Scheduled async task , when running makes the server crash

[xavnicnsi]

Hello emshedu,

Hope you're going great :) So we did setup the up-to-date Docusign plugin code, and configured the schedule async task as suggested in the readme. But when the task is triggered, it makes the websphere server crash.

Here is the log of our websphere server: FINE: Enter addError: exception=com.ibm.ecm.util.security.CryptionException: javax.crypto.BadPaddingException: Given final block not properly padded [3/22/22 12:01:00:343 CDT] 00000252 SystemErr R Mar 22, 2022 12:01:00 PM BaseTask run SEVERE: Exception com.ibm.ecm.util.security.CryptionException: javax.crypto.BadPaddingException: Given final block not properly padded at com.ibm.ecm.util.security.Cryption.decrypt(Cryption.java:304) at com.ibm.ecm.util.security.Cryption.decryptFromBytes(Cryption.java:242) at com.ibm.ecm.util.security.Cryption.decrypt(Cryption.java:212) at com.ibm.ecm.util.security.Cryption.decrypt(Cryption.java:192) at com.ibm.ecm.icntasks.util.TaskUtils.getDecryptedPassword(TaskUtils.java:160) at com.ibm.icn.extension.docusign.util.P8ConnectionUtil.getTargetOS(P8ConnectionUtil.java:63) at com.ibm.icn.extension.docusign.tasks.CheckInSignedDocument.performTask(CheckInSignedDocument.java:80) at com.ibm.ecm.task.commonj.work.BaseTask.run(BaseTask.java:104) at com.ibm.ws.asynchbeans.J2EEContext$RunProxy.run(J2EEContext.java:267) at java.security.AccessController.doPrivileged(AccessController.java:708) at javax.security.auth.Subject.doAs(Subject.java:490) at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:133) at com.ibm.websphere.security.auth.WSSubject.doAs(WSSubject.java:91) at com.ibm.ws.asynchbeans.J2EEContext$DoAsProxy.run(J2EEContext.java:338) at java.security.AccessController.doPrivileged(AccessController.java:738) at com.ibm.ws.asynchbeans.J2EEContext.run(J2EEContext.java:1174) at com.ibm.ws.asynchbeans.WorkWithExecutionContextImpl.go(WorkWithExecutionContextImpl.java:199) at com.ibm.ws.asynchbeans.CJWorkItemImpl.run(CJWorkItemImpl.java:237) at java.lang.Thread.run(Thread.java:825) Caused by: javax.crypto.BadPaddingException: Given final block not properly padded at com.ibm.crypto.fips.provider.at.a(Unknown Source) at com.ibm.crypto.fips.provider.at.b(Unknown Source) at com.ibm.crypto.fips.provider.at.engineDoFinal(Unknown Source) at javax.crypto.Cipher.doFinal(Unknown Source) at com.ibm.ecm.util.security.Cryption.decrypt(Cryption.java:287) ... 18 more

Do you have any ideas why? TIA

[emshedu]

Hi xavnicnsi it's a crypto issue. Rotate the keys using this https://www.ibm.com/support/pages/troubleshooting-crypto-errors-ibm-content-navigator And rotate only the DEK

[xavnicnsi]

hello emshedu,

I rotated the DEK keys as mentioned in your provided link but the error persists :(

[emshedu]

Hi I will setup scenarios to try to replicate that. i'll get back to you soonest. BTW, if you are satisfied with the previous case [https://github.com/ibm-ecm/ibm-content-navigator-samples/issues/9], may you please close it. Thank you!!

[xavnicnsi]

it's now closed.

Thanks emshedu!

[xavnicnsi]

by the way emshedu, I notticed you changed the settings field for the async schedule task. Before the auto-checkin, it was requested to fill the following fields: Int key, Docusign account username, Docusign accout password and maybe private key location. Within the new version with auto checkin, it is requested to fill Int key, User ID and Account ID instead and private key location. Are the new requested fields correct? TIA

[emshedu]

I have been unable to replicate the issue after rotating the key. Are you getting the exact same error? Also, the task config was updated to stay in alignment with Auth 2.0 requirements (not to use username and password for logging). You would need to fill the entries like it is done in the plugin admin config pane

[xavnicnsi]

I used the same entries used in the docusign plugin admin config pane and yes still the same error.

[emshedu]

Hi xavnicnsi, can you confirm that you did step two in the instruction which is to re-set all secrets. You'll have to do that in the ICM admin settings page as well as the TM connection ID set on the repository.

Reset secrets by going to the ICN admin desktop and saving configurations that contain secrets. For example, to reset the Task Manager administrator password, go to the settings page (and the repository configuration page) and save the configuration after entering the password.

[xavnicnsi]

Hi emshedu, yes we did that step following the instructions we found here https://www.ibm.com/support/pages/sharing-documents-content-navigator-will-fail-javaxcryptobadpaddingexception-given-final-block-not-properly-padded but still the same result.

[emshedu]

Can you please open a collaboration, so as to collect detailed debug information on the situation. I believe there is a crpto issue that has nothing to do with the plugin. But we can only confirm. Please create a collaboration, including the har file and tasksmanger debug logs

[xavnicnsi]

Hello emshedu, do you have an ibm email contact?

[emshedu]

Hi! Yes I do, However, I cannot comment it here: you can open a support case and ask that it be routed to me (Emmanuel Shedu) as I am aware of the issue. And an L2 Will open a collaboration.

[xavnicnsi]

Hi Emmanuel,

I requested the case support to be routed to you :) Thanks

[emshedu]

Thank you! We began investigation already. I will leave this case open for the time being