Topic
  • 10 replies
  • Latest Post - ‏2013-11-20T03:33:42Z by BodenMorrison
SystemAdmin
9855 Posts

Pinned topic com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

‏2012-06-02T12:47:49Z |
<Trace Level="MIN">
<Time Millis="1338290099945"> 2012.05.29 19:14:59.945+08:00</Time>
<Server Format="IP">yztim-web-a</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.dataservices.ldap</Component>
<ProductInstance>myserver</ProductInstance>
<LogText><![CDATA[Failed to decrpt a value that is expected to be encrypted B@11881188. See enrole.properties for a list of attributes that are expected to be encrypted.]]></LogText>
<Source FileName="com.ibm.itim.dataservices.ldap.LdapUtil" Method="decryptPasswordAttribute"/>
<Thread>WebContainer : 73</Thread>
<Exception><![CDATA[com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误。发生了以下错误。
错误:Given final block not properly padded
at com.ibm.itim.util.EncryptionManager.decrypt(EncryptionManager.java:880)
at com.ibm.itim.util.EncryptionManager.decrypt(EncryptionManager.java:850)
at com.ibm.itim.dataservices.ldap.LdapUtil.decryptPasswordAttribute(LdapUtil.java:301)
at com.ibm.itim.dataservices.ldap.LdapUtil.getObjectAttributes(LdapUtil.java:121)
at com.ibm.itim.cache.ldap.LdapCacheDAO.searchSingle(LdapCacheDAO.java:102)
at com.ibm.itim.cache.ldap.LdapCacheDAO.search(LdapCacheDAO.java:54)
at com.ibm.itim.cache.was.WasDistributedCacheImpl.get(WasDistributedCacheImpl.java:114)
at com.ibm.itim.cache.was.WasDistributedCacheCoordinator.get(WasDistributedCacheCoordinator.java:47)
at com.ibm.itim.dataservices.ldap.LdapDaoCachedImpl.read(LdapDaoCachedImpl.java:76)
at com.ibm.itim.dataservices.model.domain.PersonSearch.lookup(PersonSearch.java:141)
at sun.reflect.GeneratedMethodAccessor512.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.ibm.itim.apps.impl.ManagedObjectImplBean.getData(ManagedObjectImplBean.java:223)
at com.ibm.itim.apps.impl.EJSRemoteStatelessenroleejb_ManagedObjectImplHome_81918f0c.getData(Unknown Source)
at com.ibm.itim.apps.impl._ManagedObjectImpl_Stub.getData(_ManagedObjectImpl_Stub.java:280)
at com.ibm.itim.apps.identity.PersonMO$1.run(PersonMO.java:130)
at com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextImpl.doAs(WebSpherePlatformContextImpl.java:114)
at com.ibm.itim.apps.identity.PersonMO.getData(PersonMO.java:121)
at com.ibm.itim.ui.impl.PersonSearchImpl.getPersonByDNStr(PersonSearchImpl.java:493)
at com.ibm.itim.ui.impl.AccountImpl.getOwner(AccountImpl.java:570)
at com.ibm.itim.ui.listener.account.AccountFilterFindByServiceListener.getTableRow(AccountFilterFindByServiceListener.java:189)
at com.ibm.itim.ui.listener.AbstractFilterFindListener.prepareResultsTable(AbstractFilterFindListener.java:459)
at com.ibm.itim.ui.listener.AbstractFilterFindListener.commandPerformed(AbstractFilterFindListener.java:371)
at com.ibm.itim.ui.listener.account.AccountFilterFindByServiceListener.commandPerformed(AccountFilterFindByServiceListener.java:134)
at com.ibm.itim.ui.view.service.ManageServicesAccountsView.refreshAccountsTable(ManageServicesAccountsView.java:134)
at com.ibm.itim.ui.listener.service.ManageServicesAccountsListener.handleEvent(ManageServicesAccountsListener.java:119)
at com.ibm.itim.ui.listener.AbstractManageResourceListener.commandPerformed(AbstractManageResourceListener.java:72)
at com.ibm.psw.wcl.core.CommandHandler.handleCommand(Unknown Source)
at com.ibm.psw.wcl.core.form.AWInputComponent$EInputComponentCommandListener.commandPerformed(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm.callInputCommandListeners(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm.handleCommand(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm$EFormCallback.handleTrigger(Unknown Source)
at com.ibm.psw.wcl.core.trigger.Trigger.process(Unknown Source)
at com.ibm.psw.wcl.core.trigger.TriggerManager.processTrigger(Unknown Source)
at com.ibm.psw.wcl.core.trigger.TriggerManager.handleRequest(Unknown Source)
at com.ibm.psw.wcl.core.WclFacade.handleRequest(Unknown Source)
at com.ibm.itim.ui.controller.ITIMControlServlet.handleWithWCL(ITIMControlServlet.java:696)
at com.ibm.itim.ui.controller.ITIMControlServlet.doGet(ITIMControlServlet.java:238)
at com.ibm.itim.ui.controller.ITIMControlServlet.doPost(ITIMControlServlet.java:658)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1213)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1154)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.ibm.itim.ui.impl.customform.SubFormLegacyFilter.doFilter(SubFormLegacyFilter.java:118)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:848)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:691)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:654)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:526)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3574)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:269)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:831)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:133)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:450)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:508)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:296)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1551)
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Unknown Source)
at com.ibm.itim.util.EncryptionManager.decrypt(EncryptionManager.java:869)
... 69 more
]]></Exception>
</Trace>

<Trace Level="MIN">
<Time Millis="1338290099966"> 2012.05.29 19:14:59.966+08:00</Time>
<Server Format="IP">yztim-web-a</Server>
<ProductId>CTGIM</ProductId>
<Component>com.ibm.itim.util</Component>
<ProductInstance>myserver</ProductInstance>
<LogText><![CDATA[Exception during decryption]]></LogText>
<Source FileName="com.ibm.itim.util.EncryptionManager" Method="decrypt(byte[],Cipher)"/>
<Thread>WebContainer : 73</Thread>
<Exception><![CDATA[javax.crypto.BadPaddingException: Given final block not properly padded
at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Unknown Source)
at com.ibm.itim.util.EncryptionManager.decrypt(EncryptionManager.java:869)
at com.ibm.itim.util.EncryptionManager.decrypt(EncryptionManager.java:850)
at com.ibm.itim.dataservices.ldap.LdapUtil.decryptPasswordAttribute(LdapUtil.java:301)
at com.ibm.itim.dataservices.ldap.LdapUtil.getObjectAttributes(LdapUtil.java:121)
at com.ibm.itim.cache.ldap.LdapCacheDAO.searchSingle(LdapCacheDAO.java:102)
at com.ibm.itim.cache.ldap.LdapCacheDAO.search(LdapCacheDAO.java:54)
at com.ibm.itim.cache.was.WasDistributedCacheImpl.get(WasDistributedCacheImpl.java:114)
at com.ibm.itim.cache.was.WasDistributedCacheCoordinator.get(WasDistributedCacheCoordinator.java:47)
at com.ibm.itim.dataservices.ldap.LdapDaoCachedImpl.read(LdapDaoCachedImpl.java:76)
at com.ibm.itim.dataservices.model.domain.PersonSearch.lookup(PersonSearch.java:141)
at sun.reflect.GeneratedMethodAccessor512.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:618)
at com.ibm.itim.apps.impl.ManagedObjectImplBean.getData(ManagedObjectImplBean.java:223)
at com.ibm.itim.apps.impl.EJSRemoteStatelessenroleejb_ManagedObjectImplHome_81918f0c.getData(Unknown Source)
at com.ibm.itim.apps.impl._ManagedObjectImpl_Stub.getData(_ManagedObjectImpl_Stub.java:280)
at com.ibm.itim.apps.identity.PersonMO$1.run(PersonMO.java:130)
at com.ibm.itim.apps.impl.websphere.WebSpherePlatformContextImpl.doAs(WebSpherePlatformContextImpl.java:114)
at com.ibm.itim.apps.identity.PersonMO.getData(PersonMO.java:121)
at com.ibm.itim.ui.impl.PersonSearchImpl.getPersonByDNStr(PersonSearchImpl.java:493)
at com.ibm.itim.ui.impl.AccountImpl.getOwner(AccountImpl.java:570)
at com.ibm.itim.ui.listener.account.AccountFilterFindByServiceListener.getTableRow(AccountFilterFindByServiceListener.java:189)
at com.ibm.itim.ui.listener.AbstractFilterFindListener.prepareResultsTable(AbstractFilterFindListener.java:459)
at com.ibm.itim.ui.listener.AbstractFilterFindListener.commandPerformed(AbstractFilterFindListener.java:371)
at com.ibm.itim.ui.listener.account.AccountFilterFindByServiceListener.commandPerformed(AccountFilterFindByServiceListener.java:134)
at com.ibm.itim.ui.view.service.ManageServicesAccountsView.refreshAccountsTable(ManageServicesAccountsView.java:134)
at com.ibm.itim.ui.listener.service.ManageServicesAccountsListener.handleEvent(ManageServicesAccountsListener.java:119)
at com.ibm.itim.ui.listener.AbstractManageResourceListener.commandPerformed(AbstractManageResourceListener.java:72)
at com.ibm.psw.wcl.core.CommandHandler.handleCommand(Unknown Source)
at com.ibm.psw.wcl.core.form.AWInputComponent$EInputComponentCommandListener.commandPerformed(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm.callInputCommandListeners(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm.handleCommand(Unknown Source)
at com.ibm.psw.wcl.core.form.WForm$EFormCallback.handleTrigger(Unknown Source)
at com.ibm.psw.wcl.core.trigger.Trigger.process(Unknown Source)
at com.ibm.psw.wcl.core.trigger.TriggerManager.processTrigger(Unknown Source)
at com.ibm.psw.wcl.core.trigger.TriggerManager.handleRequest(Unknown Source)
at com.ibm.psw.wcl.core.WclFacade.handleRequest(Unknown Source)
at com.ibm.itim.ui.controller.ITIMControlServlet.handleWithWCL(ITIMControlServlet.java:696)
at com.ibm.itim.ui.controller.ITIMControlServlet.doGet(ITIMControlServlet.java:238)
at com.ibm.itim.ui.controller.ITIMControlServlet.doPost(ITIMControlServlet.java:658)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:763)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1213)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:1154)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.ibm.itim.ui.impl.customform.SubFormLegacyFilter.doFilter(SubFormLegacyFilter.java:118)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:848)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:691)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:654)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:526)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3574)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:269)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:831)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1478)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:133)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:450)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewRequest(HttpInboundLink.java:508)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.processRequest(HttpInboundLink.java:296)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:196)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:751)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:881)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1551)
]]></Exception>
</Trace>
Updated on 2012-07-19T23:00:57Z at 2012-07-19T23:00:57Z by harishreddy
  • yn2000
    1086 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2012-06-02T13:45:00Z  
    Aha... I see it. I see it. I see it. It was struck out...
    "See enrole.properties for a list of attributes that are expected to be encrypted"
    So, have you seen the enrole.properties file?
    Rgds. YN.
  • harishreddy
    5 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2012-07-19T23:00:57Z  
    Hi,

    I'm also getting the same error. Were you able to resolve this?
    Thanks
    Harish
  • Priya@i3
    2 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-10T06:50:59Z  

    Hi,

    Have you found the solution to this error?

  • franzw
    339 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-10T07:36:40Z  
    • Priya@i3
    • ‏2013-10-10T06:50:59Z

    This problem is normally something that exists because some entities in the ldap are encrypted by a different scheme/key than the system expects. This can e.g. happen if you copy a service from one system to another without resetting the password.

    I also believe this happens for migrated systems coming from ITIM 4.5.1 or earlier - but I am not completely sure why this happens (and as this is not a problem I have anymore I do not want to spend time investigating it...)

    You will have to find the offending entities - I have used the following procedure:

    1.Produce a complete ldif using db2ldif

    2.Search through the ldif to find the offending attributes

    3.Fix the passwords on the entities depending on what password it is (sometimes it can be as simple as deleting the password attribute - but you need to understand what you are doing here...)

    If you are lucky you get the offending password value in the message - then the search is easy (and that is the reason for using ldif - passwords are not searchable in ldap).

    Else you have to go through the list of all password attributes, find all instances and check if each is wrong.

    HTH

    Regards

    Franz Wolfhagen

  • goonitsupport
    99 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-10T08:20:36Z  
    • franzw
    • ‏2013-10-10T07:36:40Z

    Yes this has happened to me on a number of occasions normally whilst building test systems and copying information between environments as Franz suggests. The 2 attributes that cause the problem I believe are ersynchpassword and erhistorical password. To resolve this I have just blitzed these attributes from the LDAP using TDI.

    Of course you may not have this luxury if you are in production. I believe that this is more of a problem in ISIM 6.0 than previous releases as it is less forgiving.

    Best regards,

    Updated on 2013-10-10T15:26:11Z at 2013-10-10T15:26:11Z by goonitsupport
  • Priya@i3
    2 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-10T12:47:26Z  
    • franzw
    • ‏2013-10-10T07:36:40Z

    That's right, I have migrated records of a particular dn from one TDS to another TDS on a different server. Since there are many records I am not sure how I can check all of them. So is there any other way to avoid this situation, where I can migrate an ldif file with all ITIM data from one server to another?

    Thanks

  • franzw
    339 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-10T12:57:29Z  
    • Priya@i3
    • ‏2013-10-10T12:47:26Z

    There is a reason why this is not supported by IBM :-)

    There is no easy way to get the problem resolved without finding and deleting the offending attributes - you may be lucky that you get the password binary value from the trace log - then you can find the records via e.g. an ldif file.

    To avoid this in the future - filter out any password attributes or ensure that your systems are cryptographically synchronized, i.e. using the same methods/keys/keystores for encryption.

    In general you should use either import/export, ISIM APPS API or WebServices to perform the migration - but I know - these methods are either not possible in general or very difficult to use.

    Regards

    Franz Wolfhagen

  • goonitsupport
    99 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-11T19:39:53Z  
    • franzw
    • ‏2013-10-10T12:57:29Z

    In the past you used to supply an ISIM encryption seed during install for encrypting attributes. I don't believe ISIM 6.0 prompts for this so perhaps it is using WebSphere keys?

    So when I have had to move to a new WebSphere environment I get these errors (for instance I recently reinstalled WAS because I couldn't get rid of IF003 which had broken many of the APIs).

    It is easy to delete the 2 attributes from all the entries in the LDAP but there may be other implications. I believe the problem that this may cause (I would need to test to confirm) is that when you create a new account it will complain that there is no password (if you are using synchronisation). So you may need to reset the person's password. I certainly think a change has been made here and the implications haven't been fully thought through. When this has happened to me I have been using the same LDAP server so it had nothing to do with LDAP encryption (although I could be wrong, it was a little while ago).

    Of course good systems management and backup before any change is the order of the day (and good testing when complete).

  • franzw
    339 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-10-11T20:01:04Z  

    Since 5.0 the encryption has been moved to a keystore - these property values are used in enrole.properties:

    # Encryption algorithm.  Specify 'AES' or 'PBEWithMD5AndDES'
    # This suite must be supported by a configured JCE provider.
    enrole.encryption.algorithm=AES

    # For PBEWithMD5AndDES, this is the encryption password.
    # For AES, this is the keystore password.
    enrole.encryption.password=password

    # Message digest algorithm for passwords.
    # Specify 'MD5', 'SHA-1', 'SHA-256', etc.
    enrole.encryption.passwordDigest=SHA-256

    # Keystore file name for AES key.
    # This file will be located at <ITIM_HOME>\data\keystore
    enrole.encryption.keystore=itimKeystore.jceks

    And no - there is no description available that I know of on how to copy this around without problems :-)

    The enrole.properties also contains a complete list of all (ISIM) encrypted passwords :

    ###########################################################
    # specifies which attribute will be encrypted by the dataservices component.
    password.attributes=ersynchpassword erServicePassword erServicePwd1 erServicePwd2 erServicePwd3 erServicePwd4 erADDomainPassword erPersonPassword erNotesPasswdAddCert eritamcred erep6umds erposixpassphrase

    HTH

    Regards

    Franz Wolfhagen
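
A scanner for the ldif step of the procedure Franz gave earlier in the thread (db2ldif export, then search it for the attributes named in the password.attributes list above), written here as an added Python example; it is not part of the thread, of ISIM or of any IBM tool. The LDIF content is constructed, and `find_value` assumes you were able to recover the raw ciphertext bytes of the offending value, which the trace text in the original post does not directly give.

```python
"""Find ISIM-encrypted password attributes in an LDIF export (db2ldif output)."""
import base64

# The password.attributes list from enrole.properties as quoted in the thread;
# everything else in this file is constructed for the example.
PASSWORD_ATTRIBUTES = (
    "ersynchpassword erServicePassword erServicePwd1 erServicePwd2 "
    "erServicePwd3 erServicePwd4 erADDomainPassword erPersonPassword "
    "erNotesPasswdAddCert eritamcred erep6umds erposixpassphrase"
).split()
_PW_ATTRS = {a.lower() for a in PASSWORD_ATTRIBUTES}


def parse_ldif(text):
    """Return [(dn, {attr_lower: [bytes, ...]})]. Handles RFC 2849 folded lines
    (continuations start with a space), comments and '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:           # sentinel flushes the last entry
        if line == "":
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or value.startswith("<"):  # malformed line or URL value
            continue
        if value.startswith(":"):          # base64, as db2ldif writes binaries
            data = base64.b64decode(value[1:].strip())
        else:
            data = value.strip().encode("utf-8")
        if name.lower() == "dn":
            current = (data.decode("utf-8"), {})
        elif current is not None:
            current[1].setdefault(name.lower(), []).append(data)
    return entries


def find_password_attributes(text):
    """dn -> sorted password attributes present (the 'search the ldif' step)."""
    hits = {}
    for dn, attrs in parse_ldif(text):
        found = sorted(a for a in attrs if a in _PW_ATTRS)
        if found:
            hits[dn] = found
    return hits


def find_value(text, needle):
    """[(dn, attr)] whose password attribute equals the raw bytes `needle`."""
    return [(dn, name) for dn, attrs in parse_ldif(text)
            for name, values in attrs.items()
            if name in _PW_ATTRS and needle in values]


# Constructed sample export: a service with an encrypted service password,
# a person with a synchronised password, and a person with neither.
BASE = "erglobalid=00000000000000000000,ou=acme,dc=com"
SERVICE_DN = "erglobalid=00000000000000000001,ou=services," + BASE
PERSON_DN = "erglobalid=00000000000000000002,ou=0,ou=people," + BASE
SERVICE_CIPHERTEXT = bytes(range(1, 17))    # stand-in for real AES output
SAMPLE_LDIF = f"""\
dn: {SERVICE_DN}
objectclass: erServiceItem
erServicePassword:: {base64.b64encode(SERVICE_CIPHERTEXT).decode()}

dn: {PERSON_DN}
objectclass: inetOrgPerson
uid: jdoe
ersynchpassword:: {base64.b64encode(bytes(range(17, 33))).decode()}
description: a long value that db2ldif
 folds onto a continuation line

dn: erglobalid=00000000000000000003,ou=0,ou=people,{BASE}
uid: asmith
"""
```

Entries reported by `find_password_attributes` are the candidates to check against the keystore actually configured in enrole.properties; an entry that decrypts with the old system's key but not the new one is the mismatch Franz describes.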

  • BodenMorrison
    2 Posts

    Re: com.ibm.itim.util.EncryptionException: CTGIMO036E 处理加密请求时发生错误

    ‏2013-11-20T03:33:42Z  
    • franzw
    • ‏2013-10-11T20:01:04Z

    I experienced this error in TIM when trying to create an account on a specific service. My issue was due to having the service URL pointing to a server name that couldn't be resolved. Not sure why I would get this error, but it usually helps when the service URL is correct. :D