Managing Server Encryption Keys in IDM 8.1

I am trying to import the server encryption key from my local machine to the development environment. However, I get the error "java.lang.IllegalStateException: Error attempting to decrypt: Given final block not properly padded".
I am attempting to import the keys with the lh import command like I would with the other custom configuration objects. I have checked the JDK on my machine vs the development machine and they are both running JDK's from Sun.
Any ideas?

Hi,
Some more information would be helpful. What versions of IDM, what vendor and version of JDK, what server encryption type is configured for each IDM server, how was the key exported, have you tried importing a key from any other IDM instance, etc. The more info, the better.
Thanks,
Mike

Similar Messages

Resetting the encryption keys to default in Waveset

Hi All,
Is there a way to reset the default encryption keys on IDM?
I was trying something and generated a new server encryption key and now I can't get my AD resource adapter to talk to the gateway.
Any help would be highly appreciated.
Thank You
Vamsi

Try finding the solution on http://www.encryptionkey.info/

How to manage encryption keys on Linux

Using SSH encryption keys provides better security and (when done well) increased convenience over using passwords, but for each computer you want secure access to, you need a key file. Pretty soon you may find yourself juggling more files than you can easily handle. What to do?Jeff Cogswell on Linux.com has someadvice, and it doesn't involve using any special software to manage private keys. Some tips are practical, such as the suggestion to use a passphrase with private keys, and the requirement for a quick way to revoke public keys from a server in the event of a security breach. However, the best approach depends on an organization's specific needs; Cogswell links to a couple of descriptions of detailed techniques.
This topic first appeared in the Spiceworks Community

Hi,
I want steps to install oracle 9i on linux version 4
Kindly give steps.Ok, I'll try...
Step 1) Leave this forum as it has nothing to do with your problem.
Step 2) Enter the Installation forum.
Step 3) Search / read there.
Step 4) Read the installation guide.
Step 5) Do what you have learned during the previous steps.
One question remains: why does it have to be 9i? But that is also of interest only in the appropriate forum, so please, don't answer. :)

Airport Extreme Encryption Key for TV on OS X Server configuration

I have a Airport Extreme last model 5th generation, which is controlled by the OS X Server 2.2.1 on Mountain Lion 10.8.2. I´m running in a small structured Home Network. To go in i have always to input a User Name and Password, that works perfectly with OS X or Windows computers, as well as iPhone, iPad, and also my NAS system.
The problem is with my TV-set, it is a Panasonic and should connect via Wi-Fi, but it ask for the Network Encryption Key ! i tried to enter the Airport Password, but no success . also i tried look around google and the solutions were around the Airport Utility App, which was last year re-vamped and those solutions can not be used
any suggestion, where can i find my Network Encryption Key is welcome
thanks

yes, it is the right way
i start the Guest Wi-Fi Network with WPA2 Personal and it rocks
the problem, or not, i build a secure Network at home manage by the Server and not i open a Guest Hole dont know what are the risks in this Guest connection.
thanks anyway, your sugestion works

While Creating the encryption and restoring the encryption key in the confiiguration manager it will thrown this error?

While Creating the backup encryption key in the Configuration server setting it will show you the below error
so can U resolve this issue
Microsoft.ReportingServices.WmiProvider.WMIProviderException: The profile for the user is a temporary profile. (Exception from HRESULT: 0x80090024)
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.ThrowOnError(ManagementBaseObject mo)
at Microsoft.ReportingServices.WmiProvider.RSWmiAdmin.BackupEncryptionKey(Byte[]& encryptedBytes, String password)
at ReportServicesConfigUI.WMIProvider.RSReportServerAdmin.BackupEncryptionKey(Byte[]& encryptedBytes, String password)
above is the error msg thrown in the console.

It sounds like when you logged into the server or computer, something happened where your profile wasn't used or created, and thus a temporary profile was used. To resolve this you can try logging out and logging back in again, logging in with a
different user and hoping it doesn't happen to them, or restarting the computer. You probably got a warning when you logged into the computer about it using a temporary profile. To me, it look like and operating system problem resulting in an application
problem.

