IBM Support

IZ66419: JAVAX.CRYPTO.BADPADDINGEXCEPTION: GIVEN FINAL BLOCK NOT PROPERLY PADDED: WHEN CHANGING KEYSTORE PASSWORD

APAR status

  • Closed as program error.

Error description

  • When changing the keystore password in EKM using the following
    keytool command:

    keytool -storepasswd -v -all -new "xxxxxxxxxxxx" -keystore /u/ekm/EKMKeystore -storepass "yyyyyyyyyyyy" -storetype jceks

    EKM will not start up and reports the following error:

    javax.crypto.BadPaddingException: Given final block not properly padded
        at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
        at com.ibm.crypto.provider.AESCipher.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Unknown Source)
        at com.ibm.keymanager.keygroups.b.a.a(a.java:15)

    The keypasswd and storepass have been set to the same value, and it
    has been set for all keys, and the error still occurs.
    

Local fix

  • Have changed back to old password temporarily
    

Problem summary

  • BadPaddingException when changing the keystore password
    
    

Problem conclusion

  • The EKM IPUG also needs modification. The affected text is in
    Chapter 3, "Installing the Encryption Key Manager and Keystores",
    under the main heading "Generating Keys and Aliases for Encryption
    on LTO 4", subheading "Changing Keystore Passwords". As the IPUG is
    not being modified, this APAR will contain the updated
    documentation.
    
    Changing Keystore Passwords
    
    Note: Once you have set the keystore password, do not change it
    unless its security has been breached. The passwords are
    obfuscated to eliminate any security exposure. Changing the
    keystore password requires that the password on every key in
    that keystore be changed individually using the following
    keytool command.

    To change the keystore password, enter:

    keytool -keypasswd -keypass old_passwd -new new_passwd -alias alias -keystore keystorename -storetype keystoretype
    
    You must also edit KeyManagerConfig.properties to change the
    keystore password in every server configuration file property
    where it is specified, using one of these methods:

      • Delete the entire obfuscated password and allow the Encryption
        Key Manager to prompt on the next startup.
      • Delete the entire obfuscated password and type the new password
        in the clear. It will be obfuscated on the next startup.
    
    If the createkeygroup command was run earlier to add keygroup
    entries to the KeyGroups.xml file, you must also run the following
    command to update the EncryptionKey attribute in the KeyGroups.xml
    file:

    java com.ibm.keymanager.tools.EKMKeyGroupKeyModifier <Server Configuration Properties Filename> <KeyGroup password>

      • Server Configuration Properties Filename is the server's
        configuration properties filename, containing the updated
        keystore password.
      • KeyGroup password is the password that was specified when
        running the createkeygroup command.

    For example:

    java com.ibm.keymanager.tools.EKMKeyGroupKeyModifier KeyManagerConfig.properties passphrase
    
    Fixed in IBMKeyManagementServer.jar:  Build 20100129
    
    Hursley Defect 161384
    1.4.2 sr13-fp5; 5.0 sr11-fp2; 6.0 sr8
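
Because the key password has to be changed on every key individually, the keytool -keypasswd step above is a natural candidate for scripting. The following is an added example, not IBM's code and not part of the APAR: it picks the key entries out of a keytool -list listing and runs the documented command for each, counting failures. The function names and the EKM_OLD_PW, EKM_NEW_PW and EKM_STORE_PW variables are hypothetical, and English-locale listing output is assumed.

```shell
#!/bin/sh
# Added example, not IBM's code. Re-passwords every key entry in a keystore
# with the keytool -keypasswd command shown in the APAR text.
# Assumptions: English-locale `keytool -list` output; the variable names
# EKM_OLD_PW, EKM_NEW_PW and EKM_STORE_PW are hypothetical.

# Constructed sample of `keytool -list` output (not from a real keystore).
SAMPLE_LISTING='Keystore type: jceks

Your keystore contains 3 entries

ekm key 01, Jan 29, 2010, SecretKeyEntry,
tapecert, Jan 29, 2010, keyEntry,
Certificate fingerprint (MD5): (constructed)
rootca, Jan 29, 2010, trustedCertEntry,
Certificate fingerprint (MD5): (constructed)'

# Read a listing on stdin and print one alias per line, key entries only.
# trustedCertEntry lines are skipped: certificates carry no key password.
key_aliases() {
    sed -n -E 's/^(.*), [A-Za-z]{3} [0-9]{1,2}, [0-9]{4}, (SecretKeyEntry|PrivateKeyEntry|keyEntry),.*$/\1/p'
}

# Read aliases on stdin and change each key password. The return value is the
# number of aliases that failed, so a partly converted keystore is reported.
# Caveat: password values passed as arguments are visible in process
# listings while keytool runs.
rekey_all() {   # usage: rekey_all KEYSTORE STORETYPE
    failed=0
    while IFS= read -r alias; do
        [ -n "$alias" ] || continue
        if keytool -keypasswd -keypass "$EKM_OLD_PW" -new "$EKM_NEW_PW" \
               -alias "$alias" -keystore "$1" -storetype "$2" \
               -storepass "$EKM_STORE_PW" </dev/null >/dev/null; then
            echo "ok:     $alias"
        else
            echo "FAILED: $alias" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Stand-alone demonstration on the constructed listing (keytool is not run).
printf '%s\n' "$SAMPLE_LISTING" | key_aliases
# Real use:
#   keytool -list -keystore /u/ekm/EKMKeystore -storetype jceks \
#       -storepass "$EKM_STORE_PW" | key_aliases |
#       rekey_all /u/ekm/EKMKeystore jceks
```

A non-zero return from rekey_all means some keys still carry the old password; resolve those before editing KeyManagerConfig.properties and restarting EKM.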
    

Temporary fix

  • Change the password back to the original password.
    

Comments

APAR Information

  • APAR number

    IZ66419

  • Reported component name

    TIV TAPE ENCRY

  • Reported component ID

    TIVOEKM00

  • Reported release

    120

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-12-07

  • Closed date

    2010-03-05

  • Last modified date

    2010-03-05

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV TAPE ENCRY

  • Fixed component ID

    TIVOEKM00

Applicable component levels

  • R100 PSY

       UP

Document Information

Modified date:
05 March 2010