ISE v1.1 NAD 6500 failed to decrypt Key......

Hello everyone ,
I've implemented 2 Cisco ISE v1.1 in HA to run MAB and 802.x Authentication / Authorization, using Local ISE DB and Active Directory as an External Identity Source for wireless and wired users and devices. This was working fine 2 weeks ago after finishing installation.
My NAD devices are a Core SW 6500 for wired users (there are no access SWs, just the Core for the whole network; it's a small office) and a WLC 2405 for Wireless Users.
Here is the network topology:
DNSs are fully resolvable in the forward and reverse zones, and the ISEs, AD, WLC and SW Core are synched with the same NTP server.
As I mentioned, Authentication and Authorization were working fine. Two weekends ago there was an electrical outage in the office. When the ISE servers came up, the trust relationship between AD and ISEs was broken and so was HA replication. I did some troubleshooting to delete and install new certificates from AD into both ISEs and build the HA configuration again. I finally got the ISEs working fine again.
This last weekend, another electrical outage occurred in the office (client is working with a temporary plant and is already warned about electrical damages not covered by warranty) and the ISE servers came up in the same condition again, no trust relationship with AD (Domain Controller). So I fixed this again by deleting and installing new certificates into ISE. The problem is that for some reason the NAD 6500 is not authenticating to the ISE. I'm receiving the following debug messages in the SW:
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
Sep 12 17:41:00.222: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:00.222: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:00.226: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:00.226: RADIUS: Response (165) failed decrypt
Sep 12 17:41:05.110: RADIUS(00000000): Request timed out
Sep 12 17:41:05.110: RADIUS: Retransmit to (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:05.110: RADIUS(00000000): Started 5 sec timeout
Sep 12 17:41:05.114: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:05.114: RADIUS:  authenticator 00 D5 B6 0B C9 49 83 81 - 87 17 23 82 2B 6A CB C7
Sep 12 17:41:05.114: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 17:41:05.114: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:05.114: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:05.114: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
Sep 12 17:41:05.114: RADIUS: Response (165) failed decrypt
Sep 12 17:41:10.438: RADIUS(00000000): Request timed out
Sep 12 17:41:10.438: RADIUS: No response from (172.16.3.5:1812,1813) for id 1645/165
Sep 12 17:41:10.438: RADIUS/DECODE: parse response no app start; FAIL
Sep 12 17:41:10.438: RADIUS/DECODE: parse response; FAIL
Sep 12 17:41:13.682: %MAB-5-FAIL: Authentication failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-7-RESULT: Authentication result 'server dead' from 'mab' for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:13.682: %AUTHMGR-5-FAIL: Authorization failed for client (a44c.11ca.eadf) on Interface Gi1/29
Sep 12 17:41:00.222: RADIUS(00000000): Request timed out
I have deleted and created the 6500 NAD again in the ISE, and configured the Radius-Key again in the 6500, making sure they are exactly the same. But I keep receiving the same errors.
I have already reviewed the following links:
http://www.cisco.com/en/US/docs/wireless/access_point/12.3_7_JA/configuration/guide/s37err.html
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_logging.html#wp1061989
http://puck.nether.net/pipermail/cisco-nas/2004-May/000686.html
And the troubleshooting section from the Cisco Identity Services Engine User Guide, Release 1.0.4
Everything points to the Radius Key between ISE and the 6500SW being wrong, but I've configured it again twice and typed it letter by letter slowly to avoid any typos.
ISE version: 1.1.0.665
ADE OS: 2
Active Directory: Windows 2008 R2 Standard
6500 SW Config:
Building configuration...
Current configuration : 65413 bytes
! Last configuration change at 12:22:42 MXVeran Tue Jul 31 2012 by ho1a
! NVRAM config last updated at 22:21:11 MXVeran Mon Jul 30 2012 by ho1a
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service compress-config
service counters max age 5
boot-start-marker
boot system flash bootdisk:
boot-end-marker
logging buffered 64000
enable secret 5 $1$QoxK$w6sZJ66pXDMLS1lGPp3KR.
username ho1a privilege 15 secret 5 $1$DYMo$O8BQi2u.emzdCFfNMxCTd.
username test-radius password 7 14141B180F0B7B7977
aaa new-model
aaa authentication login Tr3s41ia.2012 local
aaa authentication dot1x default group radius
aaa authorization exec default local
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
aaa server radius dynamic-author
client 172.16.3.5 server-key 7 110A1016141D5A5E57
aaa session-id common
platform ip cef load-sharing ip-only
platform rate-limit layer2 port-security pkt 300 burst 10
clock timezone MXInv -6
clock summer-time MXVerano recurring
authentication critical recovery delay 1000
interface GigabitEthernet8/1
switchport
switchport access vlan 2
switchport mode access
ip access-group ACL_ISE_Default in
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
spanning-tree portfast edge
ip default-gateway 172.16.3.2
ip forward-protocol nd
ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 172.16.3.2
ip radius source-interface Vlan3 vrf default
logging origin-id ip
logging source-interface Vlan3
logging host 172.16.3.5 transport udp port 20514
snmp-server group Tr3s41ia.2012aes v3 priv
snmp-server group Tr3s41ia.2012md5 v3 auth
snmp-server community public RO
snmp-server community tresaliarw RW
snmp-server community tresaliaro RO
snmp-server trap-source Vlan3
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps memory bufferpeak
no snmp-server enable traps entity-sensor threshold
snmp-server enable traps cpu threshold
snmp-server enable traps vtp
snmp-server enable traps flash insertion removal
snmp-server enable traps mac-notification move change
snmp-server enable traps errdisable
snmp-server host 172.16.3.4 version 3 priv Tr3s41ia.2012aes
snmp-server host 172.16.3.4 version 3 auth Tr3s41ia.2012md5
snmp-server host 172.16.3.5 version 2c tresaliaro
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server host 172.16.3.5 auth-port 1812 acct-port 1813 test username test-radius key 7 104D000A061843595F
radius-server vsa send accounting
radius-server vsa send authentication
control-plane
service-policy input policy-default-autocopp
line con 0
logging synchronous
login authentication Tr3s41ia.2012
line aux 0
line vty 0 4
login authentication defaulTr3s41ia.2012
transport input ssh
line vty 5 1509
login authentication defaulTr3s41ia.2012
transport input ssh
ntp clock-period 17179836
ntp peer 172.16.4.9
no event manager policy Mandatory.go_switchbus.tcl type system
end
Additionally, I'm getting the following screen when accessing the Stand-by server via https:
I'm thinking that there might be some problems with the CA Certificates installed on the ISEs, or some corrupted data due to the 2 sudden restarts.
Any help, hint or direction will be really appreciated.
Thanks in advance for your time. Best Regards.

Hello Tarik, thanks for your response,
I'll go ahead and remove and configure again the complete radius configuration on the SW and let you know what happens. If this doesn't work, I'm thinking that re-installing the ISE server might be the solution. It was working fine after the fresh install.
I use the command "test aaa group radius username password new-code" to test SW communication to ISE and here is the debug output from the SW:
Sep 12 20:42:59.713: RADIUS/ENCODE(00000000):Orig. component type = INVALID
Sep 12 20:42:59.713: RADIUS(00000000): Config NAS IP: 172.16.3.1
Sep 12 20:42:59.713: RADIUS(00000000): sending
Sep 12 20:42:59.713: RADIUS(00000000): Send Access-Request to 172.16.3.5:1812 id 1645/93, len 56
Sep 12 20:42:59.713: RADIUS:  authenticator 24 52 30 41 B7 06 74 CE - C7 4B 7B FF 87 88 F7 23
Sep 12 20:42:59.713: RADIUS:  User-Password       [2]   18  *
Sep 12 20:42:59.713: RADIUS:  User-Name           [1]   6   test
Sep 12 20:42:59.713: RADIUS:  Service-Type        [6]   6   Login                     [1]
Sep 12 20:42:59.713: RADIUS:  NAS-IP-Address      [4]   6   172.16.3.1               
Sep 12 20:42:59.713: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.485: RADIUS(00000000): Started 5 sec timeout
Sep 12 20:43:14.489: RADIUS: Received from id 1645/93 172.16.3.5:1812, Access-Reject, len 20
Sep 12 20:43:14.489: RADIUS:  authenticator B2 89 18 4B F5 D8 D6 67 - 85 4D 1E C3 DE C9 06 85
Sep 12 20:43:14.489: RADIUS: response-authenticator decrypt fail, pak len 20
Sep 12 20:43:14.489: RADIUS: packet dump: 035D0014B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: expected digest: EDB6C64ADA12BCD81CD21C3EF28CDB27
Sep 12 20:43:14.489: RADIUS: response authen: B289184BF5D8D667854D1EC3DEC90685
Sep 12 20:43:14.489: RADIUS: request  authen: 24523041B70674CEC74B7BFF8788F723
Sep 12 20:43:14.489: RADIUS: Response (93) failed decrypt
User rejected
And here are the results from the Operations/Authentications tab in ISE:
There are no other SWs in the network, just the Core. I cannot test Wireless Authentication since the AccessPoint Switchport is also controlled by ISE and is not Authenticated right now. I can Authenticate the Active Directory Users using the NTRadPing tool as a test and it's successful. AD and 6500 SW are using the same Radius key to communicate with ISE. Here is the AD user Authentication:
So I'll proceed to re-configure the SW for Radius server and let you know if this is the solution.
Thanks in advance for your time and comments.
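
The check the switch is failing in the debug output above, as an added example (not part of the original posts and not Cisco code): per RFC 2865 the Response Authenticator is MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret, so any difference in the key on either side, a trailing space included, makes the two digests disagree. The function names, the constructed key, and the reading of "expected digest" as the value the switch computed with its own key are assumptions.

```python
import hashlib
import hmac
import re

# Debug lines copied from the first switch capture quoted in the post.
IOS_DEBUG = """\
Sep 12 17:41:00.226: RADIUS: Received from id 1645/165 172.16.3.5:1812, Access-Reject, len 20
Sep 12 17:41:00.226: RADIUS: packet dump: 03A5001400D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: expected digest: BFAB772B5BA4B134F46E13A21F722317
Sep 12 17:41:00.226: RADIUS: response authen: 00D5B60BC9498381871723822B6ACBC7
Sep 12 17:41:00.226: RADIUS: request  authen: 41EAE3A7DAEE6332CE646436F949C5A1
"""

FIELD_RE = re.compile(
    r"RADIUS: (packet dump|expected digest|response authen|request\s+authen): "
    r"([0-9A-Fa-f]+)"
)
REQUIRED = {"packet dump", "expected digest", "response authen", "request authen"}


def parse_ios_debug(text):
    """Extract the four hex fields IOS prints when the authenticator check fails."""
    fields = {}
    for name, hexval in FIELD_RE.findall(text):
        key = " ".join(name.split())  # collapse the double space in "request  authen"
        fields[key] = bytes.fromhex(hexval)
    missing = REQUIRED - fields.keys()
    if missing:
        raise ValueError(f"missing debug fields: {sorted(missing)}")
    return fields


def response_authenticator(packet, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20 or len(request_auth) != 16:
        raise ValueError("short packet or bad request authenticator")
    length = int.from_bytes(packet[2:4], "big")
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    data = packet[:4] + request_auth + packet[20:length] + secret
    return hashlib.md5(data).digest()


def describe(fields):
    """Decode the reply header and report whether the two digests agree."""
    pkt = fields["packet dump"]
    return {
        "code": pkt[0],                       # 3 = Access-Reject
        "identifier": pkt[1],
        "length": int.from_bytes(pkt[2:4], "big"),
        "authenticator_in_packet": pkt[4:20],
        "digests_match": hmac.compare_digest(
            fields["expected digest"], fields["response authen"]),
    }


def which_side_holds(fields, secret):
    """Say which device's digest the key you believe is configured reproduces.

    Assumption: 'expected digest' was computed by the switch (NAD) with its own
    key, and 'response authen' by the RADIUS server with the server's key.
    """
    digest = response_authenticator(
        fields["packet dump"], fields["request authen"], secret)
    if hmac.compare_digest(digest, fields["expected digest"]):
        return "nad"
    if hmac.compare_digest(digest, fields["response authen"]):
        return "server"
    return "neither"


def build_reject(identifier, request_auth, secret):
    """Constructed 20-byte Access-Reject with no attributes, for the demo below."""
    header = bytes([3, identifier]) + (20).to_bytes(2, "big")
    return header + hashlib.md5(header + request_auth + secret).digest()


if __name__ == "__main__":
    fields = parse_ios_debug(IOS_DEBUG)
    print(describe(fields))

    # Constructed values: the same key with and without a trailing space.
    req = bytes(range(16))
    reply = build_reject(7, req, b"constructed-key")
    for candidate in (b"constructed-key", b"constructed-key "):
        ok = hmac.compare_digest(
            response_authenticator(reply, req, candidate), reply[4:20])
        print(repr(candidate), "verifies" if ok else "fails")

    # Constructed key checked against the page's capture.
    print(which_side_holds(fields, b"constructed-key"))
```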

Similar Messages

  • ISE Alarm (WARNING): Dynamic Authorization Failed for Device

    Hi all,
    I am posting this discussion as previous posts that I have found in this forum have never been resolved or the resolution is not applicable to me.
    I am using ISE 1.1.1.268 and WLC 7.2.111.3 and NAC agent version 4.9.1.6 on Windows 7 Client machines.
    About once a day I get the error "ISE Alarm (WARNING): Dynamic Authorization Failed for Device".
    The device it is referring to is my NAD, a WLC 5508 running 7.2.111.3
    I have looked at the logs and I cannot see anything in the logs which corresponds to this message so that I can troubleshoot further. Maybe I can if I enable the correct logging level on the correct ISE component.
    Can someone suggest the components and the logging level that I should set to get some more detail about this error?
    At the moment, I have only set debug logging on Active Directory. I have TRACE logging set on Posture, Runtime AAA & prrt-JNI.
    I do not want to enable too much debug logs, so I was wondering whether anyone can help with a specific element that I should be debugging.
    I thought debugging the posture element would be enough but when I look at the logs there is nothing there that relates to this message.
    Can anyone help?
    thanks
    Mario

    Firstly, I wouldn't run a production deployment of ISE on 1.1.1.... 1.1.3 Patch 1 or 1.1.4 is the way to go.
    Secondly, this error happens a lot, especially with Wireless, and it's not worth worrying about.  I've had a couple of TAC cases opened for this and some similar errors; generally they're caused by a Client going to sleep, leaving the coverage area or otherwise leaving the WLC while ISE is trying to do something with it.
    Only worry if you actually have a Client-impacting problem, which by the sounds of it, you don't.

  • SQL Server Agent Failed to decrypt protected XML node

    I'm getting the below error when trying to use SQL Server Agent to run an SSIS package. I've updated folder security to allow SQL Server Agent access, but cannot get the package to execute within SQL Management Studio. The package runs fine in SSIS.
    11.0.2100.60 for 64-bit  Copyright (C) Microsoft Corporation. All rights reserved.    Started:  12:12:00 PM  Error: 2014-11-30 12:12:02.65     Code: 0xC0016016     Source: LoadStgProspects      Description:
    Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that
    the correct key is available.  End Error  Error: 2014-11-30 12:12:03.88     Code: 0xC0016016     Source: LoadStgProspects      Description: Failed to decrypt protected XML node "DTS:Password" with error
    0x8009000B "Key not valid for use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.  End Error  Error: 2014-11-30
    12:12:04.74     Code: 0xC0209303     Source: LoadStgProspects Connection manager "Excel Connection Manager"     Description: The requested OLE DB provider Microsoft.Jet.OLEDB.4.0 is not registered. If the 64-bit driver
    is not installed<c/> run the package in 32-bit mode. Error code: 0x00000000.  An OLE DB record is available.  Source: "Microsoft OLE DB Service Components"  Hresult: 0x80040154  Description: "Class not registered".
     End Error  Error: 2014-11-30 12:12:04.74     Code: 0xC020801C     Source: Load prospect files Prospect xls [231]     Description: SSIS Error Code DTS_E_CANNOTACQUIRECONNECTIONFROMCONNECTIONMANAGER.  The AcquireConnection
    method call to the connection manager "Excel Connection Manager" failed with error code 0xC0209303.  There may be error messages posted before this with more information on why the AcquireConnection method call failed.  End Error  Error:
    2014-11-30 12:12:04.74     Code: 0xC0047017     Source: Load prospect files SSIS.Pipeline     Description: Prospect xls failed validation and returned error code 0xC020801C.  End Error  Error: 2014-11-30 12:12:04.74
        Code: 0xC004700C     Source: Load prospect files SSIS.Pipeline     Description: One or more component failed validation.  End Error  Error: 2014-11-30 12:12:04.74     Code: 0xC0024107     Source:
    Load prospect files      Description: There were errors during task validation.  End Error  Error: 2014-11-30 12:12:04.74     Code: 0xC00220DE     Source: LoadStgProspects      Description: Error
    0xC0012050 while loading package file "C:\Users\Jim\Documents\Visual Studio 2010\Projects\SSISTraining\SSISTraining\LoadStgProspects.dtsx". Package failed validation from the ExecutePackage task. The package cannot run.  .  End Error  DTExec:
    The package execution returned DTSER_FAILURE (1).  Started:  12:12:00 PM  Finished: 12:12:04 PM  Elapsed:  4.337 seconds.  The package execution failed.  The step failed.,00:00:04,0,0,,,,0

    Hi selfdestruct80,
    According to your description, you created SSIS package and it works fine. But you got the error message when the SSIS package was called from a SQL Server Agent job.
    According to my knowledge, the package may not run in the following scenarios:
    The current user cannot decrypt secrets from the package.
    A SQL Server connection that uses integrated security fails because the current user does not have the required permissions.
    File access fails because the current user does not have the required permissions to write to the file share that the connection manager accesses.
    A registry-based SSIS package configuration uses the HKEY_CURRENT_USER registry keys. The HKEY_CURRENT_USER registry keys are user-specific.
    A task or a connection manager requires that the current user account has correct permissions.
    According to the error message, the SSIS Package ProtectionLevel property is set to EncryptSensitiveWithPassword, as ArthurZ mentioned. To solve the problem, you need to go to the Command Line tab and manually specify the password in the SQL Agent Job with a command like the one below:
    /FILE "\"C:\Users\xxxx\Documents\SQL Server Management Studio\SSIS\Package.dtsx\"" /DECRYPT somepassword /CHECKPOINTING OFF /REPORTING E
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu
    TechNet Community Support

  • Error occured while reading identity data: failed to decrypt safe contents

    Hello,
    We are trying to access Tibco JMS server through SSL using JNDI lookup. Getting the following error, while executing a sample java file.
    Java Version -
    java version "1.4.2_05"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-b04)
    Java HotSpot(TM) Client VM (build 1.4.2_05-b04, mixed mode)
    Please let me know if any of you faced similar issues.
    Thanks in advance.
    Following are the error messages.
    javax.jms.JMSSecurityException: Error occured while reading identity data: failed to de
    crypt safe contents entryCOM.rsa.jsafe.SunJSSE_cs: Could not perform unpadding: invalid
    pad byte. at com.tibco.tibjms.TibjmsSSL._identityFromStore(TibjmsSSL.java:2699)
    at com.tibco.tibjms.TibjmsSSL.createIdentity(TibjmsSSL.java:2604)
    at com.tibco.tibjms.TibjmsxLinkSSL._initSSL(TibjmsxLinkSSL.java:291)
    at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:338)
    at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:611)
    at com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:1772)
    at com.tibco.tibjms.TibjmsTopicConnection.<init>(TibjmsTopicConnection.java:37)
    at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:139)
    at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:201)
    at com.tibco.tibjms.TibjmsTopicConnectionFactory.createTopicConnection(TibjmsTo
    picConnectionFactory.java:84)
    at tibjmsSSLJNDI.<init>(tibjmsSSLJNDI.java:202)
    at tibjmsSSLJNDI.main(tibjmsSSLJNDI.java:252)
    ##### Linked Exception:
    com.tibco.security.AXSecurityException: failed to decrypt safe contents entryCOM.rsa.js
    afe.SunJSSE_cs: Could not perform unpadding: invalid pad byte.
    at com.tibco.security.impl.j2se.IdentityImpl.init(IdentityImpl.java:70)
    at com.tibco.security.IdentityFactory.createIdentity(IdentityFactory.java:61)
    at com.tibco.tibjms.TibjmsSSL._identityFromStore(TibjmsSSL.java:2680)
    at com.tibco.tibjms.TibjmsSSL.createIdentity(TibjmsSSL.java:2604)
    at com.tibco.tibjms.TibjmsxLinkSSL._initSSL(TibjmsxLinkSSL.java:291)
    at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:338)
    at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:611)
    at com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:1772)
    at com.tibco.tibjms.TibjmsTopicConnection.<init>(TibjmsTopicConnection.java:37)
    at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:139)
    at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:201)
    at com.tibco.tibjms.TibjmsTopicConnectionFactory.createTopicConnection(TibjmsTo
    picConnectionFactory.java:84)
    at tibjmsSSLJNDI.<init>(tibjmsSSLJNDI.java:202)
    at tibjmsSSLJNDI.main(tibjmsSSLJNDI.java:252)
    Subexception stack trace follows:
    java.io.IOException: failed to decrypt safe contents entryCOM.rsa.jsafe.SunJSSE_cs: Cou
    ld not perform unpadding: invalid pad byte.
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source) at com.tibco.security.impl.j2se.IdentityImpl.init(IdentityImpl.java:66)
    at com.tibco.security.IdentityFactory.createIdentity(IdentityFactory.java:61)
    at com.tibco.tibjms.TibjmsSSL._identityFromStore(TibjmsSSL.java:2680)
    at com.tibco.tibjms.TibjmsSSL.createIdentity(TibjmsSSL.java:2604)
    at com.tibco.tibjms.TibjmsxLinkSSL._initSSL(TibjmsxLinkSSL.java:291)
    at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:338)
    at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:611)
    at com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:1772)
    at com.tibco.tibjms.TibjmsTopicConnection.<init>(TibjmsTopicConnection.java:37)
    at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:139)
    at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:201)
    at com.tibco.tibjms.TibjmsTopicConnectionFactory.createTopicConnection(TibjmsTo
    picConnectionFactory.java:84)
    at tibjmsSSLJNDI.<init>(tibjmsSSLJNDI.java:202)
    at tibjmsSSLJNDI.main(tibjmsSSLJNDI.java:252)
    Caused by: COM.rsa.jsafe.SunJSSE_cs: Could not perform unpadding: invalid pad byte.
    at COM.rsa.jsafe.SunJSSE_al.a(Unknown Source)
    at COM.rsa.jsafe.SunJSSE_ag.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(Unknown Source)
    ... 16 more
    Subexception stack trace follows:
    java.io.IOException: failed to decrypt safe contents entryCOM.rsa.jsafe.SunJSSE_cs: Cou
    ld not perform unpadding: invalid pad byte.
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at com.tibco.security.impl.j2se.IdentityImpl.init(IdentityImpl.java:66)
    at com.tibco.security.IdentityFactory.createIdentity(IdentityFactory.java:61)
    at com.tibco.tibjms.TibjmsSSL._identityFromStore(TibjmsSSL.java:2680)
    at com.tibco.tibjms.TibjmsSSL.createIdentity(TibjmsSSL.java:2604)
    at com.tibco.tibjms.TibjmsxLinkSSL._initSSL(TibjmsxLinkSSL.java:291)
    at com.tibco.tibjms.TibjmsxLinkSSL.connect(TibjmsxLinkSSL.java:338)
    at com.tibco.tibjms.TibjmsConnection._create(TibjmsConnection.java:611)
    at com.tibco.tibjms.TibjmsConnection.<init>(TibjmsConnection.java:1772)
    at com.tibco.tibjms.TibjmsTopicConnection.<init>(TibjmsTopicConnection.java:37)
    at com.tibco.tibjms.TibjmsxCFImpl._createImpl(TibjmsxCFImpl.java:139)
    at com.tibco.tibjms.TibjmsxCFImpl._createConnection(TibjmsxCFImpl.java:201)
    at com.tibco.tibjms.TibjmsTopicConnectionFactory.createTopicConnection(TibjmsTo
    picConnectionFactory.java:84)
    at tibjmsSSLJNDI.<init>(tibjmsSSLJNDI.java:202)
    at tibjmsSSLJNDI.main(tibjmsSSLJNDI.java:252)
    Caused by: COM.rsa.jsafe.SunJSSE_cs: Could not perform unpadding: invalid pad byte.
    at COM.rsa.jsafe.SunJSSE_al.a(Unknown Source)
    at COM.rsa.jsafe.SunJSSE_ag.a(Unknown Source)
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.a(Unknown Source)
    ... 16 more

    For the benefit of others.
    The issue is resolved.
    When we set the certificate password inside our application we were encrypting it inside our system.
    When we sent it to Tibco we did not decrypt it.
    So the encrypted password was sent as it is; that was the issue :(
    Thanks,
    Reflex.

  • Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for use in specified state

    we have developed packages to do the followings
    Extract data from DB2 Source and put it in MS Sql Server 2008 database (Lets Say DatabaseA).From MS Sql Server 2008 (DatabaseA)
    we will process the data and place it in another database MS Sql Server 2008 (DatabaseB)
    We have created packages in BIDS..We created datasource connection in Datasource folder in BIDS..Which has DB2 Connection and both Ms Sql Server connection (Windows authentication-Let
    say its pointing to the server -ServerA which has DatabaseA and DatabaseB).The datasource connections will be used in packages during development.
    For deployment we have created Package Configuration which will have both DB2 Connection and MS SqlServer connection in the config
    We deployed the packages in different MS SqlServer by changing the connectionstring in the config for DB2 and MS SqlServer...
    While runing the package we are getting the following error message
    Code: 0xC0016016     Source:       Description: Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Key not valid for
    use in specified state.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.
    ilikemicrosoft

    Hi Surendiran,
    This is because the package has been created by somebody else and the package is being deployed under somebody else's account. E.g. if you are the creator, then the package encryption is set according to your account and the package setup in SQL Server is
    under a different user account.
    This happens because the package protection level is set to EncryptSensitiveWithUserKey, which encrypts
    sensitive information using the creator's account name.
    As a solution:
    Either you have to set up the package in SQL server under your account (which some infrastructures do not allow).
    OR
    Set the package property Protection Level to "DontSaveSensitive" and add a configuration file
    to the package and set the initial values for all the variables and all the connection manager in that configuration file (which might be tedious of-course).
    OR
    The third option (which I like to do) is to open the package file and delete the password encryption entries from the package. Do note that this is not supported by the designer, and every time you make changes to the connection managers these encryption entries come
    back.
    Hope this helps. 
    Please mark the post as answered if it answers your question

  • Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B

    Hi,
    I have developed several SSIS packages with the last Beta of VS2005 / SQL Server CTP. After the public release I tried to uninstall the CTP-Versions to install the msdn finals but this time I got lost and was not able to satisfy the requirements of the final setup of VS2005. So I decided to install the whole pc again and after some hours I had a clean machine (XP with latest SQL Server 2005 Standard and VS2005 Professional).   Now I have tried to open my SSIS-Project but getting the following error:   Error loading ImpNetqNewsRss.dtsx: Failed to decrypt protected XML node "DTS:Password" with error 0x8009000B "Schlüssel ist im angegebenen Status nicht gültig.". You may not be authorized to access this information. This error occurs when there is a cryptographic error. Verify that the correct key is available.
    After some "googling" I found this thread: http://forums.microsoft.com/msdn/showpost.aspx?postid=22739&siteid=1   If I'm right the solution should be to use a Package Password, but I can't figure out where I have to go to enter/change a password. I can't even remember that I ever used a password on my old installation for a dtsx-package??   Any help is welcome…   Regards, Dirk

      Let's Say your package name is MyPackage
      In Visual Studio  Go to Control Flow Tab.
      Right-click on an empty area inside the window, not clicking "Data Flow Component". In the pop-up menu, click Properties to get to the properties window of the MyPackage package.
    Under the Security Area -> You will see 
            ProtectionLevel              -- Change that to EncryptSensitiveWithPassword
            PackagePassword          -- enter password->  temp
    This should do the trick however to be sure:
    Below you will see the connection managers:
    Database Connections (if more than one, perform on all)
      Double Click your connection to get the property pages. Click "ALL" under the Connection Link on Left Side. Scroll Down to Security Area.
      Provide the followings:
       Password  (for the sql userid being used)
       Persist Security Info  = True
    Save the Package and connect to SQL Integration Srvices in SQL Manager  (To Server e.g; DBServer (Integration Services) 
      Stored Packages -> MSDB -->  Right Click --> choose Import Package
      in the property dialog box 
                  Package Location :   File System 
                  Package Path  -- Choose the location of your dtsx file.  (MyPackage.dtsx)
      Leave everything default.
      Click OK.
      Dialog box will appear asking for the Package Password 
      Provide the password-> temp
      You have successfully imported the package called MyPackage.
      In order to create a job.   
      In the job Step->
           Type:  SQL Server Integration Services Package
           In the General Tab:
                     Package Source :  SSIS Package Store
                     Server : DBServer  (Where we stored our package above)
        Click the button for the package:  Choose your package  (MyPackage)
       Click OK :
        It will ask the package password again :  temp
                    Package has successfully been loaded to Job Step.  Now you can schedule and do a test run on the job.
      Thanks for the patience of reading for those who are expert.
      - Azhar

  • Failed to decrypt OHS_ID cookie value. Bailing

    Hi
    I'm getting a couple of HTTP 500 errors with the following line in the error_log
    Failed to decrypt OHS_ID cookie value. Bailing
    with Internet Explorer with 9iAS 9.0.2. I've installed the latest patches (9iAS 9.0.2.2 Core) and it doesn't resolve the problem. Is there another patch that can fix this problem

    Hi
    Try this: delete all temporary internet files from your browser, and also delete all the cookies.
    To check whether SSO is adding the cookie or not, enable your browser to prompt you when it tries to add a cookie.
    Close all the browser windows
    and retry.
    Anyway, this is not a perfect way to solve the problem, but in my case I have solved it a few times like this.

  • Error: Failed to decrypt cert PFX data - distmgr.log

    Hello, 
    When I distribute content to a DP, I get this error repeatedly in my distmgr.log: 
    SetObjectSecurity failed; 0x80070002
    then a ton of these after:
    Failed to decrypt cert PFX data
    I'm running with HTTPS, and the packages always seem to copy ok, anyone know what this error indicates?
    Terry

    I've been able to figure where this error comes from.
    I had 51 errors in my distmgr.log. I reassigned a DP to do a test, and after the reassign I had 50 errors (-1).
    This makes sense because the 2007 DP certificate is not known to SCCM before the reassign. Once reassigned, the DP creates its own cert in 2012, so the error goes away.
    This error can be ignored, as it will be removed after you reassign all your shared DPs.
    Benoit Lecours | Blog: System Center Dudes

  • Failed to decrypt UME session security password from secure storage

    Hi,
    I log on to B2B appication. I go to catalog. I can not see any price in the product list.
    Logs and Traces show these errors:
    1. Failed to decrypt UME session security password from secure storage.
    2. Something went wrong determining values from application configuration. Check the log file entries obove. The session authentication will be skipped.
    How can I solve these issues?
    Denis.

    Please see note 1492234 (http://service.sap.com/sap/support/notes/1492234).
    Also note that if you do import an XCM scenario from another engine, this will need to be re-entered, as the passwords would not be copied.
    Mark

  • PKCS12KeyStore - failed to decrypt safe contents entry

    I am trying to figure out how to fix this error. I can find no documentation on it.
    java.io.IOException: failed to decrypt safe contents entry
    at com.sun.net.ssl.internal.ssl.PKCS12KeyStore.engineLoad(DashoA6275)
    at java.security.KeyStore.load(KeyStore.java:652) ...
    Windows 2K
    JDK 1.4.0_01
    A cert from www.FreeSSL.com
    I did take my cert and convert it to the pk12 format already.
    Thank You,
    Mica Cooper

    Ok,
    Found the answer... I was using the wrong .PEM file and password. So if you get this error, you might try checking that 1, your password is correct, and 2, you have the correct PEM.
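
An added example (not code from the thread): a small Java check that separates the two password failures behind errors like the one above, a wrong keystore password at load time versus a wrong per-key password at `getKey` time. The class name, alias and passwords are assumptions, and the sample store is constructed in memory with an AES secret key so the block runs without a certificate file.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;

public class Pkcs12PasswordCheck {
    /** Reports which step fails when opening a PKCS#12 store and recovering one key. */
    static String diagnose(byte[] p12, char[] storePass, String alias, char[] keyPass) {
        KeyStore ks;
        try {
            ks = KeyStore.getInstance("PKCS12");
            ks.load(new ByteArrayInputStream(p12), storePass);
        } catch (IOException e) {
            // KeyStore.load documents that a wrong password surfaces as an
            // IOException whose cause is an UnrecoverableKeyException.
            return (e.getCause() instanceof UnrecoverableKeyException)
                    ? "WRONG_STORE_PASSWORD" : "CORRUPT_OR_NOT_PKCS12";
        } catch (GeneralSecurityException e) {
            return "UNSUPPORTED_ALGORITHM_OR_BAD_CERT";
        }
        try {
            if (!ks.containsAlias(alias)) return "ALIAS_NOT_FOUND";
            return ks.getKey(alias, keyPass) != null ? "OK" : "ALIAS_HAS_NO_KEY";
        } catch (UnrecoverableKeyException e) {
            return "WRONG_KEY_PASSWORD";
        } catch (GeneralSecurityException e) {
            return "KEY_ALGORITHM_UNAVAILABLE";
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an in-memory PKCS#12 store holding one AES key.
        char[] storePass = "store-pass".toCharArray();   // hypothetical passwords
        char[] keyPass = "key-pass".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setEntry("demo",
                new KeyStore.SecretKeyEntry(KeyGenerator.getInstance("AES").generateKey()),
                new KeyStore.PasswordProtection(keyPass));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        byte[] p12 = out.toByteArray();

        // Correct passwords, a wrong store password, then the store password reused for the key.
        System.out.println(diagnose(p12, storePass, "demo", keyPass));
        System.out.println(diagnose(p12, "guess".toCharArray(), "demo", keyPass));
        System.out.println(diagnose(p12, storePass, "demo", storePass));
    }
}
```

When a keystore is configured through the JSSE system properties, `javax.net.ssl.keyStorePassword` is used both to open the store and to recover the key, so a key protected with a different password fails in the same way as the third call.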

  • SOS: javax.ejb.CreateException: Create failed because primary key is null

    Hello,
    I am desperately trying to get my application server to create a record through CMP 2. My app server is JRun 4.
    Here is the client:
    package com.parispano.tests;
    import java.util.Date;
    import java.util.Properties;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import com.parispano.account.entity.Account;
    import com.parispano.account.entity.AccountHome;
    public class ClientEJBDeuxTemp {
      public static void main(String[] args) {
        System.out.println("\nBegin account DemoClient...\n");
        try {
          // Create A Demo object, in the server
          // Note: the name of the class corresponds to the JNDI
          // property declared in the DeploymentDescriptor
          // From DeploymentDescriptor ...
          // beanHomeName demo.DemoHome
          Context ctx = getInitialContext();
          AccountHome ahome = (AccountHome) ctx.lookup("AccountEJBHome");
          //System.out.println("Creating Demo\n");
          Account account = ahome.create("toto","toto", "toto","toto","toto","toto","toto","toto","toto","toto","toto",new Date(),new Date());
        } catch (Exception e) {
          System.out.println(":::::::::::::: Error :::::::::::::::::");
          e.printStackTrace();
        }
        System.out.println("\nEnd DemoClient...\n");
      }
      static String user     = "admin";
      static String password = "admin";
      static String url      = "ordi:2908";
      /**
       * Gets an initial context.
       * @return                  Context
       * @exception               java.lang.Exception if there is
       *                          an error in getting a Context
       */
      static public Context getInitialContext() throws Exception {
        Properties p = new Properties();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "jrun.naming.JRunContextFactory");
        p.put(Context.PROVIDER_URL, url);
        if (user != null) {
          System.out.println ("user: " + user);
          p.put(Context.SECURITY_PRINCIPAL, user);
          if (password == null)
            password = "";
          p.put(Context.SECURITY_CREDENTIALS, password);
        }
        return new InitialContext(p);
      }
    }
    And here is the exception I get:
    javax.ejb.CreateException: Create failed because primary key is null
    I don't understand why I get this as the primary key is "toto" and therefore is not null.
    Here is the DD:
    <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
      <ejb-jar>
        <display-name>Account EJB</display-name>
        <enterprise-beans>
          <entity>
            <display-name>Account EJB</display-name>
            <ejb-name>AccountEJB</ejb-name>
            <home>com.parispano.account.entity.AccountHome</home>
              <remote>com.parispano.account.entity.Account</remote>
            <local-home>com.parispano.account.entity.AccountLocalHome</local-home>
            <local>com.parispano.account.entity.AccountLocal</local>
            <ejb-class>com.parispano.account.entity.AccountEJB</ejb-class>
            <persistence-type>Container</persistence-type>
            <prim-key-class>java.lang.String</prim-key-class>
            <reentrant>False</reentrant>
            <cmp-version>2.x</cmp-version>
            <abstract-schema-name>account</abstract-schema-name>
            <cmp-field>
            <description>Login</description>
            <field-name>login</field-name>
            </cmp-field>
            <!-- -->
            <cmp-field>
              <description>Password</description>
              <field-name>password</field-name>
            </cmp-field>
            <cmp-field>
              <description>Surname</description>
              <field-name>surname</field-name>
            </cmp-field>
            <cmp-field>
              <description>First Name</description>
              <field-name>firstName</field-name>
            </cmp-field>
            <cmp-field>
              <description>Address One</description>
              <field-name>addressOne</field-name>
            </cmp-field>
            <cmp-field>
              <description>Address Two</description>
              <field-name>addressTwo</field-name>
            </cmp-field>
            <cmp-field>
              <description>Postcode</description>
              <field-name>postcode</field-name>
            </cmp-field>
            <cmp-field>
              <description>City</description>
              <field-name>city</field-name>
            </cmp-field>
            <cmp-field>
              <description>Country</description>
              <field-name>country</field-name>
            </cmp-field>
            <cmp-field>
              <description>Telephone</description>
              <field-name>telephone</field-name>
            </cmp-field>
            <cmp-field>
              <description>Email</description>
              <field-name>email</field-name>
            </cmp-field>
            <cmp-field>
              <description>Inscription Date</description>
              <field-name>inscriptionDate</field-name>
            </cmp-field>
            <cmp-field>
              <description>Last Visit Date</description>
              <field-name>lastVisitDate</field-name>
            </cmp-field>
              <primkey-field>login</primkey-field>
          </entity>
        </enterprise-beans>
      </ejb-jar>
    Can anyone tell me why I am getting this exception please?
    Thanks in advance,
    Julien Martin.

    Yes, I have set the PK. Actually this is happening when the number of columns are more than 63 columns. After I reduce the number of column, it is working fine.
    Is it the actual problem???
    fyi, I'm using jboss as the Application Server...

  • Security setup operations failed: creating system keys

    I have just downgraded my T60 laptop from Vista to windows xp using the lenovo CD's.
    Everything seems to be working well, except that each time I boot up the computer, the lenovo security setup software runs.  If I follow the menus all the way through, I get to the following error on the last screen:
    "your security settings have been configured however, one or more setup operations failed: creating system keys"
    There was also a message that previously briefly flashed during the bootup (on the "bios" screen?) which stated that the system was designed to use fingerprints to protect something or other, but this was not enabled.  However:  I then ran all updates for windows xp and for lenovo drivers etc.  This message has now gone away (and unfortunately I didn't write it down).
    I'm guessing the failure to "create system keys" results in the software running each time I boot up.
    Another possibility:  I have not yet enabled the symantec security, as I intend to uninstall it and use other virus protection software.  Could this be causing the "failure to create system keys"?
    (The fingerprint reader works fine, and reads my fingerprint at the windows logon screen.)
    **UPDATE**:  uninstalled symantec security software, and this had no effect.
    Message Edited by orson_m on 12-29-2008 02:47 PM

  • Failed to create key MRU

    I am using the application Visual CertExam Designer. When I am closing the application an error occurs. It says: Failed to create key MRU. What is the problem? How can I solve it?

    Hi,
    Since this is a third-party application which is not hosted by Microsoft, in order to get better solution, I recommend you contact the owner’s support for help.
    http://www.avanset.com/support.html
    Please note: Since the website is not hosted by Microsoft, it may be changed without notice, Microsoft does not guarantee the accuracy of the information.
    Thanks for your understanding!
    Regards,
    Ada Liu
    TechNet Community Support

  • Error- isDefault SSL context init failed : Cannot recover key

    Hi,
    We are trying to run a sample HTTPS request from client to Server using SSL.
    Below is the code we used to run the client program, which will communicate with the HTTPS server (a server socket which will accept connections).
    Basically we created a server certificate inside the HTTPS server program, and that will be exported and imported into the client directory.
    Finally, when we run the client program below, it gives the following error:
    Error- isDefault SSL context init failed : Cannot recover key
    Can anybody please help me run this program successfully? Could you give some basic steps to check the settings that need to be set before running this program?
    Client Program
    Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider() );
    System.setProperty("javax.net.ssl.keyStore", "D:\\JavaR&D\\Rajiv\\server\\serverkeys");
    System.setProperty("javax.net.ssl.keyStoreType" ,"JKS"); /* ,"pkcs12" */
    System.setProperty("javax.net.ssl.keyStorePassword","welcome");
    System.setProperty("javax.net.ssl.trustStore" , "C:\\j2sdk1.5.0\\jre\\lib\\security\\cacerts");
    System.setProperty("javax.net.ssl.trustStorePassword" , "clientpass");
    System.setProperty("javax.net.ssl.trustStoreType","JKS"); /* ,"pkcs12" */
    System.setProperty("java.protocol.handler.pkgs" ,"com.sun.net.ssl.internal.www.protocol");
    com.sun.net.ssl.HostnameVerifier hv=new com.sun.net.ssl.HostnameVerifier() {
      public boolean verify(String urlHostname, String certHostname) {
        System.out.println("urlHostname >>" + urlHostname +"<<");
        System.out.println("certHostname >>" + certHostname +"<<");
        System.out.println("WARNING: Hostname is not matched for cert.");
        // Accepts every hostname, so a certificate/hostname mismatch is only logged
        return true;
      }
    };
    com.sun.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(hv);
    SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
    // server = (SSLServerSocket) factory.createServerSocket(portNumber);
    System.out.println("above socketcreation");
    SSLSocket socket = (SSLSocket)factory.createSocket("172.16.56.227",8443);
    Server Program

    Is there some kind of timeline that I can expect 8.1 to ship in?
    I appreciate being informed that this is a known issue and all, but without giving me a timeframe to expect a fix in, how can you possibly expect me to continue to pursue your products as viable options?
    To tell me to wait for 8.1, without giving me a timeframe or any further details is simply put in one word. Amateur.
    What kind of response is this? What am I supposed to tell my supervisor? How am I supposed to explain to upper management that the application server they're telling us to use is incapable of handling the use cases our business functions require? What do you want me to do, tell them to wait for the next release without being able to give them a ballpark figure? We're a small team, us Java guys. We've already invested months in moving to a new platform. Now that platform is failing us, and the vendor hasn't got any better response than, "Oh yeah, our bad. We'll fix it next time... whenever that is..."
    If 8.1 is as half-baked as 8.0 is (BTW your deploytool is a broken piece of junk. I can reliably crash the thing in under 10 seconds) then I don't have a lot of hope for 8.1. You can bet I sure as heck won't be holding my breath for it.
    Looks like it's time to investigate the other vendors that support J2EE 1.4. Something tells me I'll have better luck with WebSphere. The hard part there will be selling management on the idea. At least IBM is notoriously forward with their clients, even if they are expensive.
    All I'm asking for now is a timeframe for 8.1. When can we expect it? If it's before I expect to -have- to have this stuff in production I may be able to wait... but at this point, I'm disgruntled enough to not bother.
    Maybe we should investigate moving to .net. At least then when the vendor screws me I'll be expecting it.

  • Default ssl context init failed: Cannot resolve key

    Hi, I get this SSL Exception when I try to run my server using
    ssl socket:
    "default ssl context init failed: Cannot resolve key"
    it is thrown at this line: "sslServerFactory.createServerSocket(port)"
    I created keystore and truststore files using 'keytool' and the step-by-step instructions from the JSSE reference guide:
    http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html#CreateKeystore
    why do I get this exception and how to solve it, thank you.
    Yves

    SSL error messages are sometimes cryptic.
    Set:
    System.getProperties().put("javax.net.debug","all");
    to really see what is happening.
    Cheers,
    Kullervo