Office Professional Plus 2010 - Fails to Install - Error 25004 - "System error: -1073418209" - Microsoft Key Management Server

I am receiving an error when attempting to install a site license copy of Microsoft Office Professional Plus 2010. The enterprise environment that I am in is using a Microsoft Key Management Server for the authentication of all Office 2010 and Windows 7
installations. The error that I receive at the end of the installation is: "Error 25004. The product key you entered cannot be used on this machine. This is most likely due to previous Office 2010 trials being installed. (System error: -1073418209)".
I have never installed a trial of Office 2010, nor did I ever install the beta of Office 2010. I do have a copy of Microsoft Office Projects 2010 installed. Before attempting to install Office 2010, I had Office 2007 installed. I used the Upgrade option
to install 2010, instead of removing 2007 (which apparently I should have done instead) first. I have tried using the Microsoft FixIt tool to remove both Office 2007 AND Office 2010. Neither of those tools has fixed my problem. Office 2010 also does not show
up in my Add/Remove Programs list.
Any ideas on how to fix this? I do not have time to reformat until after the Holiday seasons, and need to have Office working!

Hi,
The full error text is as follows: Error 25004: The product key you entered cannot be used on this machine.
This is most likely due to previous Office 2010 trials being installed. (System error: 1073422308)
The key you are currently trying to install with, is an Office Professional Plus Trial key. A machine will allow one Professional Plus Trial key installed on it ever. Meaning you can
install a trial on a machine, used it for some time, uninstall Office. When you go back to the Microsoft website and get a new key, the second installation will be rejected with the above error message.
If this is not the situation, try to completely uninstall all the versions of the Office programs from control panel, and then use the suggestions in this KB
article to uninstall it:
How do I uninstall Office 2003, Office 2007 or Office 2010 suites if I cannot uninstall it from Control Panel?
http://support.microsoft.com/kb/290301
Then, reinstall the Office 2010 program.
Best Regards,
Sally Tang

