SSO breaks after upgrading to AEM 6.5.25 on-prem: BadPaddingException on all decrypts
SSO (SAML) breaks after an in-place upgrade to AEM 6.5.25 (CFP-25)
Environment: on-premise AEM Author, upgraded from 6.5.10 to 6.5.25.
Immediately after applying CFP-25, every SSO-related decrypt operation fails with:
javax.crypto.BadPaddingException: pad block corrupted
This appears to break decryption of the SAML keystore/truststore passwords and replication transport passwords. As a result, SSO fails and the CMS becomes inaccessible, except by disabling SAML authentication and using the manual login route.
The master key is stored in the JCR under /etc/key; it was never migrated to the filesystem bundle. The key value itself was not changed during the upgrade. I simply installed the CFP package, waited until it was complete and restarted the instance, as per the instructions.
The workaround that resolved the issue (currently on test environments) was to rewrite the stored /etc/key value from the older obfuscated format to the raw value, so the newer crypto bundle could read it correctly. Since the underlying key value remained the same, existing encrypted data stayed valid, and decrypt operations started working again after a restart. I did this locally using a custom Groovy script.
I have not confirmed whether this is the intended or supported fix, and I have not found this behavior documented in the release notes or known issues.
Questions:
-
Has anyone else seen this issue on AEM 6.5.25, CFP-25, or an earlier service pack?
-
Did CFP-25 change how the
/etc/keymaster key is read or encoded? If so, when did this behavior change? -
Is rewriting
/etc/keyfrom the older obfuscated format to the raw value the correct approach, or is the supported remediation to re-encrypt the affected passwords after the upgrade?