Adobe Experience Manager Sites & More

courtthreeGDC · 5/15/19

Good evening AEM Team!

We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.

We have configured:

- Apache Sling Distribution Agents - Sync Agents Factory

- Adobe Granite Distribution - Encrypted Password Transport Secret Provider

- Apache Sling Distribution Trigger - Scheduled Triggers Factory

- Apache Sling Distribution Agent – Queue Agents Factory (on each Publish Instance)

- Adobe Granite Distribution – Diff Observer Factory (on each Publish Instance)

- AEM Communities User Sync Listener (on each Publish Instance)

We have also enabled Encapsulated Token Support:

- Day CRX Token Authentication Handler

(As described in your tech note here: https://helpx.adobe.com/uk/experience-manager/6-2/sites/administering/using/encapsulated-token.html (1))

We have had good results with user replication and we have been able to observe that the login-token is being shared across both instances (by viewing the login status of CRXDE on each instance).

However, we have encountered a critical error when attempting to login via the SAML Authentication Handler. After following the instructions (1) above, we SAML authenticate via Okta and we are met with the following error:

A fuller extract from the logs is as follows:

15.05.2019 22:59:45.428 ERROR [qtp192509136-4428] org.apache.felix.http.jetty Exception while processing request to /XXXXXXXXXXXXXX/saml_login (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)

java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data

at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)

at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)

at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:154)

at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:737)

at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)

at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)

at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)

at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)

at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)

at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)

at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)

at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)

at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)

at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)

at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)

at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)

at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

at org.eclipse.jetty.server.Server.handle(Server.java:499)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)

at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)

at java.lang.Thread.run(Unknown Source)

Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data

at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)

at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)

... 32 common frames omitted

Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text

at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)

at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)

... 33 common frames omitted

Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.

at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)

at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)

at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)

at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)

... 34 common frames omitted

One point to note, is that there is a key piece of detail missing from the instructions in (1), regarding where the /etc/key/ package should be built. Should it come from the common author instance or one of the publish instances? Either way, I know the problem goes deeper than that one concern but it should also be addressed.

All inputs gratefully received as ever.

Jaideep_Brar · 5/15/19

Have you tried replicating the crypto keys as mentioned at [1]

[1] Sharing Crypto Keys in AEM 6.3 - Adobe Experience Manager | AEM/CQ | Apache Sling

courtthreeGDC · 5/15/19

Thanks so much for jumping in Jaideep.

Our instance is 6.2 so we have to use the method described here: Encapsulated Token Support

Are you saying we can use the 6.3 method on 6.2?

Jaideep_Brar · 5/15/19

Sorry, I misread the version number, if you are using 6.2 that's the correct article you are following.

There might be an issue with the Keystore.

Can you try to recreated the keystore.

Also, check if "cryptoservice" user has jcr:all rights on /etc/key

courtthreeGDC · 5/15/19

Thanks again mate.

For resetting, do you recommend: https://helpx.adobe.com/uk/experience-manager/kb/how-to-reset-the-truststore-if-it-get-corrupted-in-...

How to reset the truststore in AEM

I'll also check the permissions and revert back ASAP!

Adobe Experience Manager Sites & More

Error when enabling Encapsulated Token support for dual publish environment

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe