Virtual appliance Log showing "Can not find key to decrypt"

Hi,
We recently installed VAs for one of the tenants and tried an Active Directory test connection after IQService installation.
The source is not getting connected and we are seeing this error: “Cannot find key to decrypt message”.

I wonder if someone has faced this issue?
Solutions and any insights are welcome.

Thanks

More specifics would be needed, but I’d start with these basic tests to confirm:

  • No IQService Setting (i.e. aggregation only) w/o using TLS (i.e. non-TLS)
  • No IQService Setting (i.e. aggregation only) w/ TLS
  • IQService configured w/o using TLS (i.e. remove TLS from the aggregation configuration also)
  • IQService configured w/ TLS as well as TLS in aggregation

At some point these tests will likely fail and it will allow you to zero in on if it’s related to:

  • Ports
  • non-TLS/TLS
  • IQService configuration
  • IQService account
  • etc.

Hi Ed Marks,
Thanks for the insight,

We are using a non-TLS configuration, and we noticed that the exact same error is coming for another connector as well: “Can not find Key to decrypt message”.

@vdivakar - I’d bet lunch that the keyPassphrase you used for the VA cluster contains an invalid special character which is normally the issue if you’re seeing “java.lang.RuntimeException: java.io.FileNotFoundException: /opt/sailpoint/data/keystore.jks (No such file or directory)” in the ccg.log file.

https://community.sailpoint.com/t5/IdentityNow-Connectors/Virtual-Appliance-Troubleshooting-Guide/ta-p/78735

  • The keyPassphrase cannot start with $ or !
  • Passphrases should not start with a special character. These will often interfere with YAML specifications and be interpreted incorrectly.
  • Exclamation point ( ! ), spaces, and forward and back slashes ( / and \ ) cannot be used. (No longer part of the above document, but used to be applicable and may still be even though it’s not documented.)

This manifests itself in a successful VA connection during configuration, but every test connection after that will fail.
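A pre-flight check for the passphrase rules and the two error messages quoted above, as an added example that is not part of the original posts or of SailPoint's tooling. The function names, the reading of "special character" as anything other than an ASCII letter or digit, and the sample log lines are assumptions made for illustration.

```python
import re

# Characters the thread says cannot appear anywhere in keyPassphrase:
# exclamation point, space, forward slash, backslash.
FORBIDDEN_ANYWHERE = set("! /\\")

# Error signatures quoted in the thread; the regex accepts both spellings
# ("Cannot" / "Can not") that the posters report.
SIGNATURES = [
    ("keystore_missing",
     re.compile(r"FileNotFoundException: /opt/sailpoint/data/keystore\.jks")),
    ("decrypt_failure", re.compile(r"can ?not find key to decrypt", re.I)),
]

def check_passphrase(candidate):
    """Return the rule violations for a candidate; an empty list means none."""
    if not candidate:
        return ["empty"]
    problems = []
    first = candidate[0]
    if first in "$!":
        problems.append("starts with $ or !")
    # Assumption: "special character" = anything but an ASCII letter or digit.
    elif not (first.isascii() and first.isalnum()):
        problems.append("starts with a special character")
    bad = sorted(set(candidate) & FORBIDDEN_ANYWHERE)
    if bad:
        problems.append("forbidden characters: " + " ".join(map(repr, bad)))
    return problems

def scan_log(lines):
    """Return (line_number, signature_name) for each line matching a signature."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((number, name))
    return hits

# Constructed sample lines (not real ccg.log output; real entries have more fields).
SAMPLE_LOG = [
    "INFO connector started",
    "ERROR java.lang.RuntimeException: java.io.FileNotFoundException: "
    "/opt/sailpoint/data/keystore.jks (No such file or directory)",
    "ERROR test connection failed: Cannot find key to decrypt message",
]

if __name__ == "__main__":
    for candidate in ["CorrectHorse42", "$ecret", "pass word/1"]:  # constructed
        print(repr(candidate), check_passphrase(candidate) or "ok")
    print(scan_log(SAMPLE_LOG))
```

Run the passphrase check before the value goes into the cluster configuration, and the log scan against lines read from ccg.log on the VA.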

Well, I have given the passphrase in such a way that it only contains normal letters.
Is it possible to change the keyPassphrase after we install the VAs and the existing config.yaml file already has a key encrypted?

Hi, we created a new cluster and added the same VAs in those clusters.
Now the source connections are successful.

Thanks,
