
Decryption issue on VMWare image

Started by markryan, 14 Oct 2008 11:33:44 AM


markryan

Hi all,

I have a unique issue that I can't seem to crack.  I configured a Cognos Server to my liking on a VMWare instance, and requested a duplicate of this machine be made to save me much of the setup the second time around.  Everything looked good until I tried to change the content store and start the Cognos service.  I get this error:

[Cryptography]
1. [ ERROR ] CAM-CRP-1280 An error occurred while trying to decrypt using the system protection key. Reason: javax.crypto.BadPaddingException: Given final block not properly padded

I've tried to find answers to this issue, but nothing seems to work.

Any idea why this error might occur and how to fix it?

Mark

kolonell

hmm .. looks like the encryption info got corrupted for some reason when cloning.

You might want to consider exporting the configuration file and removing the cryptographic folders (csk, encryptkeypair, signkeypair and caSerial) before cloning machines. That will force the keys to be regenerated when the clones are used for the first time.

Hope this helps

markryan

Makes sense.  Although, since I have the server up right now with a bad key (possibly), is there a way to reset this?

I've tried rolling back the cogstartup.xml to the one from the image, and deleting (backup) the folders you mentioned, and then before my first test of the configurations I changed the references from Server1 to Server2, as well as a new content store db.  I still get the same type of error;

CAM-AAA-0185 CCLConfiguration exception was caught. Error message: 'CAM-CRP-1280 An error occurred while trying to decrypt using the system protection key. Reason: javax.crypto.BadPaddingException: Given final block not properly padded'.

Seems like I should be able to turn off encryption or remove it and then re-add it to create new keys.  Or even just simply set new keys.

kolonell

The error seems to indicate the configuration is still encrypted. 

The only way (that I am aware of) to reset this when no unencrypted version is available is to delete the keys and re-enter all the passwords and credentials.
If you have the unencrypted version (File > export as) then there is no need to modify any credentials.

Can you verify whether you can add a data source that requires a sign on in the portal (on the server with the "Bad keys")? If that works then the current keys work.

I don't reckon there is a way to simply turn off encryption as that would be regarded as a major Security Concern.
Creating new keys is done by backing up those folders but if the configuration isn't exported then the passwords are still encoded. No way to recover those with new keys apart from entering new values ;-)

markryan

Good news for me... and likely for the next sorry soul who tries to get too fancy with server administration before they even know how Cognos admin works... I got it fixed, so here's what I did.  I'd say all your comments were true and what led me to my solution Kolonell.  Thanks for the insight!

1. I stopped the Cognos Service.

2. I did a backup of the files in: (**I don't know if this step was required or not.**)
  ./configuration/csk/
  ./configuration/encryptkeypair/
  ./configuration/signkeypair/

3. I did a backup of ./configuration/cogstartup.xml

4. I copied and renamed the first instance of the archived cogstartup.xml so it was now the current startup config.
  (I used the one with the oldest time stamp in its name)

5. I started Cognos Configuration and changed the config settings I wanted based on the authentication modes I want to support and the content store.

6. Tested all the config settings and started Cognos Service again.

Everything works fine, so really I think your point about the config being encrypted was when the light came on.  It seems trivial now to clone a cognos server environment.

Thanks again. Real helpful.

kolonell

> 4. I copied and renamed the first instance of the archived cogstartup.xml so it was now the current startup config.  (I used the one with the oldest time stamp in its name)

I reckon by doing step 4 you restored the very first configuration ever backed up by the Config tool (it does that every time you hit the save button). And that would be the file that comes after the initial install, hence unencrypted.

But yeah the source in this issue is surely the Content Store. I have a few VMs that I regularly copy where I don't experience this. But they use the Cognos Content database so the CS virtually stays the same.


raviperot

Small modification to above step

1. Stop the Cognos Service. [If not running please ignore the step]
2. Back up and remove the files in:
  ./configuration/csk/
  ./configuration/encryptkeypair/
  ./configuration/signkeypair/
3. Back up and remove ./configuration/cogstartup.xml
4. Export cogstartup.xml from "cognos configuration" from original image and copy cogstartup.xml to ./configuration into new vmimage/clone.
5. Launch Cognos Configuration, Save Configuration in the clone.

6. Start Cognos Configuration
7. Test all the config settings and start Cognos Service again.

kaazimraza

Hi guys,

I had to perform an additional step. I had to change the host name in cogconfig.prefs file, from old_host_name to new_host_name.

Thanks
Kaz
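
The back-up-and-remove steps listed in the thread (steps 2 and 3 of the last procedure) and the cogconfig.prefs host name check, as an added shell example that is not part of the original posts. The function names, arguments and backup location are assumptions; the backup contains key material and a configuration file with encrypted credentials, so it is left readable by its owner only.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are illustrative.
# Run it on the clone with the Cognos service stopped (step 1).

# reset_clone_keys CONFIG_DIR BACKUP_ROOT
# Copies csk/, encryptkeypair/, signkeypair/ and cogstartup.xml into a
# timestamped directory under BACKUP_ROOT, then removes the originals.
# Prints the backup directory on success.
reset_clone_keys() {
    cfg=$1
    root=$2
    [ -d "$cfg" ] || { echo "no such configuration dir: $cfg" >&2; return 1; }
    old_umask=$(umask)
    umask 077                      # new backup directory: owner only
    dest="$root/cognos-keys-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    for item in csk encryptkeypair signkeypair cogstartup.xml; do
        [ -e "$cfg/$item" ] || continue
        # Remove the original only after its copy has succeeded.
        if cp -Rp "$cfg/$item" "$dest/"; then
            rm -rf "$cfg/$item"
        else
            umask "$old_umask"
            return 1
        fi
    done
    umask "$old_umask"
    # cp -p preserved the source modes, so tighten the copies explicitly.
    chmod -R go-rwx "$dest"
    echo "$dest"
}

# prefs_mentions_host CONFIG_DIR HOST
# Returns 0 if cogconfig.prefs still contains HOST (fixed-string match),
# i.e. the clone still refers to the machine it was copied from.
prefs_mentions_host() {
    [ -f "$1/cogconfig.prefs" ] && grep -qF -- "$2" "$1/cogconfig.prefs"
}

# Example call (paths are placeholders):
#   reset_clone_keys /path/to/cognos/configuration /path/to/backups
```

After this, the remaining steps from the thread (copying in the exported cogstartup.xml and saving in Cognos Configuration) are done by hand.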