Respected Contributor.

Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

Hi all,

After upgrading Identity Application from 4.6.4 to 4.8, the Application would not start.

IDM-4.8;  OS: RHEL-7.6

Catalina keeps presenting the same error message starting with:
Jun 26, 2020 1:27:07 PM org.apache.catalina.core.StandardContext loadOnStartup
SEVERE: Servlet [RefreshTokenServlet] in web application [/idmadmin] threw load() exception
java.lang.IllegalArgumentException
at com.netiq.ism.obfuscate.CryptoUtils.decipher(CryptoUtils.java:117)
at com.netiq.ism.config.impl.ConfigurationImpl.decode(ConfigurationImpl.java:759)
at com.netiq.ism.config.impl.ConfigurationImpl.getString(ConfigurationImpl.java:408)
at com.netiq.idmdash.context.RefreshTokenServlet.createSslSocketFactory(RefreshTokenServlet.java:148)

Please check out attached files for logs and more details.


The keystores (idm.jks in PKCS12 format & the normal tomcat keystore) have been recreated several times, and the pub-key imported, yet no luck.


A new idm-jks has been created, and the idea suggested by @klasen in (https://community.microfocus.com/t5/Identity-Manager-User/idm-jksPurpose-of-new-Keystore-in-IDM-4-72/td-p/2686721) has been tried.

Attempts to launch configupdate.sh also fail, as it presents a similar error message:
configupdate]# ./configupdate.sh
Jun 26, 2020 4:47:42 PM com.netiq.internal.installer.idm.ldap.RunStateImpl dump
FINE: [CFG] Environment:
help=false
install=false
sso-apps=rpt,ua
reporting-admins-app=ua, ,
is_prov=true
edition=ADVANCED
provider_url=jnp://localhost:1099
file=/opt/netiq/idm/apps/tomcat/webapps/IDMProv.war
extFile=/opt/netiq/idm/apps/UserApplication/IDMPwdMgt.war
stop_deployer=false
use_ssl=true
use_console=false
read_pwd=true
debug=true
installDir=/opt/netiq/idm/apps/UserApplication
silent=null
force-no-userapp=false
force-no-reporting=false
reporting-config=system
force-no-ig=false
force-no-osp=false
no-save=false
no-nam-oauth=false
socket-connect-timeout=5000
socket-read-timeout=5000
dbDriver=null
dbUrl=null
dbUser=null
dbPassword=<not provided>
app-versions=ig#3.6.0,rpt#6.6.0,ua#4.8.0
java.lang.IllegalArgumentException
at com.netiq.ism.obfuscate.CryptoUtils.decipher(CryptoUtils.java:100)
at com.netiq.ism.config.impl.ConfigurationImpl.decode(ConfigurationImpl.java:842)
at com.netiq.ism.config.impl.ConfigurationImpl.getString(ConfigurationImpl.java:424)
at com.netiq.internal.installer.idm.ldap.IsmConfig.getValueInternal(IsmConfig.java:398)
at com.netiq.internal.installer.idm.ldap.UaConfigBase.getValue(UaConfigBase.java:265)
at com.netiq.internal.installer.idm.ldap.def.TruststoreDefinition.<init>(TruststoreDefinition.java:54)
at com.netiq.internal.installer.idm.ldap.LdapParameters.<init>(LdapParameters.java:81)
at com.netiq.internal.installer.idm.ldap.LdapParameters.<init>(LdapParameters.java:62)
at com.netiq.internal.installer.idm.ldap.UserAppAdapter.initialize(UserAppAdapter.java:274)
at com.netiq.internal.installer.idm.ldap.UaConfigBase.initializeAdapters(UaConfigBase.java:72)
at com.netiq.internal.installer.idm.ldap.IsmConfig.<init>(IsmConfig.java:134)
at com.netiq.internal.installer.idm.ldap.IdmConfigSource.getConfig(IdmConfigSource.java:106)
at com.netiq.internal.installer.idm.ldap.LdapConfig.<init>(LdapConfig.java:265)
at com.netiq.internal.installer.idm.ldap.LdapConfig.main(LdapConfig.java:168).

 

The idmdash, idmadmin folders and content of tomcat/temp/ as well as tomcat/work have been deleted in several attempts, yet the issue persists.

UA driver and RRSD have been restarted too.

Please, am I missing something?

Any ideas, clues or pointers would be greatly appreciated.

 

 

Knowledge Partner

Re: Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

What is the Java version that User App is using?  Did it properly get updated? This feels like an older JVM causing the issue.

 

Respected Contributor.

Re: Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

Hi @geoffc,
here are the details:
bin]# java -version
openjdk version "1.8.0_192"
OpenJDK Runtime Environment (Zulu 8.33.0.1-linux64) (build 1.8.0_192-b01)
OpenJDK 64-Bit Server VM (Zulu 8.33.0.1-linux64) (build 25.192-b01, mixed mode)


Do I need to make any modifications, or are there any further checks and adjustments to be done?

Thanks for anticipated clues.
Knowledge Partner

Re: Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

That JVM version looks fine. I forget what the official version is supposed to be, but the thought I had would have been in a much earlier JVM so I doubt that is the issue.

Looking at the stack trace, it looks like it is trying to read the password for the KeyStore for LDAP connections.

I would look at the encrypted values in the ism-configuration.properties and maybe redo them.

Configupdate.sh in GUI mode just does it for you, and I guess in console mode as well.

This looks like an issue with the KeyStore password for LDAP and possibly LDAP password, so just reenter those values.

Now I ran into a bizarre issue where I was adding a password in the GUI and the value was concatenated to the existing value, instead of replacing it.

You can see this as the password encrypted string is based on the MasterKey, so did you perhaps lose that during the upgrade? Or change it? I am told, and the format is salt:password and both are base64 encoded. So if there is a very long line, with more than 1 colon, then you may have the concat issue. In which case, edit the file, delete the values, and then in configupdate.sh reenter them.

 

Respected Contributor.

Re: Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

Hi @geoffc,
Thanks for the pointers. After concerted checks, it was obvious the path was pointing to an older Java, and that was part of the problem. For some other weird reason, it was found in the ism-config file that one of the usual keystore passwords, 'changeit', was not encrypted; it was there in plain text, which made it tricky to notice.
In summary, the pointers have been vital. Thanks a million @geoffc.
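
Added example (not part of the original thread and not NetIQ code): a check for the two conditions this thread turned up, a secret stored without the salt:password layout and a value with more than one colon. It assumes the layout as described in the accepted answer and treats keys ending in pwd or password as secrets; the key names and values in SAMPLE are constructed.

```python
import base64
import binascii
import re

# Assumption: secret-bearing keys are recognised by how their name ends.
SECRET_SUFFIXES = ("pwd", "password")

# Constructed sample: key names and values are made up, not product data.
SAMPLE = """\
example.ldap.admin-pwd = c2FsdHNhbHQ=:cGFzc3dvcmQxMjM0
example.keystore.pwd = changeit
example.truststore.pwd = c2FsdA==:b2xk:c2FsdA==:bmV3
example.ldap.host = ldap.example.test:636
"""

def _is_b64(text):
    """True if text is non-empty and strictly valid base64."""
    try:
        return bool(text) and bool(base64.b64decode(text, validate=True))
    except (binascii.Error, ValueError):
        return False

def classify(value):
    """Check one stored value against the salt:password layout."""
    # Java .properties writers may backslash-escape ':' and '='.
    parts = re.sub(r"\\(.)", r"\1", value).split(":")
    if len(parts) == 1:
        return "no colon, possibly plain text"
    if len(parts) > 2:
        return "more than one colon, possibly concatenated"
    return "ok" if all(_is_b64(p) for p in parts) else "not base64"

def audit(text):
    """Return {key: finding} for suspect entries; values are never echoed."""
    findings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key.lower().endswith(SECRET_SUFFIXES):
            verdict = classify(value)
            if verdict != "ok":
                findings[key] = verdict
    return findings

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(f"{key}: {verdict}")
```

To check a real file, pass the text of ism-configuration.properties to audit(); the report lists key names only, so it can be shared without exposing the stored values.
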
Knowledge Partner

Re: Identity Application not starting after upgrade from 4.6.4 to 4.8 with CryptoUtils related error

Glad to hear it helped. I was totally guessing  🙂 

Sometimes you win, sometimes you lose.  🙂
