Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

CryptographicException during start up



A custom cipher has been successfully deployed in a developer environment.

However, when trying to apply the custom cipher to another environment, a CryptographicException is observed in the PegaRULES logfile during startup and the startup does not complete.

Error Messages

2017-08-30 17:10:01,085 [ocalhost-startStop-1] [ ] [ ] (ervlet.WebAppLifeCycleListener) ERROR - Exception during startup processing Problem decrypting data
at com.pega.pegarules.exec.internal.util.crypto.PRCipherBase.decrypt(
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.decrypt(
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.decrypt(
at com.pega.pegarules.deploy.internal.archive.ParUtilsImpl.setStageDirectory(
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineStartup.initEngine(
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._initEngine_privact(
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.doStartup(
at com.pega.pegarules.web.servlet.WebAppLifeCycleListener._contextInitialized_privact(
at com.pega.pegarules.web.servlet.WebAppLifeCycleListener.contextInitialized(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(
at com.pega.pegarules.internal.web.servlet.WebAppLifeCycleListenerBoot.contextInitialized(
at org.apache.catalina.core.StandardContext.listenerStart(
at org.apache.catalina.core.StandardContext.startInternal(
at org.apache.catalina.util.LifecycleBase.start(
at org.apache.catalina.core.ContainerBase.addChildInternal(
at org.apache.catalina.core.ContainerBase.addChild(
at org.apache.catalina.core.StandardHost.addChild(
at org.apache.catalina.startup.HostConfig.deployDescriptor(
at org.apache.catalina.startup.HostConfig$
at java.util.concurrent.Executors$
at java.util.concurrent.ThreadPoolExecutor.runWorker(
at java.util.concurrent.ThreadPoolExecutor$
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(
at com.sun.crypto.provider.CipherCore.doFinal(
at com.sun.crypto.provider.DESedeCipher.engineDoFinal(
at javax.crypto.Cipher.doFinal(
at com.pega.pegarules.exec.internal.util.crypto.PRCipherBase.decrypt(
... 41 more

Steps to Reproduce

1. Import site specific cipher class jar file, created in developer environment.
2. Update prconfig.xml to reference custom cipher.
3. Start up environment.

Root Cause

Passwords and Text/Encrypted property types are encrypted using the defined cipher in prconfig.xml.

This environment had previously been configured to use a sample cipher class which is intended to be customized prior to use:

<env name="crypto/sitecipherclass" value="com.pega.pegarules.exec.internal.util.crypto.PRCipherSampleBF>

This is not a default configuration, but the cipher sample is provided as an example to assist in setting up a site specific cipher class. A cipher setting is required to encrypt Passwords and Encrypted Text properties.

Prior to the custom site specific cipher class, Data-Admin-DB-Name external database connection rules had been created, and their passwords encrypted with the sample cipher class.

During startup, Pega attempts to create connections to all configured databases - PegaRULES, PegaDATA, and any other defined databases. If it cannot decrypt the passwords to connect to the database then it will fail to start up. In this case, the database password could not be decrypted due to the cipher being used for decryption not being the same as the cipher that was originally used to encrypt the password.


Perform the following local change steps:

1. Shut down the server.
2. Revert the crypto/sitecipherclass configuration setting to its original (sample cipher) value.
3. Start the server.
4. Delete the Data-Admin-DB-Name rule instances which had been created with the old cipher.
5. Shut down the server.
6. Update the crypto/sitecipherclass configuration setting to the new site-specific cipher class.
7. Start up the server.
8. Recreate the Data-Admin-DB-Name rule instances. Their passwords will now be encrypted with the correct site-specific cipher class.

Note that any other instances (for example, work object properties of type encrypted text) that were created under the old site-specific cipher will no longer be readable when the cipher is updated, and will generate a similar error.

This will not prevent the server from operating - just prevent that work object from functioning.

Those work objects will need to be re-created.

Published January 5, 2018 - Updated October 8, 2020

Was this useful?

0% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us