Error configuring and starting Managed Server in WebLogic 10.3

Hi,
I am able to configure and start the Managed Server on windows environment. I am trying to configure Managed Server on linux environment. I am configuring the Managed Server with custom keystore. When I configured the Managed Server I specified the keystore/trustsote information in the Keystores tab of the Admin Console for Managed Server settings. Specified Private Key Alias, Password in SSL tab.But when I am starting the Managed Server from command line, I see the process looking for demo trust files and failing.
Here is the command I run to start the Managed Server:
./startManagedWebLogic.sh MyManagedServer1 https://localhost.localdomain:8443
Below is the console output:
<Mar 11, 2015 12:37:44 PM PDT> <Info> <WebLogicServer> <BEA-000377> <Starting WebLogic Server with Java HotSpot(TM) 64-Bit Server VM Version 20.45-b01 from Sun Microsystems Inc.>
<Mar 11, 2015 12:37:45 PM PDT> <Info> <Security> <BEA-090065> <Getting boot identity from user.>
Enter username to boot WebLogic server:beaadmin
Enter password to boot WebLogic server:
<Mar 11, 2015 12:37:53 PM PDT> <Info> <Security> <BEA-090908> <Using default WebLogic SSL Hostname Verifier implementation.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/wlserver_10.3/server/lib/DemoTrust.jks.>
<Mar 11, 2015 12:37:53 PM PDT> <Error> <Security> <BEA-090132> <Could not open the keystore file /opt/wlserver_10.3/server/lib/DemoTrust.jks for read access. Exception: java.io.FileNotFoundException: /opt/wlserver_10.3/server/lib/DemoTrust.jks (No such file or directory)>
<Mar 11, 2015 12:37:53 PM PDT> <Warning> <Security> <BEA-090164> <Failed to load trusted certificates from keystore /opt/wlserver_10.3/server/lib/DemoTrust.jks of type jks>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090169> <Loading trusted certificates from the jks keystore file /opt/jre1.6.0_45/lib/security/cacerts.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=Entrust Root Certification Authority - G2,OU=(c) 2009 Entrust\, Inc. - for authorized use only,OU=See www.entrust.net/legal-terms,O=Entrust\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=thawte Primary Root CA - G3,OU=(c) 2008 thawte\, Inc. - For authorized use only,OU=Certification Services Division,O=thawte\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 3,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=T-TeleSec GlobalRoot Class 2,OU=T-Systems Trust Center,O=T-Systems Enterprise Services GmbH,C=DE". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R3". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "OU=Security Communication RootCA2,O=SECOM Trust Systems CO.\,LTD.,C=JP". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=KEYNECTIS ROOT CA,OU=ROOT,O=KEYNECTIS,C=FR". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=GeoTrust Primary Certification Authority - G3,OU=(c) 2008 GeoTrust Inc. - For authorized use only,O=GeoTrust Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
<Mar 11, 2015 12:37:53 PM PDT> <Info> <Management> <BEA-141107> <Version: WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050 >
<Mar 11, 2015 12:37:54 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:54 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:54 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:54 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:54 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:55 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:55 PM PDT> <Warning> <Security> <BEA-090477> <Certificate chain received from localhost.localdomain - 127.0.0.1 was not trusted causing SSL handshake failure.>
<Mar 11, 2015 12:37:55 PM PDT> <Emergency> <Management> <BEA-141151> <The admin server could not be reached at https://localhost.localdomain:8443.>
<Mar 11, 2015 12:37:55 PM PDT> <Info> <Configuration Management> <BEA-150018> <This server is being started in managed server independence mode in the absence of the admin server.>
<Mar 11, 2015 12:37:55 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to STARTING>
