SOLVED

Issue with moving crypto keys between different instances

Level 4

Hi Everyone,

I was trying to protect the password available within my OSGi config. I need to use the same key across my instances, so I tried to move the key.

I went through the article on "EXPORTING KEYS FROM AUTHOR AND IMPORTING ON PUBLISH" available at http://docs.adobe.com/docs/en/cq/5-6/wcm/campaigns/newsletters.html#Exporting keys from author and importing on publish 

I have used the Adobe Eclipse plugin to get the master.binary file within the etc/key folder (etc/key/master is used as the vault filter). When I deployed the package and refreshed the "Crypto Package" from the Felix console, AEM started behaving strangely. I can see CRX up and running, but I am unable to load any of the content or even deploy/build new packages.

As a workaround I have to delete the "etc" folder and restart my instance. 

Can someone help me on the correct way to move the key?

Regards,

Krishna

4 Replies

Level 10

I assume when you say "refreshed the Crypto Package" it means you restarted the bundle. There is a difference. In case it was a refresh only, then please stop & start the bundle.

If you have restarted the bundle then your symptoms look strange. What is the error in the logs & what are your deployment steps (first install key package -> then restart crypto bundle -> then deploy rest of packages)? Also make sure /etc/key/master is a separate package & deployed as the last one.

Level 4

Thanks for the reply Sham,

When I restart the bundle I get below exception 

POST /system/console/bundles/92 HTTP/1.1] com.adobe.granite.crypto.internal.Activator setupCryptoSupport: Failed creating CryptoSupport Implementation:  javax.crypto.IllegalBlockSizeException: Input length must be multiple of 8 when decrypting with padded cipher
    at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)

I assume that the (master.binary) file might have been corrupted, since I am trying to check out the file to the file system and then move it across environments. (Not sure whether this can happen.)

I have deployed the key as a part of my apps package.

Do you suggest having the key in a separate package and deploying it as the last one?


Thanks,

Krishna

Correct answer by
Level 10

Yes, I suggest having the key in a separate package and deploying it as the last one. But anyhow, this is not going to solve your existing problem, based on the error.

When you delete /etc it works because it generates a new one, & surely there is a problem with the key itself that is in your file system. You said "checkout" & I am assuming you are using some source version controller like git or svn etc. In that case I am assuming that, for security reasons, the private key is changed by some other layers/commands when you try to store it in the repository. From all your symptoms I can say it is not an issue with your package but some other commands changing the key file format itself. As an example, a curl command to upload any binary that has a private key changes its content due to security reasons.

I have seen this issue in some other cases, for example uploading a private key for SAML using curl, & informed our security team to validate & informed the doc team to update. At this point in time I did not have enough proof to qualify it as a product bug. But if you have those steps & it is not due to checkouts, please file an official support ticket.
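
An added example, not part of the original thread and not Adobe's tooling: a Python check that compares a key file before and after transfer and tests which common text-mode transformation explains a mismatch. The sample bytes are constructed, and the list of transformations is an assumption about typical tooling, not something confirmed for this case.

```python
import hashlib

# Transformations that tooling commonly applies to a file it treats as
# text. Each maps the original bytes to what would arrive (assumed list).
TRANSFORMS = {
    "LF -> CRLF (line-ending conversion on checkout)":
        lambda b: b.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n"),
    "CRLF -> LF (line-ending normalisation on commit)":
        lambda b: b.replace(b"\r\n", b"\n"),
    "CR and LF stripped (file sent as form text, as curl --data does)":
        lambda b: b.replace(b"\r", b"").replace(b"\n", b""),
    "trailing newline appended (file saved from an editor)":
        lambda b: b + b"\n",
    "re-encoded as UTF-8 text (bytes >= 0x80 expanded)":
        lambda b: b.decode("latin-1").encode("utf-8"),
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def diagnose(original: bytes, received: bytes) -> dict:
    """Compare a key file before and after transfer and name the likely cause."""
    report = {
        "identical": sha256(original) == sha256(received),
        "size_delta": len(received) - len(original),
        "likely_cause": None,  # stays None if no known transform matches
    }
    if not report["identical"]:
        for name, transform in TRANSFORMS.items():
            if transform(original) == received:
                report["likely_cause"] = name
                break
    return report

# Constructed sample standing in for a binary key file: 32 bytes that
# contain 0x0A (LF) and bytes above 0x7F, as random key material will.
SAMPLE_KEY = bytes([0x8F, 0x0A, 0x11, 0xC3] * 8)

if __name__ == "__main__":
    print(diagnose(SAMPLE_KEY, SAMPLE_KEY))
    print(diagnose(SAMPLE_KEY, SAMPLE_KEY.replace(b"\n", b"\r\n")))
```

To use it on real files, read the source and destination copies with `open(path, "rb").read()` and pass both to `diagnose`.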

Level 4

Thanks Sham.

Now after installing the key as a separate package and restarting the bundle everything works fine; surely it is a problem with the file in the repository.

I will have the key as a separate package. Since key deployment will be a single-time process, I don't see a big issue with that.

Thanks for quick response Sham.

Krishna