000034622 - Error while importing RSA Identity Management and Governance Collector metadata: java.lang.IllegalStateException: An issue while handling encryption was encountered

Document created by RSA Customer Support Employee on Jan 5, 2017
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000034622
Applies To:
RSA Product Set: Identity Management and Governance
RSA Version/Condition: 6.9.x, 7.0.x
 
Issue: When a metadata file that was exported from another RSA Identity Management and Governance server is imported through the user interface from Admin > Import/Export, the import fails with the following error in the aveksaServer.log:
05/24/2016 04:17:44.121 ERROR (default task-47) [com.aveksa.server.export.ExportImportConverter] unmarshal
com.aveksa.server.runtime.ServerException: ExportedRoleDataCollector: error
        at com.aveksa.server.export.proxy.ProxyObject.toServerException(ProxyObject.java:148)
        at com.aveksa.server.export.proxy.ProxyObject.toServerException(ProxyObject.java:156)
        at com.aveksa.server.export.proxy.ExportedRoleDataCollector.normalizeAndPersist(ExportedRoleDataCollector.java:80)
        at com.aveksa.server.export.proxy.ProxyObject.unmarshall(ProxyObject.java:63)
        at com.aveksa.server.export.ExportImportConverter.unmarshal(ExportImportConverter.java:118)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
        at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1058)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1030)
        at com.thoughtworks.xstream.XStream$2.readFromStream(XStream.java:1723)
        at com.thoughtworks.xstream.core.util.CustomObjectInputStream.readObjectOverride(CustomObjectInputStream.java:104)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:364)
        at com.aveksa.server.export.ExportImportController.importMetadata(ExportImportController.java:114)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportTablePage.processTable(ImportTablePage.java:65)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportWizard.processTable(ImportWizard.java:139)
        at com.aveksa.gui.pages.admin.metadata.edit.CommonPromptPage.handleSubmit(CommonPromptPage.java:54)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportPromptPage.handleSubmit(ImportPromptPage.java:55)
        at com.aveksa.gui.pages.base.data.wizard.StepWizardDialogData.handleRequest(StepWizardDialogData.java:113)
        at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:577)
        at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:341)
        at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:272)
        at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:177)
        at com.aveksa.gui.core.MainManager.doGet(MainManager.java:126)
        at com.aveksa.gui.core.MainManager.doPost(MainManager.java:412)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
        at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
        at java.security.AccessController.doPrivileged(Native Method)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
        at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
        at com.aveksa.server.utils.PasswordTypePropertyHandler.convertPassword(PasswordTypePropertyHandler.java:93)
        at com.aveksa.server.utils.PasswordTypePropertyHandler.managePasswordTypeProperties(PasswordTypePropertyHandler.java:63)
        at com.aveksa.server.core.DataCollector.managePasswordTypeProperties(DataCollector.java:963)
        at com.aveksa.server.core.DataCollector.setBaseDataCollectorVO(DataCollector.java:387)
        at com.aveksa.server.core.RoleDataCollector.getRoleDataCollectorVO(RoleDataCollector.java:163)
        at com.aveksa.server.export.proxy.ExportedRoleDataCollector.normalizeAndPersist(ExportedRoleDataCollector.java:58)
        ... 64 more
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its
embedded key version: keyVersion[XyZ]; Value[ENCAQcV(XyZ...)]
-- Check that the security key file is not missing
        at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:495)
        ... 70 more

Cause: Beginning in 6.9.1, the security mechanisms in RSA Identity Management and Governance changed to eliminate passwords stored in clear text and to make encryption key handling more secure and robust. Because of these changes, the import of exported metadata from a different server fails: as the EncryptionException in the log shows, the exported password value carries a key version for which the importing server has no associated encryptor.
Workaround: To use the import option, manually remove the encrypted password from the exported XML metadata file before importing it, then set the password through the user interface once the object has been imported into the new environment.
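One way to script the manual removal step, shown as an added example that is not RSA's tooling or part of the original article. It assumes encrypted values can be recognised by the "ENC" prefix seen in the log's Value[...] fragment; the element and attribute names in the sample are hypothetical, since the article does not show the export schema.

```python
import xml.etree.ElementTree as ET

# Assumption: encrypted values start with "ENC", as in Value[ENCAQcV(...)] in
# the log above. The length/whitespace test is a heuristic; review the findings.
ENC_PREFIX = "ENC"

# Constructed sample. Tag and attribute names are hypothetical placeholders.
SAMPLE_EXPORT = """<export>
  <collector name="HR Roles">
    <property name="url">jdbc:oracle:thin:@db.example.test:1521:hr</property>
    <property name="password">ENCAQcVconstructedvalue</property>
  </collector>
  <collector name="LDAP Roles" bindPassword="ENCAQcVanotherconstructed">
    <property name="host">ldap.example.test</property>
  </collector>
</export>"""


def looks_encrypted(value, prefix=ENC_PREFIX):
    v = value.strip()
    return v.startswith(prefix) and len(v) >= 12 and len(v.split()) == 1


def strip_encrypted_values(xml_text, prefix=ENC_PREFIX):
    """Blank element text and attribute values that look encrypted.

    Returns (cleaned_xml, findings); findings lists each blanked location so
    the passwords can be re-entered through the user interface after import.
    """
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.get("name"):
            here += f"[@name='{elem.get('name')}']"
        if elem.text and looks_encrypted(elem.text, prefix):
            elem.text = ""
            findings.append(here)
        for attr, value in list(elem.attrib.items()):
            if looks_encrypted(value, prefix):
                elem.set(attr, "")
                findings.append(f"{here}/@{attr}")
        for child in elem:
            walk(child, here)

    walk(root, "")
    return ET.tostring(root, encoding="unicode"), findings


if __name__ == "__main__":
    for location in strip_encrypted_values(SAMPLE_EXPORT)[1]:
        print("blanked, re-enter after import:", location)
```

Run it on a copy of the exported file and keep the original; the findings list is the checklist of passwords to set again in the new environment.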
 
Notes: Improvements are anticipated in future releases so that the import gives a warning to re-enter the password instead of failing with an error.
