Bug 1028483 - Error logged during login to Admin portal (javax.crypto.BadPaddingException)
Summary: Error logged during login to Admin portal (javax.crypto.BadPaddingException)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-engine-webadmin
Version: 3.3
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
: 3.4.0
Assignee: Eli Mesika
QA Contact:
URL:
Whiteboard: infra
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-11-08 14:55 UTC by Bob Doolittle
Modified: 2014-02-07 13:09 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-13 21:31:18 UTC
oVirt Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Bob Doolittle 2013-11-08 14:55:30 UTC 
Description of problem:
When logging into the Admin portal, I always see a few of the errors shown at the end of this note in engine.log. It does not seem to be fatal, but clearly something is not right. The error begins:

2013-11-08 09:14:48,151 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (ajp--127.0.0.1-8702-1) Failed to decrypt value for property LocalAdminPassword will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero 

See the end of this note for the full (lengthy) error.

Version-Release number of selected component (if applicable):
3.3

How reproducible:
100%

Steps to Reproduce:
1. log in to Admin portal
2.
3.

Actual results:
No errors

Expected results:
Attached error


Additional info:
Complete error follows:
2013-11-08 09:14:48,151 ERROR [org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils] (ajp--127.0.0.1-8702-1) Failed to decrypt value for property LocalAdminPassword will be used encrypted value: javax.crypto.BadPaddingException: Data must start with zero
	at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:325) [rt.jar:1.7.0_45]
	at sun.security.rsa.RSAPadding.unpad(RSAPadding.java:272) [rt.jar:1.7.0_45]
	at com.sun.crypto.provider.RSACipher.doFinal(RSACipher.java:356)
	at com.sun.crypto.provider.RSACipher.engineDoFinal(RSACipher.java:382)
	at javax.crypto.Cipher.doFinal(Cipher.java:1922) [jce.jar:1.7.0_45]
	at org.ovirt.engine.core.utils.crypt.EngineEncryptionUtils.decrypt(EngineEncryptionUtils.java:169) [utils.jar:]
	at org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils.GetValue(DBConfigUtils.java:109) [dal.jar:]
	at org.ovirt.engine.core.dal.dbbroker.generic.DBConfigUtils.GetValue(DBConfigUtils.java:231) [dal.jar:]
	at org.ovirt.engine.core.common.config.Config.GetValue(Config.java:22) [common.jar:]
	at org.ovirt.engine.core.bll.GetConfigurationValuesQuery.executeQueryCommand(GetConfigurationValuesQuery.java:48) [bll.jar:]
	at org.ovirt.engine.core.bll.QueriesCommandBase.executeCommand(QueriesCommandBase.java:65) [bll.jar:]
	at org.ovirt.engine.core.dal.VdcCommandBase.execute(VdcCommandBase.java:28) [dal.jar:]
	at org.ovirt.engine.core.bll.Backend.runQueryImpl(Backend.java:475) [bll.jar:]
	at org.ovirt.engine.core.bll.Backend.RunQuery(Backend.java:452) [bll.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
	at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:374) [jboss-invocation.jar:1.1.1.Final]
	at org.ovirt.engine.core.bll.interceptors.ThreadLocalSessionCleanerInterceptor.injectWebContextToThreadLocal(ThreadLocalSessionCleanerInterceptor.java:13) [bll.jar:]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
	at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptorFactory$ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptorFactory.java:123) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:36) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ejb3.component.singleton.SingletonComponentInstanceAssociationInterceptor.processInvocation(SingletonComponentInstanceAssociationInterceptor.java:53) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInNoTx(CMTTxInterceptor.java:211) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.supports(CMTTxInterceptor.java:363) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:194) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation.jar:1.1.1.Final]
	at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.1.1.Final.jar:7.1.1.Final]
	at org.ovirt.engine.core.common.interfaces.BackendLocal$$$view9.RunQuery(Unknown Source) [common.jar:]
	at org.ovirt.engine.ui.frontend.server.gwt.GenericApiGWTServiceImpl.RunQuery(GenericApiGWTServiceImpl.java:59)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
	at com.google.gwt.rpc.server.RPC.invokeAndStreamResponse(RPC.java:196)
	at com.google.gwt.rpc.server.RpcServlet.processCall(RpcServlet.java:172)
	at com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:233)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-3.0-api.jar:1.0.1.Final]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-3.0-api.jar:1.0.1.Final]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
	at org.ovirt.engine.ui.frontend.server.gwt.GwtCachingFilter.doFilter(GwtCachingFilter.java:132)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
	at org.ovirt.engine.core.utils.servlet.LocaleFilter.doFilter(LocaleFilter.java:59) [utils.jar:]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:280)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489)
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.rewrite.RewriteValve.invoke(RewriteValve.java:466)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
	at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:505)
	at org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:445)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930)
	at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Comment 1 Eli Mesika 2013-11-11 21:29:33 UTC 
Please run the following from the dbscripts directory to fix 

