
BoleslawMynarsk (Customer) asked a question.
Running on v7.5.2 P07. I see the following in aveksaServer.log: Error in decryption method=ManagePasswordTypeProperties
The full line in the error log is:
"01/17/2024 08:09:45.609 ERROR (default task-936) [com.aveksa.server.utils.PasswordTypePropertyHandler] Error in decryption method=ManagePasswordTypeProperties java.lang.IllegalStateException: An issue with handling encryption was encountered" - example from today.
I believe I started to see these after migrating from 7.2.1+ to v7.5.2.
Is there any documentation/How-To on how to prevent these messages from appearing?
RSA Governance & Lifecycle encrypts all stored passwords in the product using a key unique to that deployment. Most of these are passwords associated with collectors, but all passwords are encrypted, including things like the email server's password, etc. The encryption keys are called KEK keys. The error message indicates the KEK key for a particular password was not found.
I believe the only way to get this error is if the KEK keys are missing. This can only happen if the database was imported from another server and the KEK keys were not imported at the same time.
If the KEK keys are not recoverable, then the passwords will never be recoverable, and you will always get this error (for that password). In addition, there will be a failure for that collector or component where the password is un-decryptable.
The resolution is to import the KEK keys from the other system. This will resolve all occurrences of this error.
If the KEK keys are not recoverable (the database export was done a long time ago), there is no solution to this error except to enter new passwords everywhere they are used in the product. When a new password is saved, it will be encrypted with the new (current) KEK keys.
Unfortunately (at this time) the error message in 7.5.2 does not say which component's password was un-decryptable. We actually do not want to suppress these error messages, as they are sometimes useful: they can help us understand collector failures that might be related to missing passwords. You can sometimes infer which collector is failing from the context of this error message in relation to other log messages.
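One way to apply the tip above about reading the error in the context of surrounding log messages, as an added example that is not from this thread or from RSA: a small Python script that parses aveksaServer.log lines in the format of the quoted error (timestamp, level, thread, class, message), finds each KEK decryption error, and reports the last few messages logged on the same thread before it, which is where the collector or component name usually appears. The error line is taken from the question; the neighbouring sample lines, their class names and the collector name are constructed for illustration.

```python
import re
from collections import defaultdict

# Log line shape taken from the error quoted in the question:
# "MM/DD/YYYY HH:MM:SS.mmm LEVEL (thread) [class] message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \((?P<thread>[^)]*)\) \[(?P<cls>[^\]]*)\] (?P<msg>.*)$"
)
DECRYPT_ERR = "Error in decryption method=ManagePasswordTypeProperties"

def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def decryption_error_context(lines, window=3):
    """For every KEK decryption error, return the preceding `window` messages
    logged by the same thread; those usually name the collector or component
    whose stored password could not be decrypted."""
    recent = defaultdict(list)   # thread -> last `window` messages on that thread
    findings = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue
        if DECRYPT_ERR in rec["msg"]:
            findings.append({
                "timestamp": rec["ts"],
                "thread": rec["thread"],
                "context": list(recent[rec["thread"]]),
            })
        recent[rec["thread"]].append(rec["msg"])
        del recent[rec["thread"]][:-window]   # keep only the newest `window` entries
    return findings

# Constructed sample log: the class names and collector name in the context
# lines are made up; only the ERROR line is the one quoted in the question.
SAMPLE_LOG = """\
01/17/2024 08:09:45.100 INFO (default task-936) [com.example.CollectorRunner] Starting collection run for collector=HR-LDAP-Accounts
01/17/2024 08:09:45.300 INFO (default task-12) [com.example.Scheduler] Heartbeat
01/17/2024 08:09:45.400 INFO (default task-936) [com.example.CollectorRunner] Loading connection properties for collector=HR-LDAP-Accounts
01/17/2024 08:09:45.609 ERROR (default task-936) [com.aveksa.server.utils.PasswordTypePropertyHandler] Error in decryption method=ManagePasswordTypeProperties java.lang.IllegalStateException: An issue with handling encryption was encountered
""".splitlines()

if __name__ == "__main__":
    for f in decryption_error_context(SAMPLE_LOG):
        print(f["timestamp"], f["thread"])
        for msg in f["context"]:
            print("   <-", msg)
```

Run it against a real aveksaServer.log by replacing SAMPLE_LOG with the file's lines; an error whose thread context never mentions a collector is the "unused collector" case described later in this thread.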
Curious:
Are the KEK keys, the ones that are stored in "<ACM install directory>/security" ?
(usually as xxx.key files)
I sometimes get extra key files in the security folders... and try to back them all up... and send them to all ACM nodes in the cluster...
Yes.
@BoleslawMynarsk (Customer) Most of the time we see this in QA/DEV where there really was not a concerted effort to retain the files or the passwords.
The key point is that, for certain, if the password is not decryptable, that collector (or component) is already not working, and there are other symptoms, besides the error message, that are more actionable for resolving the problem.
If you have this error and you don't have any problems, then it's a collector that is not being used. The messages can be ignored in that use case.