Good evening AEM Team!
We have integrated Okta as the IDM for our AEM 6.2 website. We have done so using a fairly standard SAML configuration which has worked well. In our live/production environment we have two publish instances so we have been testing the integration across two publish environments.
We have configured:
- Apache Sling Distribution Agents - Sync Agents Factory
- Adobe Granite Distribution - Encrypted Password Transport Secret Provider
- Apache Sling Distribution Trigger - Scheduled Triggers Factory
- Apache Sling Distribution Agent - Queue Agents Factory (on each Publish Instance)
- Adobe Granite Distribution - Diff Observer Factory (on each Publish Instance)
- AEM Communities User Sync Listener (on each Publish Instance)
We have also enabled Encapsulated Token Support:
- Day CRX Token Authentication Handler
(As described in your tech note here: https://helpx.adobe.com/uk/experience-manager/6-2/sites/administering/using/encapsulated-token.html (1))
We have had good results with user replication and we have been able to observe that the login-token is being shared across both instances (by viewing the login status of CRXDE on each instance).
However, we have encountered a critical error when attempting to login via the SAML Authentication Handler. After following the instructions (1) above, we SAML authenticate via Okta and we are met with the following error:
A fuller extract from the logs is as follows:
15.05.2019 22:59:45.428 ERROR [qtp192509136-4428] org.apache.felix.http.jetty Exception while processing request to /XXXXXXXXXXXXXX/saml_login (java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data)
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:609)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.internalGetTrustStore(KeyStoreServiceImpl.java:462)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.getTrustStore(KeyStoreServiceImpl.java:154)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.handleLogin(SamlAuthenticationHandler.java:737)
at com.adobe.granite.auth.saml.SamlAuthenticationHandler.extractCredentials(SamlAuthenticationHandler.java:433)
at org.apache.sling.auth.core.impl.AuthenticationHandlerHolder.doExtractCredentials(AuthenticationHandlerHolder.java:75)
at org.apache.sling.auth.core.impl.AbstractAuthenticationHandlerHolder.extractCredentials(AbstractAuthenticationHandlerHolder.java:60)
at org.apache.sling.auth.core.impl.SlingAuthenticator.getAuthenticationInfo(SlingAuthenticator.java:718)
at org.apache.sling.auth.core.impl.SlingAuthenticator.doHandleSecurity(SlingAuthenticator.java:466)
at org.apache.sling.auth.core.impl.SlingAuthenticator.handleSecurity(SlingAuthenticator.java:451)
at org.apache.sling.engine.impl.SlingHttpContext.handleSecurity(SlingHttpContext.java:121)
at org.apache.felix.http.base.internal.service.ServletContextImpl.handleSecurity(ServletContextImpl.java:421)
at org.apache.felix.http.base.internal.dispatch.InvocationChain.doFilter(InvocationChain.java:57)
at org.apache.felix.http.base.internal.dispatch.Dispatcher.dispatch(Dispatcher.java:124)
at org.apache.felix.http.base.internal.DispatcherServlet.service(DispatcherServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
at org.eclipse.jetty.server.Server.handle(Server.java:499)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
at java.lang.Thread.run(Unknown Source)
Caused by: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:160)
at com.adobe.granite.keystore.internal.KeyStoreServiceImpl.extractStorePassword(KeyStoreServiceImpl.java:601)
... 32 common frames omitted
Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher text
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:96)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:157)
... 33 common frames omitted
Caused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.
at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:325)
at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:307)
at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:94)
... 34 common frames omitted
One point to note is that there is a key piece of detail missing from the instructions in (1), regarding where the /etc/key/ package should be built. Should it come from the common author instance or one of the publish instances? Either way, I know the problem goes deeper than that one concern, but it should also be addressed.
All inputs gratefully received as ever.
Have you tried replicating the crypto keys as mentioned at [1]
[1] Sharing Crypto Keys in AEM 6.3 - Adobe Experience Manager | AEM/CQ | Apache Sling
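The innermost cause in the trace above (JSAFE_PaddingException: Invalid padding, raised while KeyStoreServiceImpl unprotects the truststore password) is the symptom you get when a value that was encrypted under one instance's master key is decrypted on an instance holding a different master key: the last block decrypts to random bytes, so the padding check fails. The following Java example is added here to illustrate that mechanism; it is not AEM or Granite code and is not from this thread. It uses the JDK's own AES/CBC/PKCS5Padding, and the class and method names (KeyMismatchDemo, protect, unprotect) are assumptions chosen for the illustration.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Demonstrates why a secret protected under one instance's master key fails
 * with a padding error when another instance tries to unprotect it, and why
 * sharing the same key across instances makes the failure go away.
 * (Illustrative code, not the AEM CryptoSupport implementation.)
 */
public class KeyMismatchDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16;

    // Encrypt a plaintext under the given master key; the random IV is prepended.
    static byte[] protect(SecretKey masterKey, String plaintext) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, masterKey, new IvParameterSpec(iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return blob;
    }

    // Decrypt a blob produced by protect(); with the wrong key the final block is
    // garbage and doFinal() throws BadPaddingException almost every time.
    static String unprotect(SecretKey masterKey, byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, IV_LEN, blob.length);
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, masterKey, new IvParameterSpec(iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        // Two instances that each generated their own master key at startup.
        SecretKey keyOnPublish1 = kg.generateKey();
        SecretKey keyOnPublish2 = kg.generateKey();

        // Constructed sample secret, standing in for a protected keystore password.
        byte[] blob = protect(keyOnPublish1, "truststore-password");

        System.out.println("publish1 (own key):   " + unprotect(keyOnPublish1, blob));
        try {
            unprotect(keyOnPublish2, blob);
            System.out.println("publish2 (other key): decrypted without error (rare, see note)");
        } catch (BadPaddingException e) {
            // This is the JCE counterpart of the JSAFE 'Invalid padding' in the trace.
            System.out.println("publish2 (other key): " + e);
        }

        // After the key material is shared, publish2 holds the same key as publish1.
        SecretKey sharedKey = keyOnPublish1;
        System.out.println("publish2 (shared key): " + unprotect(sharedKey, blob));
    }
}
```

Two points worth keeping in mind when reading the output. First, a PKCS5 padding check is not authentication: roughly one wrong-key decryption in 256 happens to end in a valid padding byte and returns garbage instead of throwing, which is why an authenticated mode (or a separate MAC) is preferable whenever you design your own protected storage. Second, the diagnosis this example supports is the one Jaideep gives: if every instance that must unprotect the same values holds the same master key, the padding error disappears; if you instead regenerate the keystore on one instance only, the other instances will still fail until the key material is shared again.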
Thanks so much for jumping in Jaideep.
Our instance is 6.2 so we have to use the method described here: Encapsulated Token Support
Are you saying we can use the 6.3 method on 6.2?
Sorry, I misread the version number; if you are using 6.2, that's the correct article you are following.
There might be an issue with the Keystore.
Can you try to recreate the keystore?
Also, check if the "cryptoservice" user has jcr:all rights on /etc/key.
Thanks again mate.
For resetting, do you recommend: https://helpx.adobe.com/uk/experience-manager/kb/how-to-reset-the-truststore-if-it-get-corrupted-in-...
How to reset the truststore in AEM
I'll also check the permissions and revert back ASAP!