Error when enabling Encapsulated Token support for dual publish environment | Community
Level 3
May 15, 2019

Good evening AEM Team!

We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.

We have configured:

- Apache Sling Distribution Agents - Sync Agents Factory

- Adobe Granite Distribution - Encrypted Password Transport Secret Provider

- Apache Sling Distribution Trigger - Scheduled Triggers Factory

- Apache Sling Distribution Agent - Queue Agents Factory (on each Publish Instance)

- Adobe Granite Distribution - Diff Observer Factory (on each Publish Instance)

- AEM Communities User Sync Listener (on each Publish Instance)

We have also enabled Encapsulated Token Support:

- Day CRX Token Authentication Handler

(As described in your tech note here: https://helpx.adobe.com/uk/experience-manager/6-2/sites/administering/using/encapsulated-token.html (1))

We have had good results with user replication and we have been able to observe that the login-token is being shared across both instances (by viewing the login status of CRXDE on each instance).

However, we have encountered a critical error when attempting to log in via the SAML Authentication Handler. After following the instructions in (1) above, we authenticate with Okta via SAML and are met with the following error:

A fuller extract from the logs is as follows:

15.05.2019 22:59:45.428 ERROR [qtp192509136-4428] org.apache.felix.http.jetty Exception while processing request to /XXXXXXXXXXXXXX/saml_login (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:154)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:737)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
    at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
    ... 32 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
    ... 33 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
    at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
    at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
    at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
    ... 34 common frames omitted

One point to note is that there is a key piece of detail missing from the instructions in (1), regarding where the /etc/key/ package should be built. Should it come from the common author instance or one of the publish instances? Either way, I know the problem goes deeper than that one concern, but it should also be addressed.

All inputs gratefully received as ever.
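As an added illustration (not from the original post, nor Adobe's code), a small Python triage helper that walks the `Caused by:` chain of a log excerpt like the one above and flags the pattern it shows: a padding failure raised while the keystore password is being unprotected. The sample log is a constructed, shortened copy of the trace, and the classification rule is this editor's heuristic: with a CBC-mode cipher and PKCS#7 padding, decrypting under a key other than the one that encrypted almost always surfaces as "Invalid padding", which is why a key mismatch between instances is the first thing to rule out.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a shortened copy of the exception chain quoted in the post.
SAMPLE_LOG = """\
15.05.2019 22:59:45.428 ERROR [qtp192509136-4428] org.apache.felix.http.jetty Exception while processing request to /XXXXXXXXXXXXXX/saml_login (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:737)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
... 34 common frames omitted
"""

# "java.lang.SecurityException: msg" or "Caused by: com.x.FooException: msg"
EXC_RE = re.compile(r"^(?:Caused by: )?([\w.$]+(?:Exception|Error))(?:: (.*))?$")
# "at com.x.Clazz.method(File.java:123)"
FRAME_RE = re.compile(r"^at ([\w.$]+)\.([\w$<>]+)\(")

def parse_chain(log: str) -> List[Tuple[str, str, List[str]]]:
    """Return [(exception_class, message, ["Clazz.method", ...])], outermost first."""
    chain: List[Tuple[str, str, List[str]]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("at "):
            m = FRAME_RE.match(line)
            if m and chain:  # attach the frame to the exception currently being read
                chain[-1][2].append(f"{m.group(1).rsplit('.', 1)[-1]}.{m.group(2)}")
            continue
        m = EXC_RE.match(line)
        if m:  # a new link in the cause chain (the timestamped ERROR line does not match)
            chain.append((m.group(1), m.group(2) or "", []))
    return chain

def triage(log: str) -> Optional[Tuple[str, str]]:
    """Classify the root cause. Heuristic (editor's assumption, not an Adobe rule): a
    PaddingException while unprotecting the keystore password points at a master-key mismatch."""
    chain = parse_chain(log)
    if not chain:
        return None
    root_cls, root_msg, _ = chain[-1]
    frames = [f for _, _, fs in chain for f in fs]
    if root_cls.endswith("PaddingException") and "KeyStoreServiceImpl.extractStorePassword" in frames:
        return ("CRYPTO_KEY_MISMATCH_SUSPECTED",
                "keystore password could not be unprotected; compare /etc/key on each instance")
    return ("UNCLASSIFIED", f"{root_cls}: {root_msg}")
```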


Adobe Employee
May 15, 2019

Have you tried replicating the crypto keys as mentioned at [1]?

[1] Sharing Crypto Keys in AEM 6.3 - Adobe Experience Manager | AEM/CQ | Apache Sling

Level 3
May 15, 2019

Thanks so much for jumping in Jaideep.

Our instance is 6.2 so we have to use the method described here: Encapsulated Token Support

Are you saying we can use the 6.3 method on 6.2?

Adobe Employee
May 15, 2019

Sorry, I misread the version number, if you are using 6.2 that's the correct article you are following.

There might be an issue with the Keystore.

Can you try to recreate the keystore?

Also, check if "cryptoservice" user has jcr:all rights on /etc/key