Hi,

Jay SenSharma

Security-related errors often appear while starting WebLogic Server. Most of them occur because the security-related files have been corrupted. Always keep a backup of the “<DOMAIN_HOME>/security” directory and the “<DOMAIN_HOME>/servers/AdminServer/ldap” directory to prevent any loss.

Here is a very common example of such an exception and its remedy. If you get the following kind of error trace while starting WebLogic Server, the server will not come up. To get past this exception, follow the steps given after the trace:

Caused By:  weblogic.security.internal.encryption.EncryptionServiceException:  com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding:  invalid pad byte.
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:125)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:173)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:173)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:991)
at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential (SecurityConfigurationMBeanImpl.java:709)
at weblogic.security.internal.ServerPrincipalValidatorImpl.getSecret(ServerPrincipalValidatorImpl.java:88)
at weblogic.security.internal.ServerPrincipalValidatorImpl.sign(ServerPrincipalValidatorImpl.java:67)
at weblogic.security.service.PrivilegedActions$SignPrincipalAction.run(PrivilegedActions.java:62)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.security.service.SecurityServiceManager.createServerID(SecurityServiceManager.java:1098)
at weblogic.security.service.SecurityServiceManager.getServerID(SecurityServiceManager.java:1111)
at weblogic.security.service.SecurityServiceManager.sendASToWire(SecurityServiceManager.java:602)
at weblogic.server.channels.ChannelService.resetQOS(ChannelService.java:284)
at weblogic.server.channels.ChannelService.start(ChannelService.java:250)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)

Caused By: weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
We encounter this exception when the SerializedSystemIni.dat file gets corrupted. This file contains the hash used to decrypt the encrypted values present in <DOMAIN_HOME>/config/config.xml.

You can try the following: change all the encrypted values in config.xml to plain text and try to start the server again.

Example:
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>{3DES}Va1McYXiUPirK77U+SQfMg==</node-manager-password-encrypted>
<default-realm>myrealm</default-realm>
<anonymous-admin-lookup-enabled>false</anonymous-admin-lookup-enabled>
<credential-encrypted>{3DES}diqufr0TEjlJuLvdnhvtCxEUbxr0yIm8dadNaJRqiefJgGQqcWagiY4tlLX3I3pWa/jpBKeMzyEJgufp/725y1/PXSt0mWOh</credential-encrypted>

Change the above “config.xml” entries as shown below, replacing all the encrypted values with cleartext values:
<node-manager-password-encrypted>weblogic</node-manager-password-encrypted>
<credential-encrypted>weblogic</credential-encrypted>
<embedded-ldap>
<name>Your_Domain</name>
<credential-encrypted>weblogic</credential-encrypted>
</embedded-ldap>

Then restart your Server. For more info on this please refer to: http://forums.oracle.com/forums/thread.jspa?threadID=1570604&tstart=0

NOTE:

You will have to start your production servers in Development Mode first with the cleartext passwords, and then shut them down. Next time you can start them in Production Mode.
This works because as soon as the server starts in Development Mode with cleartext passwords, the passwords are automatically encrypted. So the next time you start the servers in Production Mode you won't see any issue.

So the steps are:
1). Provide the cleartext passwords in “config.xml”.
2). Start the server in Development Mode (as soon as the server comes up, the cleartext passwords in config.xml will be encrypted again).
3). Now you can shut down the servers running in Development Mode and then start them in Production Mode.
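
A check to run between steps 2 and 3, added here as an example (it is not from the original post): it lists every element in config.xml whose name ends in "-encrypted" and reports whether its value is still cleartext, without printing the value. The function names, the "ends in -encrypted" matching rule and the {AES} prefixes are assumptions; only {3DES} appears in this post.

```python
import re
import xml.etree.ElementTree as ET

# {3DES} is the prefix shown in this post; {AES}/{AES256} are assumed here
# for newer WebLogic releases.
ENCRYPTED = re.compile(r"^\{(3DES|AES\d*)\}[A-Za-z0-9+/]+={0,2}$")

# Constructed sample: mixes the "before" and "after" snippets from the post.
SAMPLE_CONFIG = """<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <security-configuration>
    <node-manager-username>weblogic</node-manager-username>
    <node-manager-password-encrypted>{3DES}Va1McYXiUPirK77U+SQfMg==</node-manager-password-encrypted>
    <credential-encrypted>weblogic</credential-encrypted>
  </security-configuration>
  <embedded-ldap>
    <name>Your_Domain</name>
    <credential-encrypted>weblogic</credential-encrypted>
  </embedded-ldap>
</domain>"""


def local(tag):
    """Strip the XML namespace: '{ns}name' -> 'name'."""
    return tag.rsplit("}", 1)[-1]


def audit_encrypted_fields(xml_text):
    """Return [(path, state)] for every *-encrypted element, where state is
    'encrypted', 'cleartext' or 'empty'. Values are never returned."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{local(elem.tag)}"
        if local(elem.tag).endswith("-encrypted"):
            value = (elem.text or "").strip()
            if not value:
                state = "empty"
            elif ENCRYPTED.match(value):
                state = "encrypted"
            else:
                state = "cleartext"
            findings.append((here, state))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


if __name__ == "__main__":
    for path, state in audit_encrypted_fields(SAMPLE_CONFIG):
        print(f"{state:9} {path}")
```

Any field still reported as cleartext after the Development Mode start means the re-encryption did not happen for that value, so the file should not be carried into Production Mode as it is.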

Thanks
Jay SenSharma
