Error while importing RSA Identity Management and Governance Collector metadata: java.lang.IllegalStateException: An issue while handling encryption was encountered

4 years ago

Originally Published: 2016-12-30

Article Number

000040220

Applies To

RSA Product Set: Identity Management and Governance
RSA Version/Condition: 6.9.x, 7.0.x

Issue

When importing a metadata file through the User Interface from Admin > Import/Export, that has been exported from another RSA Identity Management and Governance server, the export fails with the following error in the aveksaServer.log:

05/24/2016 04:17:44.121 ERROR (default task-47) [com.aveksa.server.export.ExportImportConverter] unmarshal
com.aveksa.server.runtime.ServerException: ExportedRoleDataCollector: error
        at com.aveksa.server.export.proxy.ProxyObject.toServerException(ProxyObject.java:148)
        at com.aveksa.server.export.proxy.ProxyObject.toServerException(ProxyObject.java:156)
        at com.aveksa.server.export.proxy.ExportedRoleDataCollector.normalizeAndPersist(ExportedRoleDataCollector.java:80)
        at com.aveksa.server.export.proxy.ProxyObject.unmarshall(ProxyObject.java:63)
        at com.aveksa.server.export.ExportImportConverter.unmarshal(ExportImportConverter.java:118)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convert(TreeUnmarshaller.java:72)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:66)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.convertAnother(TreeUnmarshaller.java:50)
        at com.thoughtworks.xstream.core.TreeUnmarshaller.start(TreeUnmarshaller.java:134)
        at com.thoughtworks.xstream.core.AbstractTreeMarshallingStrategy.unmarshal(AbstractTreeMarshallingStrategy.java:32)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1058)
        at com.thoughtworks.xstream.XStream.unmarshal(XStream.java:1030)
        at com.thoughtworks.xstream.XStream$2.readFromStream(XStream.java:1723)
        at com.thoughtworks.xstream.core.util.CustomObjectInputStream.readObjectOverride(CustomObjectInputStream.java:104)
        at java.io.ObjectInputStream.readObject(ObjectInputStream.java:364)
        at com.aveksa.server.export.ExportImportController.importMetadata(ExportImportController.java:114)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportTablePage.processTable(ImportTablePage.java:65)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportWizard.processTable(ImportWizard.java:139)
        at com.aveksa.gui.pages.admin.metadata.edit.CommonPromptPage.handleSubmit(CommonPromptPage.java:54)
        at com.aveksa.gui.pages.admin.metadata.edit.general.ImportPromptPage.handleSubmit(ImportPromptPage.java:55)
        at com.aveksa.gui.pages.base.data.wizard.StepWizardDialogData.handleRequest(StepWizardDialogData.java:113)
        at com.aveksa.gui.pages.PageManager.forwardRequest(PageManager.java:577)
        at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:341)
        at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:272)
        at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:177)
        at com.aveksa.gui.core.MainManager.doGet(MainManager.java:126)
        at com.aveksa.gui.core.MainManager.doPost(MainManager.java:412)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
        at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
        at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:53)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
        at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:63)
        at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
        at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:261)
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:247)
        at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:76)
        at io.undertow.servlet.handlers.ServletInitialHandler$1$1.run(ServletInitialHandler.java:172)
        at java.security.AccessController.doPrivileged(Native Method)
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:169)
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:197)
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:759)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: An issue with handling encryption was encountered
        at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:501)
        at com.aveksa.server.utils.PasswordTypePropertyHandler.convertPassword(PasswordTypePropertyHandler.java:93)
        at com.aveksa.server.utils.PasswordTypePropertyHandler.managePasswordTypeProperties(PasswordTypePropertyHandler.java:63)
        at com.aveksa.server.core.DataCollector.managePasswordTypeProperties(DataCollector.java:963)
        at com.aveksa.server.core.DataCollector.setBaseDataCollectorVO(DataCollector.java:387)
        at com.aveksa.server.core.RoleDataCollector.getRoleDataCollectorVO(RoleDataCollector.java:163)
        at com.aveksa.server.export.proxy.ExportedRoleDataCollector.normalizeAndPersist(ExportedRoleDataCollector.java:58)
        ... 64 more
Caused by: com.aveksa.common.crypto.EncryptionException: Value to be decrypted has no associated encryptor for its 
embedded key version: keyVersion[XyZ]; Value[ENCAQcV(XyZ...)]
 -- Check that the security key file is not missing
        at com.aveksa.common.crypto.EncryptionMgr.decrypt(EncryptionMgr.java:495)
        ... 70 more

Cause

The security mechanisms in RSA Identity Management and Governance have changed beginning in 6.9.1 to eliminate passwords stored in clear text and to improve encryption key handling to be more secure and robust. Due to these changes the import of exported metadata from a different server will fail.

Workaround

The solution for using the import option is to manually remove the encrypted password from the exported XML metadata file before importing and then setting the password through the user interface, once the object is imported in the new environment.

Notes

Improvements are anticipated in future releases to give a warning to reenter the password and not fail with an error on the import.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles