Documentation

SSL certificates getting reverted after switching over the author manually

Last update: Fri Oct 27 2023 00:00:00 GMT+0000 (Coordinated Universal Time)

Learn how to fix SSL Certificates getting reverted after switching over the author manually.

Description description

Environment

Adobe Experience Manager (AEM) on-premises 6.5.15

Issue/Symptoms

An AEM environment is set up with two authors, publishers, and dispatchers, where one author is active (primary), one author is on standby (secondary), and the publishers and dispatchers are in high availability.

The secondary author is not enabled with SSL, so while importing the SSL certificates, in order to switch over to it, the primary author needs to be shut down.

After this operation, the secondary author will be accessible. After performing these steps, the authors can be switched back to their initial state. When the same procedure is attempted one more time by switching on the secondary author, it is inaccessible due to the lack of availability of the certificates that were imported earlier.

Resolution resolution

Follow these steps to sync the HMAC:

On the primary author:

  1. Navigate to OSGi > Bundles and confirm bundle< ID> for "com.adobe.granite.crypto.file".
  2. Navigate to "/crx-quickstart/launchpad/felix/bundle<ID>/data", where bundle< ID> is the one found in step 1.
  3. Copy “hmac” and “master” under "/crx-quickstart/launchpad/felix/bundle<Id>/data".

On the secondary author:

  1. Navigate to OSGi > Bundles and confirm bundle< ID> for "com.adobe.granite.crypto.file"
  2. Take a backup of "/crx-quickstart/launchpad/felix/bundle<ID>/data".
  3. Paste the two copied files from author1 to the same path in author2, replacing the old ones.
  4. Restart the target com.adobe.granite.crypto bundle or the entire AEM instance.

After syncing the HMAC keys on the two authors, the certificates are no longer reverted.

Note:
Error [ 1] was present in the error log for the secondary author.

[ 1]

03.09.2023 12:30:29.212 *WARN* [ FelixStartLevel]  com.adobe.granite.crypto.config.internal.GraniteCryptoConfigurationPlugin Exception while decrypting the configuration mapcom.adobe.granite.crypto.CryptoException: Cannot convert byte dataat com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:130) [ com.adobe.granite.crypto:3.4.16] at com.adobe.granite.crypto.config.internal.GraniteCryptoConfigurationPlugin.modifyConfiguration(GraniteCryptoConfigurationPlugin.java:57) [ com.adobe.granite.crypto.config:0.0.4] at org.apache.felix.cm.impl.ConfigurationManager.callPlugins(ConfigurationManager.java:912) [ org.apache.felix.configadmin:1.9.12] at org.apache.felix.cm.impl.ConfigurationAdapter.getProcessedProperties(ConfigurationAdapter.java:292) [ org.apache.felix.configadmin:1.9.12] at org.apache.felix.scr.impl.manager.RegionConfigurationSupport.configureComponentHolder(RegionConfigurationSupport.java:228) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.BundleComponentActivator.setRegionConfigurationSupport(BundleComponentActivator.java:785) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.helper.ConfigAdminTracker$1.addingService(ConfigAdminTracker.java:69) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.helper.ConfigAdminTracker$1.addingService(ConfigAdminTracker.java:41) [ org.apache.felix.scr:2.1.20] at org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:943)at org.osgi.util.tracker.ServiceTracker$Tracked.customizerAdding(ServiceTracker.java:871)at org.osgi.util.tracker.AbstractTracked.trackAdding(AbstractTracked.java:256)at org.osgi.util.tracker.AbstractTracked.trackInitial(AbstractTracked.java:183)at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:321)at org.osgi.util.tracker.ServiceTracker.open(ServiceTracker.java:264)at org.apache.felix.scr.impl.helper.ConfigAdminTracker.<init>(ConfigAdminTracker.java:86) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.BundleComponentActivator.<init>(BundleComponentActivator.java:269) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.Activator.loadComponents(Activator.java:551) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.Activator.access$200(Activator.java:69) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.Activator$ScrExtension.start(Activator.java:424) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.AbstractExtender.createExtension(AbstractExtender.java:196) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:169) [ org.apache.felix.scr:2.1.20] at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:49) [ org.apache.felix.scr:2.1.20] at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:488)at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:420)at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:232)at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4817)at org.apache.felix.framework.Felix.startBundle(Felix.java:2336)at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1539)at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)at java.lang.Thread.run(Thread.java:750)Caused by: com.adobe.granite.crypto.CryptoException: Failed decrypting cipher textat com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:66) [ com.adobe.granite.crypto:3.4.16] at com.adobe.granite.crypto.internal.CryptoSupportImpl.unprotect(CryptoSupportImpl.java:127) [ com.adobe.granite.crypto:3.4.16] ... 33 common frames omittedCaused by: com.rsa.jsafe.JSAFE_PaddingException: Invalid padding.at com.rsa.jsafe.JSAFE_SymmetricCipher.decryptFinal(Unknown Source)at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:267)at com.adobe.granite.crypto.internal.jsafe.JSafeCryptoSupport.getPlainText(JSafeCryptoSupport.java:249)at com.adobe.granite.crypto.internal.CryptoSupportImpl.decrypt(CryptoSupportImpl.java:64) [ com.adobe.granite.crypto:3.4.16] ... 34 common frames omitted

Cause

This error usually appears when the crypto feature is broken on the instance, and in this case, the HMAC key needs to be synced from the instance from where the certificates were imported.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f