
Given final block not properly padded error when starting IDM/OpenIDM (All versions)

Last updated Dec 21, 2018

The purpose of this article is to provide assistance if you encounter a "javax.crypto.BadPaddingException: Given final block not properly padded" error when starting IDM/OpenIDM.



Symptoms

The following error is shown when starting IDM/OpenIDM:

SEVERE: OpenICF Provisioner Service configuration has errors
org.forgerock.json.JsonException: org.forgerock.json.crypto.JsonCryptoException: javax.crypto.BadPaddingException: Given final block not properly padded
	at org.forgerock.json.crypto.JsonCryptoTransformer.transform(JsonCryptoTransformer.java:52)
	at org.forgerock.json.JsonValue.applyTransformers(JsonValue.java:444)
	at org.forgerock.json.JsonValue.<init>(JsonValue.java:294)
	at org.forgerock.json.JsonValue.get(JsonValue.java:1200)
	at org.forgerock.json.JsonValue.copy(JsonValue.java:1080)
	at org.forgerock.json.JsonValue.copy(JsonValue.java:1080)
	at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.decrypt(CryptoServiceImpl.java:256)
...
Caused by: org.forgerock.json.crypto.JsonCryptoException: javax.crypto.BadPaddingException: Given final block not properly padded
	at org.forgerock.json.crypto.simple.SimpleDecryptor.decrypt(SimpleDecryptor.java:92)
	at org.forgerock.json.crypto.JsonCryptoTransformer.transform(JsonCryptoTransformer.java:50)
	... 87 more
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded

You may also see other variants of this error regarding the email service, for example:

WARNING: Configuration invalid, can not start external email client service.
org.forgerock.json.JsonException: org.forgerock.json.crypto.JsonCryptoException: javax.crypto.BadPaddingException: Given final block not properly padded
SEVERE: Bundle: org.forgerock.openidm.external-email [71] [org.forgerock.openidm.external.email] The activate method has thrown an exception
org.apache.felix.log.LogException: org.forgerock.json.JsonException: org.forgerock.json.crypto.JsonCryptoException: javax.crypto.BadPaddingException: Given final block not properly padded

Recent Changes

Made changes to the keystore.

Used an existing configuration with a new instance of IDM/OpenIDM.

Restarted a cluster or added a new node to the cluster in OpenIDM 3.x or 4.x.

Causes

This error typically occurs when the key in the current keystore is different from the key previously used to encrypt an attribute within IDM/OpenIDM's configuration. The key used when generating the $crypto block is referenced by its keystore alias, and the key (or certificate) stored under that alias must not be changed in the keystore between encryption and decryption. This issue affects configuration files such as provisioner configuration files (for example, provisioner.openicf-ldap.json) and external.email.json (these files are located in the /path/to/idm/conf directory), where some attributes are automatically encrypted, as well as any value that has been manually encrypted using the CLI tool and added to the configuration.
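As an added illustration (not code from the article or from IDM/OpenIDM) of why a changed key surfaces as this particular exception: AES/CBC/PKCS5Padding decrypts the data first and only afterwards checks that the final plaintext block ends in valid PKCS#5 padding. Under the wrong key that block is effectively random bytes, so the check fails and javax.crypto raises BadPaddingException. The Python below implements that padding rule, uses constructed sample blocks to stand in for a right-key and a wrong-key decryption result, and computes how often a random block would slip past the check.

```python
"""PKCS#5 padding check behind "Given final block not properly padded".

Added example, not code from the article or from IDM/OpenIDM. It implements
the rule that AES/CBC/PKCS5Padding applies to the last decrypted block.
"""
from fractions import Fraction

BLOCK = 16  # AES block size in bytes


class BadPadding(ValueError):
    """Stand-in for javax.crypto.BadPaddingException."""


def pkcs5_pad(data: bytes) -> bytes:
    """Append n bytes of value n (1 <= n <= 16) so the length is a block multiple."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes) -> bytes:
    """Strip the padding; raise BadPadding if the final block breaks the rule."""
    if not data or len(data) % BLOCK:
        raise BadPadding("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise BadPadding("Given final block not properly padded")
    return data[:-n]


def final_block_is_valid(final_block: bytes) -> bool:
    """True if a decrypted final block would pass the padding check."""
    try:
        pkcs5_unpad(final_block)
        return True
    except BadPadding:
        return False


def probability_random_block_passes() -> Fraction:
    """Chance that a uniformly random 16-byte block passes the padding check.

    A wrong AES key turns the final block into effectively random bytes, so
    this is also the chance that a key mismatch goes unreported and garbage
    is returned instead of BadPaddingException (about 1 in 255).
    """
    return sum(Fraction(1, 256 ** n) for n in range(1, BLOCK + 1))


# Constructed values: the final plaintext block as it looks after decrypting
# with the right key (well-formed padding) and with a wrong key (arbitrary
# bytes; here the last byte is 0x5a = 90, which is outside 1..16).
RIGHT_KEY_BLOCK = pkcs5_pad(b"password")
WRONG_KEY_BLOCK = bytes.fromhex("5d3a9f0c7e21b84466f0a1c39b7d2e5a")

if __name__ == "__main__":
    print("right key:", final_block_is_valid(RIGHT_KEY_BLOCK))
    print("wrong key:", final_block_is_valid(WRONG_KEY_BLOCK))
    print("random block passes with probability", float(probability_random_block_passes()))
```

A consequence worth knowing when troubleshooting: roughly one wrong-key decryption in 255 happens to produce well-formed padding, so the absence of this error after a keystore change does not prove the keys match; the decrypted value would simply be garbage.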

This mismatch in keys can happen when either:

  • You have made changes to the keystore, or
  • You have used the configuration from another IDM/OpenIDM instance.

It can also happen in OpenIDM 3.x and 4.x if you fail to start the clustered-first node before any other nodes due to the way in which the keystore is loaded. See FAQ: Clusters in IDM/OpenIDM (Q. How does the keystore get loaded in a clustered environment?) for further information.

Solution

This issue can be resolved as follows, depending on the cause:

  • You have made changes to the keystore - this can be resolved using one of the following methods:
    • Revert any changes to the IDM/OpenIDM keystore and return the previous key to its original location.
    • Remove the crypto blocks from the configuration files and replace them with clear text passwords per the Removing crypto blocks example below. The clear text password will be re-encrypted when IDM/OpenIDM reads the configuration with the current secret key in the keystore of the installation. You should do this for all configuration files that contain $crypto blocks.
  • You have used the configuration from another IDM/OpenIDM instance - this can be resolved using one of the following methods:
    • Copy the keystore from the original IDM/OpenIDM instance (the one from which you took the configuration) to the new instance.
    • Remove the crypto blocks from the configuration files and replace them with clear text passwords per the Removing crypto blocks example below. The clear text password will be re-encrypted when IDM/OpenIDM reads the configuration with the current secret key in the keystore of the installation. You should do this for all configuration files that contain $crypto blocks.
  • The clustered-first node was not the first node started - this can be resolved by ensuring you always start the clustered-first node first.

Removing crypto blocks example

You can remove crypto blocks as follows:

  1. Shut down the IDM/OpenIDM instance.
  2. Update the configuration files to remove the $crypto blocks. For example, in an LDAP provisioner configuration file, you would change the following:

         "principal" : "cn=Directory Manager",
         "credentials" : {
             "$crypto" : {
                 "type" : "x-simple-encryption",
                 "value" : {
                     "cipher" : "AES/CBC/PKCS5Padding",
                     "stableId" : "openidm-sym-default",
                     "salt" : "cQT6VZXz9G91RV87dbLM+A==",
                     "data" : "YTpjLiT1igQ1ATrHIKcsiQ==",
                     "keySize" : 16,
                     "purpose" : "idm.config.encryption",
                     "iv" : "CaorpaRq6v410nPFRjmIXw==",
                     "mac" : "Q+GQGOQllGy4DPq8Ti88MQ=="
                 }
             }
         },

     To:

         "principal" : "cn=Directory Manager",
         "credentials" : "password",

     Where password is your actual DS/OpenDJ password for cn=Directory Manager in clear text.
  3. Restart the IDM/OpenIDM instance. The startup process re-encrypts the password in the configuration files with the key in the instance keystore.
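The following script is an added example (not part of the article or of IDM/OpenIDM) in support of step 2 and of the advice above to treat every configuration file that contains $crypto blocks: it walks a conf directory, lists each $crypto block with its file, JSON path, stableId and purpose, and flags blocks whose stableId is not among the aliases of the current keystore or whose fields are malformed. The alias set KEYSTORE_ALIASES and the two sample files it writes to a temporary directory are constructed for the demonstration; the first sample reuses the block layout shown above, the second references an alias that is assumed to be missing.

```python
"""Inventory $crypto blocks in IDM/OpenIDM conf/*.json files (added example)."""
import base64
import json
import os
import tempfile

# Aliases the current keystore is assumed to contain; in practice take them
# from `keytool -list` against the instance keystore.
KEYSTORE_ALIASES = {"openidm-sym-default"}


def crypto_block(stable_id, salt, data, iv, mac):
    """Build a $crypto block in the x-simple-encryption layout shown in the article."""
    return {"$crypto": {"type": "x-simple-encryption", "value": {
        "cipher": "AES/CBC/PKCS5Padding", "stableId": stable_id, "salt": salt,
        "data": data, "keySize": 16, "purpose": "idm.config.encryption",
        "iv": iv, "mac": mac}}}


ZERO16 = "AAAAAAAAAAAAAAAAAAAAAA=="  # 16 zero bytes, constructed filler
# Constructed sample files: one sane block, one with a missing alias and a
# data field that decodes to 17 bytes (not a multiple of the AES block size).
SAMPLE_CONF = {
    "provisioner.openicf-ldap.json": {"configurationProperties": {
        "principal": "cn=Directory Manager",
        "credentials": crypto_block("openidm-sym-default", "cQT6VZXz9G91RV87dbLM+A==",
                                    "YTpjLiT1igQ1ATrHIKcsiQ==", "CaorpaRq6v410nPFRjmIXw==",
                                    "Q+GQGOQllGy4DPq8Ti88MQ=="),
    }},
    "external.email.json": {
        "host": "smtp.example.com",
        "password": crypto_block("old-sym-key", ZERO16, "AAAAAAAAAAAAAAAAAAAAAAA=", ZERO16, ZERO16),
    },
}


def walk_crypto(node, path=""):
    """Yield (json_path, crypto_object) for every "$crypto" key under node."""
    if isinstance(node, dict):
        if "$crypto" in node:
            yield path, node["$crypto"]
        for key, child in node.items():
            yield from walk_crypto(child, f"{path}/{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_crypto(child, f"{path}[{i}]")


def check_block(crypto, aliases):
    """Return the problems found in one $crypto block (empty list = looks sane)."""
    problems = []
    value = crypto.get("value", {})
    if crypto.get("type") != "x-simple-encryption":
        problems.append(f"unexpected type {crypto.get('type')!r}")
    alias = value.get("stableId")
    if alias not in aliases:
        problems.append(f"stableId {alias!r} is not an alias in the current keystore")
    for field in ("salt", "data", "iv", "mac"):
        try:
            raw = base64.b64decode(value.get(field, ""), validate=True)
        except ValueError:  # binascii.Error is a ValueError
            problems.append(f"{field} is not valid base64")
            continue
        if not raw:
            problems.append(f"{field} is missing or empty")
        elif field == "iv" and len(raw) != 16:
            problems.append(f"iv is {len(raw)} bytes; AES/CBC needs 16")
        elif field == "data" and len(raw) % 16:
            problems.append(f"data is {len(raw)} bytes, not a multiple of the 16-byte AES block")
    return problems


def scan_conf_dir(conf_dir, aliases):
    """Inventory every $crypto block in conf_dir/*.json, with its problems."""
    records = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".json"):
            continue
        with open(os.path.join(conf_dir, name), encoding="utf-8") as fh:
            root = json.load(fh)
        for path, crypto in walk_crypto(root):
            value = crypto.get("value", {})
            records.append({"file": name, "path": path,
                            "stableId": value.get("stableId"),
                            "purpose": value.get("purpose"),
                            "problems": check_block(crypto, aliases)})
    return records


def demo():
    """Write the constructed samples to a temporary directory and scan them."""
    conf_dir = tempfile.mkdtemp(prefix="idm-conf-")
    for name, body in SAMPLE_CONF.items():
        with open(os.path.join(conf_dir, name), "w", encoding="utf-8") as fh:
            json.dump(body, fh, indent=2)
    return scan_conf_dir(conf_dir, KEYSTORE_ALIASES)


if __name__ == "__main__":
    for rec in demo():
        status = "OK" if not rec["problems"] else "; ".join(rec["problems"])
        print(f'{rec["file"]}: {rec["path"]} (stableId={rec["stableId"]}) -> {status}')
```

Run it as-is to see the report on the samples, or call scan_conf_dir('/path/to/idm/conf', aliases) with the aliases listed by keytool for the instance keystore. Note the limit of the check: it catches a block whose alias no longer exists in the keystore, but not a key that was replaced under the same alias, which still fails only at decryption time.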

See Also

How do I change the default keystore password in OpenIDM 4.x?

How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore?

How do I hash the password for openidm-admin before the first startup of IDM/OpenIDM (All versions)?

FAQ: Clusters in IDM/OpenIDM

How do I manage configuration changes within a cluster in OpenIDM 3.x and 4.x?

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.
