to update the tomcat version?

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello Steven,
    exactly, workflow-api.war was still in tomcat/webapps after upgrading to 4.2.

    • updated the database server (postgres running on a different server)
    • updated ActiveMQ and Java (I am not sure if I also updated Tomcat) by using the upgrade helper scripts
    • updated OSP
    • updated IG

    Please also see  RE: IG 4.2 - workflow-api: Unable to decrypt data because no keys have been supplied

    regards
    Daniel

  • 0   in reply to 

    Hello Daniel,

        Thanks for the update and I will investigate.  Some of the customers that I directly work with did not experience (or at least they did not tell me) this situation when upgrading from 3.7.x to 4.2.

     Please be aware that the link you provided is to "this" thread.  Did you want to reference a different thread?

    Sincerely,
    Steven Williams
    Principal Enterprise Architect
    OpenText Cybersecurity

  • 0 in reply to   

    Hello Steven,

    Thanks for the suggestion, I will open a support ticket for this. It is the same case in my set-up that workflow-api.war was still in tomcat/webapps folder. Now I have tried removing this file as suggested by Daniel but in my case i still see the same error after restarting tomcat.

     
    While upgrading to 4.2 I followed this 

    - utilized the 4.2 version of the upgrade component helper scripts to update Tomcat, Java and ActiveMQ.

    - postgres is running on different server so upgraded separately. 

    - Upgraded OSP 

    - Upgraded IG

    - Upgraded Workflow by running the installer again.