Article Number
000034797
Applies To
RSA Product Set: RSA Identity Governance & Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2, 7.1.x
Issue
The AFX Server in RSA Identity Governance & Lifecycle remains in a Not running state in the user interface (AFX > Servers).
When starting AFX, the following errors are logged to the AFX log files:
/home/{afxuser}/AFX/esb/logs/esb.AFX-INIT.log:
2017-02-02 09:13:06.707 [INFO] org.mule.lifecycle.AbstractLifecycleManager:193 - Starting: 'connector.https.mule.default.dispatcher.697427580'.
Object is: HttpsClientMessageDispatcher
2017-02-02 09:13:06.948 [INFO] com.aveksa.afx.server.init.SubmitInitializationRequestComponent:150 - Initialization response received
2017-02-02 09:13:06.951 [INFO] com.aveksa.afx.server.init.InitializationResponseProcessorComponent:37 - Processing initialization response
2017-02-02 09:13:06.975 [ERROR] com.aveksa.afx.server.init.InitializationResponseProcessorComponent:103 - Error processing initialization response
java.lang.IllegalStateException: An issue with handling encryption was encountered
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
.....
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version:
keyVersion[qG7]; Value[ENCAqG7(hvZ...)]
-- Check that the security key file is not missing
at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:495)
... 53 more
/home/{afxuser}/AFX/esb/logs/mule_ee.log:
ERROR 2017-02-02 09:13:07,030 [WrapperListener_start_runner] org.mule.module.launcher.DefaultArchiveDeployer:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Failed to deploy artifact '10_AFX-INIT', see below +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
org.mule.module.launcher.DeploymentInitException: EncryptionException: Value to be decrypted has no associated encryptor
for its embedded key version: keyVersion[qG7]; Value[ENCAqG7(hvZ...)]
-- Check that the security key file is not missing
Cause
This issue may occur if the configuration data for the AFX Server was encrypted with a different key than the system-wide encryption keys stored in /home/oracle/security. This may happen for a variety of reasons, including the following examples:
- The database has been restored from a different system with different encryption keys.
- One node in a multi-node cluster is incorrectly using different encryption keys than the SON node.
- The AFX Server Archive has been exported from a different system than it was deployed on.
All passwords in the AFX configuration, including the default truststore password, are encrypted with the system encryption keys. If the current keys do not match the keys used to encrypt any of that data, including data in the connector definitions, these errors are generated.
System-wide encryption keys were introduced in version 7.0.1 and are used in later versions.
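To confirm from the shell that a failed start matches this cause, the key versions named in the errors can be pulled out of the AFX logs. The script below is an added example, not RSA-supplied code; the function names `afx_missing_key_versions` and `sample_log` are hypothetical, and the sample lines are constructed from the log excerpts above.

```shell
#!/bin/sh
# Added example (not from the RSA article): report which embedded key versions
# the AFX logs say have no associated encryptor, with an occurrence count.
#
# Usage after sourcing this file (paths as given in the article):
#   afx_missing_key_versions /home/{afxuser}/AFX/esb/logs/esb.AFX-INIT.log \
#                            /home/{afxuser}/AFX/esb/logs/mule_ee.log

afx_missing_key_versions() {
    # The keyVersion[...] token can sit on the same line as the error text or
    # be wrapped onto the following line, so keep looking for one extra line.
    # Tokens that are not preceded by the error text are ignored.
    awk '
        /no associated encryptor/ { pending = 2 }
        pending > 0 {
            if (match($0, /keyVersion\[[^]]+\]/)) {
                # Strip the leading "keyVersion[" (11 chars) and trailing "]".
                v = substr($0, RSTART + 11, RLENGTH - 12)
                count[v]++
                pending = 0
            } else {
                pending--
            }
        }
        END { for (v in count) printf "%s %d\n", v, count[v] }
    ' "$@" | sort
}

# Constructed sample input modelled on the article's excerpts: one wrapped
# error, one single-line error, and one unrelated line that must not count.
sample_log() {
    cat <<'EOF'
2017-02-02 09:13:06.975 [ERROR] Error processing initialization response
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version:
keyVersion[qG7]; Value[ENCAqG7(hvZ...)]
-- Check that the security key file is not missing
org.mule.module.launcher.DeploymentInitException: EncryptionException: Value to be decrypted has no associated encryptor for its embedded key version: keyVersion[qG7]; Value[ENCAqG7(hvZ...)]
2017-02-02 09:13:07.100 [INFO] constructed unrelated line mentioning keyVersion[abc]
EOF
}
```

Each output line is a key version followed by the number of errors that referenced it; any version listed is one for which the running system has no matching key.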
Resolution
Recover all encryption key files from the master key storage directory, /home/oracle/security, as per the instructions in the RSA Identity Governance & Lifecycle Database Setup and Management Guide for your version.
Workaround
If you elect not to recover the Encryption Key from the master key storage directory, then the AFX startup failure can be resolved by re-encrypting the AFX Default Truststore Password.
Under the AFX > Servers menu:
- Select the AFX Server instance that has failed.
- Edit the AFX Server and navigate to the Default Truststore Password field.
- Enter the password changeit and save the changes.
- Restart the AFX Server from the command line as the afx user.
afx restart
This will ensure that the Default TrustStore is encrypted with the current keys.
NOTE: If you have imported any AFX connectors from another system, you will have to edit each of the connectors and update any encrypted fields (passwords) by re-entering the password and saving the connector definition.