SOLVED

Issue with moving crypto keys between different instances


Level 4

Hi Everyone,

I was trying to protect a password available within my OSGi config. I need to use the same key across my instances, so I tried to move the key.

I went through the article on "EXPORTING KEYS FROM AUTHOR AND IMPORTING ON PUBLISH" available at http://docs.adobe.com/docs/en/cq/5-6/wcm/campaigns/newsletters.html#Exporting keys from author and importing on publish 

I have used the Adobe Eclipse plugin to get the master.binary file within the etc/key folder (etc/key/master is used as the vault filter). When I deployed the package and refreshed the "Crypto Package" from the Felix console, AEM started behaving strangely. I can see CRX up and running but am unable to load any of the content and even unable to deploy/build new packages.

As a workaround I have to delete the "etc" folder and restart my instance.

Can someone help me with the correct way to move the key?

Regards,

Krishna

1 Accepted Solution


4 Replies


Level 10

I assume when you say "refreshed the Crypto Package" it means you restarted the bundle. There is a difference. In case it was a refresh only, then please stop & start the bundle.

If you have restarted the bundle then your symptoms look strange. What is the error in the logs & what are your deployment steps (first install the key package --> then restart the crypto bundle --> then deploy the rest of the packages)? Also make sure /etc/key/master is a separate package & deployed as the last one.


Level 4

Thanks for the reply Sham,

When I restart the bundle I get the below exception:

POST /system/console/bundles/92 HTTP/1.1] com.adobe.granite.crypto.internal.Activator setupCryptoSupport: Failed creating CryptoSupport Implementation:  javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
    at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)

I assume that the (master.binary) file might have been corrupted since I am trying to check out the file to the file system and then move it across environments. (Not sure whether this can happen.)

I have deployed the key as a part of my apps package. 

Do you suggest having the key in a separate package and deploying it as the last one?


Thanks,

Krishna


Correct answer by
Level 10

Yes, I suggest having the key in a separate package and deploying it as the last one. But anyhow this is not going to solve your existing problem, based on the error.

When you delete /etc it works because it generates a new one, & surely the problem is with the key itself that is in your file system. You said "checkout", & I am assuming you are using some source version control like git or svn, etc. In that case I am assuming that for security reasons the private key is changed by some other layers/commands when you try to store it in the repository. From all your symptoms I can say it is not an issue with your package but some other command changing the key file format itself. As an example, a curl command uploading any binary that is a private key changes its content due to security reasons.

I have seen this issue in some other case, for example uploading a private key for SAML using curl, & informed our security team to validate & informed the doc team to update. At this point in time I did not have enough proof to qualify it as a product bug. But if you have those steps & it is not due to checkouts, please file an official support ticket.
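The answer above attributes the "Input length must be multiple of 8" failure to the key file being altered somewhere between export and import (a text-mode checkout or an upload step). As an added example, not code from the thread or from Adobe, here is a small POSIX shell check that compares the exported master key file against the copy that reached the target, flagging any byte difference and, as an assumption drawn from the exception text, any length that is not a multiple of the 8-byte block size. The function name check_key_copy and the sample files are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an exported AEM master key
# file (e.g. etc/key/master) survived transfer byte-for-byte.
# Assumption: the file must be copied as an opaque binary; a text-mode VCS
# checkout (CRLF conversion, added trailing newline) or a form-encoded upload
# would change its length and content.

key_sha256() {
    # Print the SHA-256 digest of a file; uses sha256sum or shasum, whichever exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

key_size() {
    # Byte length of a file, with wc's padding stripped.
    wc -c < "$1" | tr -d ' '
}

# check_key_copy SOURCE DESTINATION
# Returns 0 when the destination is byte-identical to the source and its
# length is block-aligned; returns 1 and prints what differs otherwise.
check_key_copy() {
    src="$1"
    dst="$2"
    status=0
    src_sum=$(key_sha256 "$src")
    dst_sum=$(key_sha256 "$dst")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "MISMATCH: $dst differs from $src ($dst_sum vs $src_sum)"
        status=1
    fi
    # The exception in the thread rejects input whose length is not a multiple
    # of 8 (assumed block size); a stray newline from a text checkout does this.
    size=$(key_size "$dst")
    if [ $((size % 8)) -ne 0 ]; then
        echo "WARN: $dst is $size bytes, not a multiple of 8"
        status=1
    fi
    return $status
}
```

Run it as `check_key_copy /path/to/exported/master /path/to/received/master` before restarting the crypto bundle; a non-zero exit means the file is not the one you exported.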


Level 4

Thanks Sham.

Now, after installing the key as a separate package and restarting the bundle, everything works fine, so surely it was a problem with the file in the repository.

I will have the key as a separate package. Since key deployment will be a one-time process, I don't see a big issue with that.

Thanks for quick response Sham.

Krishna