<Mar 11, 2015 12:37:55 PM PDT> <Info> <WorkManager> <BEA-002900> <Initializing self-tuning thread pool>
<Mar 11, 2015 12:37:55 PM PDT> <Notice> <LoggingService> <BEA-320400> <The log file /h/data/local/base_domain/servers/MyManagedServer1/logs/MyManagedServer1.log will be rotated. Reopen the log file if tailing has stopped. This can happen on some platforms like Windows.>
<Mar 11, 2015 12:37:55 PM PDT> <Notice> <LoggingService> <BEA-320401> <The log file has been rotated to /h/data/local/base_domain/servers/MyManagedServer1/logs/MyManagedServer1.log00015. Log messages will continue to be logged in /h/data/local/base_domain/servers/MyManagedServer1/logs/MyManagedServer1.log.>
<Mar 11, 2015 12:37:55 PM PDT> <Notice> <Log Management> <BEA-170019> <The server log file /h/data/local/base_domain/servers/MyManagedServer1/logs/MyManagedServer1.log is opened. All server side log events will be written to this file.>
<Mar 11, 2015 12:37:56 PM PDT> <Error> <Security> <BEA-000000> <[Security:090837]The configured keystore location for the PKI Credential Mapper is either null or empty.>
<Mar 11, 2015 12:37:56 PM PDT> <Error> <Security> <BEA-000000> <[Security:090815]The password provided for the keystore configured for the PKICredential Mapper was null.>
<Mar 11, 2015 12:37:57 PM PDT> <Notice> <Security> <BEA-090082> <Security initializing using security realm myrealm.>
<Mar 11, 2015 12:37:57 PM PDT> <Critical> <Security> <BEA-090403> <Authentication for user beaadmin denied>
<Mar 11, 2015 12:37:57 PM PDT> <Critical> <WebLogicServer> <BEA-000386> <Server subsystem failed. Reason: weblogic.security.SecurityInitializationException: Authentication for user beaadmin denied
weblogic.security.SecurityInitializationException: Authentication for user beaadmin denied
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.doBootAuthorization(CommonSecurityServiceManagerDelegateImpl.java:966)
        at weblogic.security.service.CommonSecurityServiceManagerDelegateImpl.initialize(CommonSecurityServiceManagerDelegateImpl.java:1054)
        at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:873)
        at weblogic.security.SecurityService.start(SecurityService.java:141)
        at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
        Truncated. see log file for complete stacktrace
Caused By: javax.security.auth.login.FailedLoginException: [Security:090303]Authentication Failed: User beaadmin weblogic.security.providers.authentication.LDAPAtnDelegateException: [Security:090295]caught unexpected exception
        at weblogic.security.providers.authentication.LDAPAtnLoginModuleImpl.login(LDAPAtnLoginModuleImpl.java:251)
        at com.bea.common.security.internal.service.LoginModuleWrapper$1.run(LoginModuleWrapper.java:110)
        at java.security.AccessController.doPrivileged(Native Method)
        at com.bea.common.security.internal.service.LoginModuleWrapper.login(LoginModuleWrapper.java:106)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        Truncated. see log file for complete stacktrace
>
<Mar 11, 2015 12:37:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FAILED>
<Mar 11, 2015 12:37:57 PM PDT> <Error> <WebLogicServer> <BEA-000383> <A critical service failed. The server will shut itself down>
<Mar 11, 2015 12:37:57 PM PDT> <Notice> <WebLogicServer> <BEA-000365> <Server state changed to FORCE_SHUTTING_DOWN>
Why is it looking for demotrust.jks file to start the Managed Server. We don't use the demo trust and cannot copy to the location it is referring to. I followed the solution provided at the below link:
http://serverfault.com/questions/106499/custom-trust-and-custom-identity-keystore-in-weblogic-10-3
There are 2 options given in the link. To update the boot.properties of the Admin Server and appending JAVA_OPTIONS to DomainEnv file. Both of these caused the failure of Admin Server. I couldn't bring up the server after these changes.I also came across posts talking about boot.properties for Managed Server. I don't see the security folder that has boot.properties for my Managed Server (verified it on both windows and linux boxes).
Thanks in advance.
-nn.