Usage: encryptionvalidator.sh [-h] [-s SERVERNAME [-p PORT]] [-d DATABASE] [-u USERNAME] [-l LOGFILE] [-c CERTIFICATE] [-f] [-v]

        -s SERVERNAME - The database servername for the database  (def. localhost)
        -p PORT       - The database port for the database        (def. 5432)
        -d DATABASE   - The database name                         (def. engine)
        -u USERNAME   - The username for the database             (def. engine)
        -l LOGFILE    - The logfile for capturing output          (def. encryptionvalidator.sh.log)
        -c CERTIFICATE- The certificate file to use for the encryption.(def /etc/pki/ovirt-engine/certs/engine.cer)
        -f            - Fix the non encrypted data in DB.
        -v            - Turn on verbosity                         (WARNING: lots of output)
        -h            - This help text.
Comment 2 Bob Doolittle 2013-11-11 21:40:55 UTC 
I'm afraid I'm going to need more detail than a usage message. What options in particular do you need me to specify and which are unnecessary?

Or do you just want me to run it with no arguments?
Comment 3 Bob Doolittle 2013-11-11 21:42:01 UTC 
Also, what is the path to the dbscripts directory where you want this command run?
Comment 4 Eli Mesika 2013-12-25 11:15:19 UTC 
(In reply to Bob Doolittle from comment #3)
> Also, what is the path to the dbscripts directory where you want this
> command run?

share/ovirt-engine/dbscripts
Comment 5 Bob Doolittle 2014-01-09 18:12:23 UTC 
I don't know what options to use with the command "encryptionvalidator.sh". When run with no arguments it simply says "Engine certificate was not set".
Comment 6 Eli Mesika 2014-01-12 09:27:16 UTC 
please look if you have engine.cer under /etc/pki/ovirt-engine/certs
If not , please use (with root account)

> find / -name "engine.cer" to locate it

Once located , run the following from the machine which host the DB:

> encryptionvalidator.sh -d <db name> -u <user name> -c <cert file> -f
Comment 7 Bob Doolittle 2014-01-13 15:44:00 UTC 
I'm sorry to seem thick, but how am I supposed to determine what "db name" to use?
Comment 8 Eli Mesika 2014-01-13 16:07:17 UTC 
For 3.3 :

> encryptionvalidator.sh -d engine -u engine -c <cert file> -f
Comment 9 Bob Doolittle 2014-01-13 17:10:38 UTC 
Thanks. I get the following:

# ./encryptionvalidator.sh -d engine -u engine -c /etc/pki/ovirt-engine/certs/engine.cer -f
Engine certificate was not set

(and yes the file /etc/pki/ovirt-engine/certs/engine.cer does exist).

This is the same output I get when I provide no options at all.

However, I should say that since filing this bug I have upgraded to 3.3.2-1, and no longer see the error in the original report (or any ERROR level log messages).
Comment 10 Eli Mesika 2014-01-13 21:31:18 UTC 
(In reply to Bob Doolittle from comment #9)

> However, I should say that since filing this bug I have upgraded to 3.3.2-1,
> and no longer see the error in the original report (or any ERROR level log
> messages).

Closing the bug
Note You need to log in before you can comment on or make changes to this bug.