Support Article
CryptographicException during start up
SA-43608
Summary
A custom cipher has been successfully deployed in a developer environment.
However, when trying to apply the custom cipher to another environment, a CryptographicException is observed in the PegaRULES logfile during startup and the startup does not complete.
Error Messages
2017-08-30 17:10:01,085 [ocalhost-startStop-1] [ ] [ ] (ervlet.WebAppLifeCycleListener) ERROR - Exception during startup processingcom.pega.pegarules.pub.context.CryptographicException: Problem decrypting data
at com.pega.pegarules.exec.internal.util.crypto.PRCipherBase.decrypt(PRCipherBase.java:227)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.decrypt(PRCryptoImpl.java:747)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.decrypt(PRCryptoImpl.java:706)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationImpl.retrieveEncryptedPassword(DatabaseConfigurationImpl.java:979)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationImpl.retrieveEncryptedPassword(DatabaseConfigurationImpl.java:986)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationImpl$Builder.setValuesFromDBName(DatabaseConfigurationImpl.java:1480)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationImpl$Builder.buildFromDataAdminDbName(DatabaseConfigurationImpl.java:1739)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationImpl$Builder.build(DatabaseConfigurationImpl.java:1690)
at com.pega.pegarules.data.internal.access.DatabaseConfigurationMap.addDbToMap(DatabaseConfigurationMap.java:338)
at com.pega.pegarules.data.internal.access.ConnectionManagerImpl.rebuildDBNameDefinitions(ConnectionManagerImpl.java:2838)
at com.pega.pegarules.data.internal.access.ConnectionManagerImpl.loadDatabaseConfigurationMap(ConnectionManagerImpl.java:581)
at com.pega.pegarules.data.internal.access.ConnectionManagerImpl.<init>(ConnectionManagerImpl.java:530)
at com.pega.pegarules.data.internal.PRDataProviderImpl.getConnectionManager(PRDataProviderImpl.java:607)
at com.pega.pegarules.data.internal.PRDataProviderImpl.isMultiTenantEnvironment(PRDataProviderImpl.java:1162)
at com.pega.pegarules.deploy.internal.archive.ParUtilsImpl.setStageDirectory(ParUtilsImpl.java:220)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineStartup.initEngine(EngineStartup.java:522)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._initEngine_privact(EngineImpl.java:172)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.doStartup(EngineImpl.java:145)
at com.pega.pegarules.web.servlet.WebAppLifeCycleListener._contextInitialized_privact(WebAppLifeCycleListener.java:313)
at com.pega.pegarules.web.servlet.WebAppLifeCycleListener.contextInitialized(WebAppLifeCycleListener.java:218)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:370)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:411)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:224)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:273)
at com.pega.pegarules.internal.web.servlet.WebAppLifeCycleListenerBoot.contextInitialized(WebAppLifeCycleListenerBoot.java:83)
at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4777)
at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5211)
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:714)
at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:581)
at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1683)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
at com.sun.crypto.provider.DESedeCipher.engineDoFinal(DESedeCipher.java:294)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at com.pega.pegarules.exec.internal.util.crypto.PRCipherBase.decrypt(PRCipherBase.java:225)
... 41 more
Steps to Reproduce
1. Import site specific cipher class jar file, created in developer environment.
2. Update prconfig.xml to reference custom cipher.
3. Start up environment.
Root Cause
Passwords and Text/Encrypted property types are encrypted using the cipher defined in prconfig.xml. This environment had previously been configured to use a sample cipher class which is intended to be customized prior to use:
<env name="crypto/sitecipherclass" value="com.pega.pegarules.exec.internal.util.crypto.PRCipherSampleBF" />
This is not a default configuration, but the cipher sample is provided as an example to assist in setting up a site-specific cipher class. A cipher setting is required to encrypt Passwords and Encrypted Text properties.
Before the custom site-specific cipher class was configured, Data-Admin-DB-Name external database connection rules had been created, and their passwords had been encrypted with the sample cipher class.
During startup, Pega attempts to create connections to all configured databases: PegaRULES, PegaDATA, and any other defined databases. If it cannot decrypt the passwords needed to connect to a database, it fails to start up. In this case, the database password could not be decrypted because the cipher configured for decryption was not the cipher that had originally been used to encrypt the password.
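The following Java program is an added illustration of the failure described above; it is not Pega code and does not use the Pega cipher classes. It encrypts two constructed sample passwords under one DESede key (standing in for the sample cipher) and then tries to read them with a second key (standing in for the new site-specific cipher). The transformation "DESede/CBC/PKCS5Padding", the IV handling and the helper names are assumptions chosen so that the wrong-key decryption produces the same javax.crypto.BadPaddingException seen in the stack trace. The undecryptableWith check is the kind of pre-flight test worth running against stored encrypted values before the crypto/sitecipherclass setting is changed.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Added illustration, not Pega code: a secret encrypted under one key can only be
 * decrypted under that same key. Decrypting it under a different key fails in the
 * PKCS#5 unpadding step with "Given final block not properly padded".
 */
public class CipherMismatchCheck {

    // Assumption: the stack trace names DESedeCipher; mode and padding are chosen here
    // to reproduce the padding failure, not taken from any Pega cipher class.
    private static final String TRANSFORMATION = "DESede/CBC/PKCS5Padding";
    private static final int IV_LEN = 8; // DESede block size in bytes
    private static final SecureRandom RNG = new SecureRandom();

    /** Encrypts with a fresh random IV and returns IV || ciphertext. */
    static byte[] encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + body.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(body, 0, out, IV_LEN, body.length);
        return out;
    }

    /** Splits IV || ciphertext and decrypts; throws BadPaddingException under the wrong key. */
    static String decrypt(SecretKey key, byte[] blob) throws GeneralSecurityException {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(blob, 0, IV_LEN));
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, iv);
        byte[] plain = c.doFinal(Arrays.copyOfRange(blob, IV_LEN, blob.length));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /**
     * Pre-flight check before switching ciphers: returns the indexes of stored values
     * that the candidate key cannot decrypt. Any hit on a database password would
     * become a startup failure once the new cipher is configured.
     */
    static List<Integer> undecryptableWith(SecretKey candidate, List<byte[]> stored) {
        List<Integer> failed = new ArrayList<>();
        for (int i = 0; i < stored.size(); i++) {
            try {
                decrypt(candidate, stored.get(i));
            } catch (GeneralSecurityException e) {
                // BadPaddingException is the usual symptom. Roughly 1 in 256 wrong-key
                // decryptions happen to end in valid-looking padding and return garbage
                // instead, so a clean decrypt is necessary but not sufficient evidence
                // that the candidate key is the right one.
                failed.add(i);
            }
        }
        return failed;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("DESede");
        SecretKey oldCipherKey = kg.generateKey(); // stands in for the sample cipher
        SecretKey newCipherKey = kg.generateKey(); // stands in for the site-specific cipher

        // Constructed sample: two database passwords encrypted under the old key.
        List<byte[]> stored = Arrays.asList(
                encrypt(oldCipherKey, "constructed-pegadata-password"),
                encrypt(oldCipherKey, "constructed-external-db-password"));

        System.out.println("old key reads everything: " + undecryptableWith(oldCipherKey, stored).isEmpty());
        System.out.println("indexes the new key cannot read: " + undecryptableWith(newCipherKey, stored));

        try {
            decrypt(newCipherKey, stored.get(0));
        } catch (BadPaddingException e) {
            System.out.println("BadPaddingException: " + e.getMessage());
        }
    }
}
```

Because a wrong key is only detected by the padding check, a decrypt that succeeds should still be confirmed against something the value is known to unlock; for a database password that confirmation is the connection attempt Pega itself makes at startup, which is why the mismatch surfaces there rather than earlier.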
Resolution
Perform the following local change steps:
1. Shut down the server.
2. Revert the crypto/sitecipherclass configuration setting to its original (sample cipher) value.
3. Start the server.
4. Delete the Data-Admin-DB-Name rule instances which had been created with the old cipher.
5. Shut down the server.
6. Update the crypto/sitecipherclass configuration setting to the new site-specific cipher class.
7. Start up the server.
8. Recreate the Data-Admin-DB-Name rule instances. Their passwords will now be encrypted with the correct site-specific cipher class.
Note that any other instances (for example, work object properties of type encrypted text) that were created under the old site-specific cipher will no longer be readable when the cipher is updated, and will generate a similar error.
This does not prevent the server from operating; it only prevents the affected work object from functioning.
Those work objects will need to be re-created.
Published January 5, 2018 - Updated October 8, 2020