IIQ - “Given final block not properly padded. Such issues can arise if a bad key is used during decryption” error while executing any aggregation task

Hello Community,

We encountered a strange issue after adding a key to the keystore to connect to an OpenLDAP server using SSL/TLS. Although the key was added successfully, we started getting the error, first during the “Test Connection” of any application, and then while running any aggregation task.

The logs in the debug section show “unable to decrypt strings for: password”:

<?xml version='1.0' encoding='UTF-8'?>
<!DOCTYPE SyslogEvent PUBLIC "sailpoint.dtd" "sailpoint.dtd">
<SyslogEvent classname="sailpoint.connector.ConnectorFactory$1" created="1728424613230" eventLevel="ERROR" id="929b2798926d1d6a81926e22956e0164" lineNumber="250" quickKey="0081245095" server="iiqui-qa01a" thread="http-nio-8080-exec-1" username="SailPointContextRequestFilter">
  <EventMessage>unable to decrypt strings for: password</EventMessage>
</SyslogEvent>

The steps that I followed to add the key were these:

  1. Create “certs” folder in the path /app/apache-tomcat-XXXX/webapps/identityiq/WEB-INF/classes/.

  2. Upload the files “cacert.pem” and “servercrt.pem” to the created folder.

  3. echo $JAVA_HOME to find JAVA path

  4. Move to JAVA folder cd /usr/lib/jvm/JAVA_VERSION/lib/security

  5. Execute sudo keytool -keystore cacerts -importcert -alias cacert -file /app/apache-tomcat-XXXX/webapps/identityiq/WEB-INF/classes/certs/cacert.pem -storepass changeit.

  6. Run sudo keytool -keystore cacerts -importcert -alias servercrt -file /app/apache-tomcat-XXXX/webapps/identityiq/WEB-INF/classes/certs/servercrt.pem -storepass changeit.

  7. Move to IIQ folder cd /app/apache-tomcat-XXXX/webapps/identityiq/WEB-INF/bin.

  8. Run ./iiq keystore.

  9. It will open a console and in the same one do list which will return “no keys found”.

  10. Type addKey then y.

  11. Type list to verify, this generates an iq.dat and iq.cfg file in: /app/apache-tomcat-XXXX/webapps/identityiq/WEB-INF/classes

  12. Restart tomcat sudo systemctl stop/start tomcat.

I tried running an Encrypted Data Synchronization Task but I got the same error.

We are currently using IIQ version 8.3p3.

Any help in resolving this issue would be appreciated!

Hi @mlucero15,

Do you uncomment the keystore configuration in iiq.properties file?

You must uncomment keyStore.file and keyStore.passwordFile and replace /example/path/filename with the path where your .dat and .cfg files are stored.

Hi,

Thank you for your response. Just to confirm, do I still need to uncomment that section even though the .dat and .cfg files are located in the same path as the iiq.properties file?

Yes, you must uncomment keyStore.file = /example/path/filename and keyStore.passwordFile = /example/path/filename.

.dat and .cfg are 2 different files.

I just updated the iiq.properties file with the path to both files and sadly nothing changed; it still gives me the same error when executing a task.

You are confusing two processes here. Adding a certificate to a Java keystore for SSL/TLS connectivity is very different than the IIQ encryption key generation process. In generating a new IIQ encryption key, it means any secrets that were previously encrypted with the OOTB key will now be generated with the new key you’ve added. You’ll see a difference in the front of an encrypted secret 1:xxx vs 2:xxx where 2 is the new key you generated. Running the Encrypted Data Synchronization Task would also have updated all secrets from the original encryption to the new encryption.

Do you have multiple servers? If so, you need to copy the iiq.dat and iiq.cfg files you generated on one server to all your other servers and bounce them so the key is available across any server that runs a process which needs to decrypt a secret. If you only have the new key on a UI server, for example, but all your tasks run on a different task server, then it cannot decrypt properly.

If you haven’t moved the iiq.cfg and iiq.dat files from WEB-INF/bin, you do not need to touch iiq.properties as mentioned before.

https://community.sailpoint.com/t5/Technical-White-Papers/Using-the-IdentityIQ-Keystore/ta-p/75490


Yes, we are using 4 servers for the QA environment which is the one with this error, I repeated the same process, which was used on a single server in the DEV environment and was provided to me by other co-workers, to add the certificate to Java Keystore and generate a new IIQ encryption key on all 4 servers.

Should I have done it on one and then copy the files to the other servers?

I don’t know what to do anymore to solve this problem.

Yes, it should be generated on one server and then copied to the others per the documentation:

Now restart your application server. After restarting the application server any newly set password will be encrypted using the new encryption key. Without the files iiq.dat and iiq.cfg, passwords cannot be decrypted by IdentityIQ. If you run more than one instance of IdentityIQ, these files need to be placed in the WEB-INF/classes folder of each instance, or in the location specified in iiq.properties.

Keep in mind I am not telling you to copy your DEV keys up to QA. If you already generated separate keys in DEV vs QA, just copy the new files from your one QA server to your other QA servers. Copying up the files from DEV to QA would be a whole other problem.

You technically could have copied your DEV keys up to QA but it sounds like you did not do that which means each IIQ environment will have different encrypted values (encrypted secret in DEV cannot be re-used in QA).

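The advice in the two replies above (generate iiq.dat and iiq.cfg once, then copy the same pair to every node) can be verified before restarting Tomcat with the script below. It is an added example, not code from the thread or from SailPoint: it assumes the two files from each node have already been gathered into one local directory per node (for example with scp), and the directory names used in the comments are placeholders.

```shell
#!/bin/sh
# Added example: confirm every IdentityIQ node carries byte-identical
# iiq.dat and iiq.cfg files. Input: one directory per node, each holding
# that node's copy of the two files (e.g. ./qa1 ./qa2 ./qa3 ./qa4, names
# assumed). Nodes that generated their own key will show a different digest.

# Print the SHA-256 of a file, or MISSING when the file is absent.
keystore_digest() {
    if [ ! -f "$1" ]; then
        echo MISSING
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # macOS fallback
    fi
}

# Return 0 when iiq.dat and iiq.cfg match across all given node directories,
# 1 when any node differs from the first or lacks a file; details go to stderr.
iiq_keystore_consistent() {
    status=0
    for f in iiq.dat iiq.cfg; do
        ref=""
        refnode=""
        for node in "$@"; do
            d=$(keystore_digest "$node/$f")
            if [ "$d" = MISSING ]; then
                echo "$f is missing on $node" >&2
                status=1
            elif [ -z "$ref" ]; then
                ref=$d
                refnode=$node
            elif [ "$d" != "$ref" ]; then
                echo "$f on $node differs from $refnode" >&2
                status=1
            fi
        done
    done
    return $status
}
```

Run it as `iiq_keystore_consistent ./qa1 ./qa2 ./qa3 ./qa4`; a non-zero exit means at least one node would fail to decrypt secrets encrypted on the others.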

Thank you for your response,

It seems this approach resolved the issue. I copied the .dat and .cfg files from the QA1 server to the other servers and manually updated the application passwords.

