JCEEncryption:: failed to decrypt data error when accessing the admin console in OpenAM 13.x
The purpose of this article is to provide assistance if you encounter an "ERROR: JCEEncryption:: failed to decrypt data" when accessing the OpenAM console.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
The following error is shown in the IdRepo debug log when this happens:
amSDK:01/28/2016 10:37:25:166 AM JST: Thread[localhost-startStop-1,5,main]: TransactionId[b3fea1eb-aaad-4d20-9b66-941b90e78ad8-2] ERROR: JCEEncryption:: failed to decrypt data
javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
    at com.sun.crypto.provider.PBES1Core.doFinal(PBES1Core.java:416)
    at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal(PBEWithMD5AndDESCipher.java:316)
    at javax.crypto.Cipher.doFinal(Cipher.java:2165)
    at com.iplanet.services.util.JCEEncryption.pbeDecrypt(JCEEncryption.java:251)
    at com.iplanet.services.util.JCEEncryption.decrypt(JCEEncryption.java:149)
    at com.iplanet.services.util.Crypt.decode(Crypt.java:350)
    at com.iplanet.services.util.Crypt.decode(Crypt.java:375)
    at com.iplanet.services.ldap.LDAPUser.getPasswd(LDAPUser.java:117)
    at com.iplanet.services.ldap.ServerInstance.getPasswd(ServerInstance.java:128)
You may see the following message in the browser when accessing the OpenAM console:
Authentication service is not initialized. Contact your system administrator.
Note
You may also notice "ERROR: JCEEncryption:: Unsupported version: -98" errors in the IdRepo log. This is a known issue: OPENAM-3009 (IdRepo - JCEEncryption 98 ). If you are not experiencing any functional problems, you can safely ignore these messages.
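The following triage script is an added example for this article; it is not part of the original page and not a ForgeRock tool. It parses IdRepo debug entries in the format quoted above, attaches stack-trace continuation lines to the entry they belong to, and separates the actionable "failed to decrypt data" errors from the "Unsupported version: -98" messages that OPENAM-3009 says can be ignored when nothing is functionally broken. The sample log is constructed for the example (its timestamps, thread names and transaction IDs are invented), and two heuristics are assumptions rather than anything the article states: that a thread named localhost-startStop-* is the Tomcat container start-up thread, and that a BadPaddingException in the trace points at a key mismatch.

```python
import re
from collections import Counter

# Constructed sample of IdRepo debug log lines, modelled on the entry quoted in
# the article. Timestamps, thread names and transaction IDs are made up.
SAMPLE_LOG = """\
amSDK:01/28/2016 10:37:25:166 AM JST: Thread[localhost-startStop-1,5,main]: TransactionId[0a1b2c3d-0000-4000-8000-000000000001-2] ERROR: JCEEncryption:: failed to decrypt data
javax.crypto.BadPaddingException: Given final block not properly padded
\tat com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
\tat com.iplanet.services.util.JCEEncryption.pbeDecrypt(JCEEncryption.java:251)
amSDK:01/28/2016 10:37:25:201 AM JST: Thread[localhost-startStop-1,5,main]: TransactionId[0a1b2c3d-0000-4000-8000-000000000001-3] ERROR: JCEEncryption:: Unsupported version: -98
amSDK:01/28/2016 10:39:02:010 AM JST: Thread[http-nio-8080-exec-4,5,main]: TransactionId[1d2f0c55-0000-4000-8000-000000000002-1] ERROR: JCEEncryption:: failed to decrypt data
javax.crypto.BadPaddingException: Given final block not properly padded
amSDK:01/28/2016 10:39:02:011 AM JST: Thread[http-nio-8080-exec-4,5,main]: TransactionId[1d2f0c55-0000-4000-8000-000000000002-1] MESSAGE: IdRepo loaded
"""

# Header line of one debug entry: logger, timestamp, thread, optional
# transaction id, level and message. Anything that does not match is treated
# as a continuation (stack trace) line of the previous entry.
ENTRY_RE = re.compile(
    r"^(?P<logger>\w+):(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]: "
    r"(?:TransactionId\[(?P<txid>[^\]]+)\] )?"
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

DECRYPT_FAILED = "JCEEncryption:: failed to decrypt data"      # actionable
UNSUPPORTED_VERSION = "JCEEncryption:: Unsupported version: -98"  # OPENAM-3009 noise
STARTUP_THREAD_PREFIX = "localhost-startStop"  # assumption: Tomcat start-up thread


def parse_entries(text):
    """Split raw debug output into entries, each with its trace lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["trace"] = []
            entries.append(entry)
        elif entries:
            entries[-1]["trace"].append(line.strip())
    return entries


def classify(entry):
    msg = entry["msg"]
    if msg.startswith(DECRYPT_FAILED):
        return "key-mismatch"
    if msg.startswith(UNSUPPORTED_VERSION):
        return "benign"
    return "other"


def triage(text):
    """Summarise the JCEEncryption errors in a debug log and suggest next steps."""
    entries = parse_entries(text)
    counts = Counter(classify(e) for e in entries)
    mismatches = [e for e in entries if classify(e) == "key-mismatch"]
    report = {
        "decrypt_failures": counts["key-mismatch"],
        "benign_version_messages": counts["benign"],
        # Failures on the container start-up thread fit the OPENAM-8214
        # initialisation race described under Causes.
        "seen_on_startup_thread": any(
            e["thread"].startswith(STARTUP_THREAD_PREFIX) for e in mismatches),
        # BadPaddingException is what a PBE decrypt under the wrong key produces.
        "all_bad_padding": bool(mismatches) and all(
            any("BadPaddingException" in t for t in e["trace"]) for e in mismatches),
    }
    if report["decrypt_failures"]:
        report["verdict"] = ("actionable: verify AM_ENC_KEY / re-create the bootstrap file; "
                             "on 13.0, if it persists after a restart, upgrade (OPENAM-8214)")
    elif report["benign_version_messages"]:
        report["verdict"] = "benign: only OPENAM-3009 messages; ignore if nothing is broken"
    else:
        report["verdict"] = "clean: no JCEEncryption errors found"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real IdRepo log by passing the file contents to triage(); the verdict only narrows the cause to the two cases the article lists, and the bootstrap/AM_ENC_KEY check under Solution is still the step that confirms which one applies.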
Recent Changes
Upgraded to OpenAM 13.
Causes
This error can occur for one of the following reasons depending on your version of OpenAM:
- OpenAM 13.0 only: When OpenAM starts, the configuration manager (DSConfigMgr) is first initialized with the password values from the bootstrap file; these are placeholders and are encrypted with the bootstrap encryption key. The actual server configuration is then loaded from the OpenDJ config store, the JCEEncryption password is set to the correct value for this site and the encryption key is updated to the one specified in the AM_ENC_KEY property (set when you configured OpenAM). DSConfigMgr is then reinitialized as a new instance holding the actual configuration data. However, because the SMS ServerConfigurationFactory caches the DSConfigMgr instance the first time it is requested, which instance ends up cached depends on timing. If the cached copy is the one holding the placeholder passwords, OpenAM attempts to decrypt the passwords from the actual configuration with the wrong encryption key; a PBE decryption under the wrong key almost always fails its PKCS#5 padding check, which is the BadPaddingException in the stack trace above. This is a known issue: OPENAM-8214 (JCEEncryption errors are recorded during/after upgrading to 13).
- All versions of OpenAM: The encryption key is wrong or corrupt (for example, the bootstrap file has been damaged, or the AM_ENC_KEY value no longer matches the key the configuration was encrypted with), so the directory manager's password stored in the bootstrap file cannot be decrypted. The encryption key is specified in the AM_ENC_KEY property when you configure OpenAM.
Solution
The solution depends on your version of OpenAM.
OpenAM 13.0
You should first ensure your encryption key is correct using one of the following approaches:
- Re-create the bootstrap file as described in How do I re-create a bootstrap file for OpenAM 13.x if the bootstrap file has become corrupt?
- Reinstall OpenAM and specify the encryption key in the AM_ENC_KEY property in the Configuration file; this must be the same key the existing configuration was encrypted with, otherwise the stored passwords still cannot be decrypted. You must remove OpenAM software properly before reinstalling.
If you still see the error after restarting the web application container in which OpenAM runs, you are encountering the known issue (OPENAM-8214). This is resolved by upgrading to OpenAM 13.5 or later, which you can download from BackStage.
Other versions of OpenAM
You should correct your encryption key using one of the following options:
- Re-create the bootstrap file as described in How do I re-create a bootstrap file for OpenAM 13.x if the bootstrap file has become corrupt?
- Reinstall OpenAM and specify the encryption key in the AM_ENC_KEY property in the Configuration file; this must be the same key the existing configuration was encrypted with, otherwise the stored passwords still cannot be decrypted. You must remove OpenAM software properly before reinstalling.
Note
Restarting the web application container in which OpenAM runs will clear the "Authentication service is not initialized. Contact your system administrator." message shown in the browser.
See Also
How do I re-create a bootstrap file for OpenAM 13.x if the bootstrap file has become corrupt?
OpenAM Installation Guide › Removing OpenAM Software
Related Training
N/A
Related Issue Tracker IDs
OPENAM-8215 (Guice provision errors during upgrade to 13)
OPENAM-8214 (JCEEncryption errors are recorded during/after upgrading to 13)