Hello Everyone,
We’re trying to implement site-specific encryption for one of our customers. As part of the requirement, we generated a new encryption key using the addKey command in the iiq keystore console. The iiq.dat and iiq.cfg files were created successfully in WEB-INF/classes, but when we tried running the “Encrypted Data Synchronization” task, it failed with the error below.
“An unexpected error occurred: the final block was not properly padded. Such issues can arise if a bad key is used during decryption.”
We tried rerunning the addKey command, assuming there might be an issue with the key generated, but no luck. Could you please help us with this?
Some additional findings: the task runs successfully if the “Disable App Sync” checkbox is checked, and I can see the task fails exactly when it starts updating one of the Active Directory application objects.
This error will occur if the value is not in clear text, not encrypted with the default key, or not encrypted with a key available in the current env. To me it seems like you have a password in your env which was encrypted with a key that is not available in this env.
When I ran the list command in the iiq keystore, I could see all the keys (1 and 2) present, and we’re facing this issue specifically for application objects. If I exclude app objects, the task is running successfully.
I think one of the application secrets is encrypted using a key which doesn’t exist in the system; maybe that encrypted secret came from a lower env.
Or else, what you can do is update all the passwords with the default key, and then you can sync with the latest key using this job.
Hi Lolith,
I’m afraid you are not able to just remove keys from the store: the only way is to remove the store and create a new one with new encryption keys.
If you want to move back to the default encryption keys, then it’s enough to remove the iiq.dat file, but remember that passwords encrypted with the old keys won’t work properly anymore.
To resolve this issue, I ran a script that listed all applications with passwords encrypted using the old key. During decryption, I discovered an application encountering the same error. I didn’t import any external passwords for this app, so I’m uncertain why this occurred. To fix it, I got the password in plaintext and added it to the application’s UI, which successfully resolved the issue.
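The check described above (find application secrets encrypted with a key id that is not in the current keystore) as an added, stand-alone example; it is not the poster's script and not IdentityIQ code. It assumes the common IdentityIQ convention that an encrypted attribute value is stored as `<keyId>:<base64 ciphertext>` with key id 1 being the default key, and the attribute names and application records are constructed sample data.

```python
import re

# Assumed IdentityIQ convention (verify against your own XML exports):
# an encrypted attribute value looks like "<keyId>:<base64>", and keyId "1"
# is the built-in default key that every environment has.
ENCRYPTED_RE = re.compile(r"^(\d+):([A-Za-z0-9+/=]+)$")
DEFAULT_KEY_ID = "1"
# Hypothetical list of application attributes that hold secrets.
SECRET_ATTRS = ("password", "adminPassword", "privateKey")


def classify_secret(value, available_keys):
    """Classify one attribute value as seen by the sync task in this env.

    Returns 'unset', 'cleartext', 'default-key', 'available-key' or
    'missing-key'. Only 'missing-key' values produce the padding error,
    because no key in the local store can decrypt them.
    """
    if value is None:
        return "unset"
    match = ENCRYPTED_RE.match(value)
    if not match:
        return "cleartext"
    key_id = match.group(1)
    if key_id == DEFAULT_KEY_ID:
        return "default-key"
    return "available-key" if key_id in available_keys else "missing-key"


def find_unsyncable_apps(apps, available_keys):
    """Return (app name, attribute, key id) for every secret that cannot be
    decrypted with the keys the keystore 'list' command shows."""
    problems = []
    for app in apps:
        for attr in SECRET_ATTRS:
            value = app.get("attributes", {}).get(attr)
            if classify_secret(value, available_keys) == "missing-key":
                problems.append((app["name"], attr, value.split(":", 1)[0]))
    return problems


# Constructed sample: key ids 1 and 2 exist locally (as in the thread), and
# one application was imported from a lower env that used key id 3.
KEYSTORE_KEYS = {"1", "2"}
SAMPLE_APPS = [
    {"name": "AD-Prod", "attributes": {"password": "2:QUJDREVGR0g="}},
    {"name": "AD-Imported-From-Dev", "attributes": {"password": "3:WFlaQUJDREVG"}},
    {"name": "LDAP-Legacy", "attributes": {"password": "plaintext-pw"}},
]

if __name__ == "__main__":
    for name, attr, key_id in find_unsyncable_apps(SAMPLE_APPS, KEYSTORE_KEYS):
        print(f"{name}: '{attr}' uses key {key_id}, not in keystore; re-enter it in the UI")
```

Each flagged application is one whose secret must be re-entered in clear text (or re-encrypted with a locally available key) before the sync task can process it.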