
Error when enabling Encapsulated Token support for dual publish environment


Level 3

Good evening AEM Team!

We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.

We have configured:

- Apache Sling Distribution Agents - Sync Agents Factory

- Adobe Granite Distribution - Encrypted Password Transport Secret Provider

- Apache Sling Distribution Trigger - Scheduled Triggers Factory

- Apache Sling Distribution Agent – Queue Agents Factory (on each Publish Instance)

- Adobe Granite Distribution – Diff Observer Factory (on each Publish Instance)

- AEM Communities User Sync Listener (on each Publish Instance)

We have also enabled Encapsulated Token Support:

- Day CRX Token Authentication Handler

(As described in your tech note here: https://helpx.adobe.com/uk/experience-manager/6-2/sites/administering/using/encapsulated-token.html (1))

We have had good results with user replication and we have been able to observe that the login-token is being shared across both instances (by viewing the login status of CRXDE on each instance).

However, we have encountered a critical error when attempting to login via the SAML Authentication Handler. After following the instructions (1) above, we SAML authenticate via Okta and we are met with the following error:

AEM-Error-1.jpg

A fuller extract from the logs is as follows:

15.05.2019 22:59:45.428 ERROR [qtp192509136-4428] org.apache.felix.http.jetty Exception while processing request to /XXXXXXXXXXXXXX/saml_login (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:154)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:737)
    at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
    at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
    at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
    at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
    at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
    at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
    at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
    at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
    at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Unknown Source)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
    at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
    ... 32 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
    ... 33 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
    at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
    at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
    at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
    at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
    ... 34 common frames omitted

One point to note is that there is a key piece of detail missing from the instructions in (1), regarding where the /etc/key/ package should be built. Should it come from the common author instance or one of the publish instances? Either way, I know the problem goes deeper than that one concern, but it should also be addressed.

All inputs gratefully received as ever.
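The trace above fails inside KeyStoreServiceImpl.extractStorePassword while CryptoSupport is unprotecting the truststore password, and the innermost cause is a padding error from the symmetric cipher. That is the symptom one would expect when the bytes were protected under one instance's key material and are being unprotected under another's, so a first thing to verify before recreating anything is that every instance in the farm really carries byte-identical /etc/key material. The script below is an added example, not code from the original post or from Adobe: it compares the key files inside two exported /etc/key content packages. It assumes the FileVault layout of such a package on AEM 6.2, with the `master` and `hmac` nodes serialised as binary files at jcr_root/etc/key/master and jcr_root/etc/key/hmac; the two packages it builds are constructed in memory so it runs offline, and compare_key_packages() can be pointed at real package exports instead.

```python
"""Compare the /etc/key material carried by two AEM content package exports.

Added example; not from the original thread or from Adobe. Assumed package
layout (AEM 6.2 FileVault export with filter root /etc/key):
    jcr_root/etc/key/master
    jcr_root/etc/key/hmac
"""
import hashlib
import io
import zipfile

# Assumed paths of the two key nodes inside an /etc/key package export.
KEY_FILES = ("jcr_root/etc/key/master", "jcr_root/etc/key/hmac")


def build_fake_key_package(master: bytes, hmac_key: bytes, include_hmac: bool = True) -> bytes:
    """Constructed stand-in for an /etc/key package export, returned as zip bytes.

    Real exports come from Package Manager; this only mimics the file layout
    so the comparison can be exercised offline.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "META-INF/vault/filter.xml",
            '<workspaceFilter version="1.0"><filter root="/etc/key"/></workspaceFilter>',
        )
        zf.writestr("jcr_root/etc/key/master", master)
        if include_hmac:
            zf.writestr("jcr_root/etc/key/hmac", hmac_key)
    return buf.getvalue()


def key_fingerprints(package: bytes) -> dict:
    """SHA-256 of each key file in the package; None when the file is absent."""
    fingerprints = {}
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        present = set(zf.namelist())
        for path in KEY_FILES:
            fingerprints[path] = (
                hashlib.sha256(zf.read(path)).hexdigest() if path in present else None
            )
    return fingerprints


def compare_key_packages(pkg_a: bytes, pkg_b: bytes) -> dict:
    """Per key file: True only if both packages contain it with identical bytes."""
    fa, fb = key_fingerprints(pkg_a), key_fingerprints(pkg_b)
    return {path: (fa[path] is not None and fa[path] == fb[path]) for path in KEY_FILES}


def instances_share_keys(pkg_a: bytes, pkg_b: bytes) -> bool:
    """True when master and hmac match, i.e. both instances can unprotect each other's secrets."""
    return all(compare_key_packages(pkg_a, pkg_b).values())


if __name__ == "__main__":
    # Constructed sample key material (real keys are opaque binaries).
    author = build_fake_key_package(b"\x01" * 32, b"\x02" * 32)
    publish1 = build_fake_key_package(b"\x01" * 32, b"\x02" * 32)  # same key as author
    publish2 = build_fake_key_package(b"\x01" * 32, b"\x03" * 32)  # hmac differs

    for name, pkg in (("publish1", publish1), ("publish2", publish2)):
        result = compare_key_packages(author, pkg)
        status = "OK" if all(result.values()) else "MISMATCH"
        print(f"{name}: {status} {result}")
```

Run it against one package exported from each instance (author and both publishes); any False in the result means a secret protected on one instance, such as a keystore or truststore password stored in the repository, cannot be unprotected on the other. Note that the check only tells you the key material is now consistent; secrets that were protected under an instance's previous key before the package was installed still need to be re-entered or recreated on that instance.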

4 Replies


Level 3

Thanks so much for jumping in Jaideep.

Our instance is 6.2 so we have to use the method described here: Encapsulated Token Support

Are you saying we can use the 6.3 method on 6.2?


Employee Advisor

Sorry, I misread the version number, if you are using 6.2 that's the correct article you are following.

There might be an issue with the Keystore.

Can you try to recreate the keystore?

Also, check if "cryptoservice" user has jcr:all rights on /etc/key