000039119 - "Unable to generate key for seed" error while accessing back-office application modules on JBoss 7.2.3 in RSA Adaptive Authentication (on Premise)

Document created by RSA Customer Support Employee on Aug 26, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039119
Applies ToRSA Product Set: RSA Adaptive Authentication (OnPrem)
RSA Product/Service Type: Back Office Applications
RSA Version/Condition: 7.x
Issue

Customer reported that they are not able to access BackOffice application module Back-Office Applications and eFraudNetwork on JBoss Application Server 7.2.3 and the following error was observed in backoffice.log file: 




2020-01-14 10:15:40,983 ERROR [default task-1] [] [] [com.rsa.csd.security.impl.EncryptImpl] - <[Ljava.lang.StackTraceElement;@45a71d1d>
2020-01-14 10:15:40,984 ERROR [default task-1] [] [] [com.rsa.csd.config.GenConfigCommandBase] - <[Ljava.lang.StackTraceElement;@29d4e16a>
2020-01-14 10:15:40,984 ERROR [default task-1] [] [] [com.rsa.csd.config.AAOPGenConfigProxyImpl] - <Error getting parameter:>
com.rsa.csd.config.IGenConfigService$GenConfigException: java.lang.SecurityException: unable to generate key for seed:4nUV9hVrqF1SVhUX6IRTxDmlwRDO22XD
    at com.rsa.csd.config.GenConfigCommandBase.decryptParamValues(GenConfigCommandBase.java:430)
    at com.rsa.csd.config.GenConfigViewStagingCommand.execute(GenConfigViewStagingCommand.java:59)
    at com.rsa.csd.config.AAOPGenConfigProxyImpl.invoke(AAOPGenConfigProxyImpl.java:119)
    at com.rsa.csd.config.AAOPGenConfigProxyImpl$$FastClassBySpringCGLIB$$12b87dd4.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:204)
    at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.java:718)
    at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:157)
    at org.springframework.aop.aspectj.MethodInvocationProceedingJoinPoint.proceed(MethodInvocationProceedingJoinPoint.java:85)
    at com.rsa.csd.config.BusinessAuditTrailInterceptor.auditService(BusinessAuditTrailInterceptor.java:29)
    at sun.reflect.GeneratedMethodAccessor394.invoke(Unknown Source)



In the BackOffice UI, the below error message was observed: 



User-added image



 



Customer was not able to update or make any changes in the Back-Office Applications and eFraudNetwork module.




 

Cause

The cause of the issue can be any of the below:



  1. “com.rsa.jsafe.provider.JsafeJCE” parameter in the java.security file in Java.
  2. If "jboss.vfs.forceVfsJar" property is not set to true. For more information, see the issue JBAS-7882, “Wrong provider code base for security provider included in packed ear” on the JBoss website.
  3. The issue with the crypto.jar file. (File corrupt or issue in loading the file)
Resolution

With DEBUG mode logs and logs captured after replacing pmcore-7.3.0.6.0.jar file(with extra loggers) provided by Engineering team, we could identify the below errors: 



  1. java.security.NoSuchProviderException: JCE cannot authenticate the provider JsafeJCE.
  2. Caused by: java.lang.SecurityException: Cannot verify jar:vfs:/content/backoffice.war/WEB-INF/lib/cryptoj-6.1.3.jar!/

From the above, we notice that for the first time it created new CRYPTO-J JCE PROVIDER but JCE cannot authenticate the Provider JsafeJCE(which was created).



Recommended the customer to use the solution which exists in RSA link: https://community.rsa.com/docs/DOC-46343




<jboss-deployment-structure>
<deployment>
<dependencies>
<module name="org.jboss.ironjacamar.jdbcadapters"/>
</dependencies>
<resources>
<resource-root path="WEB-INF/lib/cryptoj-6.1.3.jar" use-physical-code-source="true"/>
</resources>
</deployment>
</jboss-deployment-structure>

 

After applying the changes and restarting the services, JBOSS could pick and load the cryptoj-6.1.3.jar file which resolved the issue.



Attachments

    Outcomes