
Error when importing PKCS12 certificate into Certificates > Truststore: Error updating truststore file (filename) [DOM_001]:java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. #78

Open
Nirali22 opened this issue May 8, 2024 · 6 comments

Comments

@Nirali22

Nirali22 commented May 8, 2024

Hello!

I recently installed two harmony access points on different AWS EC2 instances in an attempt to send a test message from one AP to another.

I was following the "Static Discovery" guide, which required me to either import a PKCS12 file directly into Certificates > Truststore or upload individual PEM files per Party under PMode > Parties.

Every time I tried to import a certificate (via a .P12 file as well as a .PEM file), I ran into the same error:

Error updating truststore file (filename) [DOM_001]:java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

I can confirm that I entered the correct password when trying to import the .P12 file. I was able to use keytool to access contents of the file as well.

How can I overcome this issue? Is there another way to add certificates?

@petkivim
Contributor

petkivim commented May 8, 2024

Hi @Nirali22! What Access Point version number and host operating system (Ubuntu 20.04 / Ubuntu 22.04 / Docker) are you using?

Also, did you export the TLS certificate following the instructions available here? If you copy/paste the commands from the user guide, you should have a .cer file that's imported to the other Access Point's TLS truststore. For example, this is the command that you would run on the Access Point 1:

sudo keytool -export -keystore /etc/harmony-ap/tls-keystore.p12 -alias org1_gw -file org1_tls_certificate.cer -storepass <tls_keystore_password>

@Nirali22
Author

Nirali22 commented May 8, 2024

Hi @petkivim!
Thank you for the quick response. The UI shows harmony-MSH Version [2.2.2] and I've installed it on Ubuntu 22.04.

I was actually referring to the "Import Trusted Certificates" section in the documentation
https://github.com/nordic-institute/harmony-common/blob/main/doc/static_discovery_configuration_guide.md#241-import-trusted-sign-certificates

I'm guessing that's separate from the TLS certificate you're referring to? I'm not sure, but I'll give this a try! Thank you :)

@Nirali22
Author

Nirali22 commented May 8, 2024

Hey @petkivim
Per your suggestion, I generated a .cer file using keytool and tried importing it using the "Add Certificate" option within Certificates > Truststore

Unfortunately, I ran into the same error (I entered the same alias I used to generate the CER):
Error updating truststore file (ap1_sign_certificate.cer) java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

On the other access point, I'm unable to generate a CER using keytool and the UI displays this error: Error reseting the TrustStore: [DOM_001]:Could not load store named domibus.truststore

@petkivim
Contributor

petkivim commented May 9, 2024

Hi @Nirali22! Have you tried to follow the Example configuration section of the Static Discovery Guide? It provides step-by-step instructions to complete the required configuration.

I just completed the Example configuration and set up two Access Points v2.2.2 running on fresh Ubuntu 22.04 LTS hosts. I was able to complete all the steps successfully without any issues. Unfortunately, I wasn't able to reproduce the issues that you're having. However, I think you should get rid of them by following the steps described in the Example configuration section.

@Nirali22
Author

Hi @petkivim!

I restarted harmony-ap on both the access points using the command: sudo systemctl restart harmony-ap (assuming it might help me get rid of the error) and now when I access the Certificates section using the admin UI, I get this error pop up: Error loading data for 'KeyStore' component: [DOM_001]:Could not load store named domibus.truststore

All the keytool commands fail with "keytool error: java.io.IOException: keystore password was incorrect". I'm quite sure I entered the correct keystore pass. Due to these errors, I'm unable to continue with the steps in the Example configuration section. :(

@petkivim
Contributor

petkivim commented May 14, 2024

Hi @Nirali22! I recommend that you remove the Access Point installations and install them again so that you can start over with a clean setup. Here you can find instructions to remove the Access Point software. After removing the installation, you should start the example configuration from the beginning.

Here you can find the locations of the passwords of different keystore and truststore files. The error keytool error: java.io.IOException: keystore password was incorrect means that you have the wrong password.

Alternatively, here are some helper commands that you can use to extract the passwords from the configuration files. However, you must install xmlstarlet (sudo apt install xmlstarlet) before extracting the TLS keystore password:

# /etc/harmony-ap/ap-keystore.jks
sudo grep "domibus.security.keystore.password" /etc/harmony-ap/domibus.properties | cut -d'=' -f2 | head -n 1

# /etc/harmony-ap/tls-keystore.jks
sudo xmlstarlet sel -t -v "/Server/Service/Connector/@keystorePass" /etc/harmony-ap/tomcat-conf/server.xml
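The grep/cut helper above keeps only the text between the first and second '=' on the line, so a keystore password that itself contains '=' (common for base64-style values) would be truncated and then look like a "wrong password" in keytool. The following POSIX sh functions are an added example, not part of harmony-ap or this thread: they read a key from a Java .properties file without that truncation and then confirm the password against a store with a read-only keytool -list, so a bad value can be distinguished from a corrupt store before anything is imported. The store path and property name are the ones quoted in this thread; the check assumes keytool is on PATH and the files are readable (run with sudo).

```shell
# Added example, not harmony-ap's own tooling. Assumes POSIX sh, grep, sed, tr.

# prop_value FILE KEY: print the value of KEY from a Java .properties file.
# Skips '#'/'!' comment lines, takes the first exact key match, strips the key
# and the first '=' (or ':') plus surrounding whitespace, and keeps everything
# after it, so a value such as "ab=cd==" is returned whole.
prop_value() {
    file="$1"; key="$2"
    esc=$(printf '%s' "$key" | sed 's/[.]/\\./g')   # '.' is a regex metachar
    tr -d '\r' < "$file" \
      | grep -v '^[[:space:]]*[#!]' \
      | grep "^[[:space:]]*${esc}[[:space:]]*[=:]" \
      | head -n 1 \
      | sed -e 's/^[^=:]*[=:][[:space:]]*//' -e 's/[[:space:]]*$//'
}

# check_store_password STORE PASSWORD: read-only probe of a JKS/PKCS12 store.
# Exit 0 = password opens the store, 1 = keytool refused it (wrong password,
# undecryptable or missing store), 2 = keytool is not installed.
check_store_password() {
    store="$1"; pw="$2"
    command -v keytool >/dev/null 2>&1 || return 2
    keytool -list -keystore "$store" -storepass "$pw" >/dev/null 2>&1
}

# Usage with the paths quoted in the thread (run as root):
#   pw=$(prop_value /etc/harmony-ap/domibus.properties domibus.security.keystore.password)
#   check_store_password /etc/harmony-ap/ap-keystore.jks "$pw"; echo "exit status $?"
```

An exit status of 1 with the extracted password means the store file itself should be inspected (the same failure shows up in the UI as the "Could not load store" error), while a clean 0 followed by an import failure points at the file being imported rather than the truststore password.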


2 participants