Hi Faisal,
Here is the config.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<domain xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd"
        xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security"
        xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <name>JCRMDomain</name>
    <domain-version>10.3.4.0</domain-version>
    <security-configuration xmlns:xacml="http://xmlns.oracle.com/weblogic/security/xacml">
        <name>JCRMDomain</name>
        <realm>
            <sec:authentication-provider xsi:type="wls:default-authenticatorType">
                <sec:control-flag>SUFFICIENT</sec:control-flag>
            </sec:authentication-provider>
            <sec:authentication-provider xmlns:ext="http://xmlns.oracle.com/weblogic/security/extension" xsi:type="ext:jcrm-authenticatorType">
                <sec:name>JcrmAuthenticator</sec:name>
                <sec:control-flag>SUFFICIENT</sec:control-flag>
            </sec:authentication-provider>
            <sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
            <sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
            <sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
            <sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
            <sec:credential-mapper xsi:type="wls:pki-credential-mapperType">
                <sec:name>PKICredentialMapper</sec:name>
            </sec:credential-mapper>
            <sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
            <sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
            <sec:user-lockout-manager>
                <sec:lockout-threshold>3</sec:lockout-threshold>
                <sec:lockout-duration>15</sec:lockout-duration>
                <sec:lockout-reset-duration>99999</sec:lockout-reset-duration>
            </sec:user-lockout-manager>
            <sec:deploy-role-ignored>false</sec:deploy-role-ignored>
            <sec:deploy-policy-ignored>false</sec:deploy-policy-ignored>
            <sec:fully-delegate-authorization>true</sec:fully-delegate-authorization>
            <sec:security-dd-model>DDOnly</sec:security-dd-model>
            <sec:combined-role-mapping-enabled>true</sec:combined-role-mapping-enabled>
            <sec:name>myrealm</sec:name>
            <sec:delegate-m-bean-authorization>false</sec:delegate-m-bean-authorization>
            <sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator"
                                    xsi:type="pas:system-password-validatorType">
                <sec:name>JCRMPasswordValidator</sec:name>
                <pas:max-password-length>31</pas:max-password-length>
                <pas:min-password-length>15</pas:min-password-length>
                <pas:min-numeric-characters>2</pas:min-numeric-characters>
                <pas:min-lowercase-characters>2</pas:min-lowercase-characters>
                <pas:min-uppercase-characters>2</pas:min-uppercase-characters>
                <pas:min-non-alphanumeric-characters>2</pas:min-non-alphanumeric-characters>
            </sec:password-validator>
            <sec:deployable-provider-synchronization-enabled>false</sec:deployable-provider-synchronization-enabled>
        </realm>
        <default-realm>myrealm</default-realm>
        <credential-encrypted>{AES}cpwhv2peqwl0Z8Ma1Jk7KlmC6d1gtCAqxnzrmR5ssybHpM9AUzbBRJ7rE7m4/7U16IHgsTMkcOr/5/abZJ4NeuHR45jdDK1EjFmnUuPssISmGkan3EIpCKHmPPIynVxh</credential-encrypted>
        <node-manager-username>wdUXiuwL5A</node-manager-username>
        <node-manager-password-encrypted>{AES}UDiZjaLOrm0y+/I9noQVURudpzmRKMBOQR2B8ofNIt8=</node-manager-password-encrypted>
    </security-configuration>
    <server>
        <name>AdminServer</name>
        <max-http-message-size>10000000</max-http-message-size>
        <ssl>
            <name>AdminServer</name>
            <enabled>true</enabled>
            <hostname-verifier xsi:nil="true"></hostname-verifier>
            <hostname-verification-ignored>true</hostname-verification-ignored>
            <client-certificate-enforced>false</client-certificate-enforced>
            <listen-port>8443</listen-port>
            <two-way-ssl-enabled>true</two-way-ssl-enabled>
            <server-private-key-alias>localhost.localdomain</server-private-key-alias>
            <server-private-key-pass-phrase-encrypted>{AES}eZnL/NM4/xJaFj8rZAE4oB2htDm3srPUsTWYtDXblvk=</server-private-key-pass-phrase-encrypted>
            <ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>
            <allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
            <use-server-certs>true</use-server-certs>
            <jsse-enabled>true</jsse-enabled>
        </ssl>
        <listen-port-enabled>false</listen-port-enabled>
        <web-server>
            <keep-alive-secs>60</keep-alive-secs>
            <https-keep-alive-secs>60</https-keep-alive-secs>
        </web-server>
        <listen-address/>
        <java-compiler>javac</java-compiler>
        <tunneling-enabled>true</tunneling-enabled>
        <tunneling-client-ping-secs>45</tunneling-client-ping-secs>
        <tunneling-client-timeout-secs>40</tunneling-client-timeout-secs>
        <client-cert-proxy-enabled>false</client-cert-proxy-enabled>
        <key-stores>CustomIdentityAndCustomTrust</key-stores>
        <custom-identity-key-store-file-name>certstores/keystore</custom-identity-key-store-file-name>
        <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
        <custom-identity-key-store-pass-phrase-encrypted>{AES}eZnL/NM4/xJaFj8rZAE4oB2htDm3srPUsTWYtDXblvk=</custom-identity-key-store-pass-phrase-encrypted>
        <custom-trust-key-store-file-name>certstores/truststore</custom-trust-key-store-file-name>
        <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
        <custom-trust-key-store-pass-phrase-encrypted>{AES}uSkLzfC74bMCEjomgVdHtVw47iZg8BN71g7cdKr+XHo=</custom-trust-key-store-pass-phrase-encrypted>
    <overload-protection>
      <panic-action>system-exit</panic-action>
      <failure-action>force-shutdown</failure-action>
      <server-failure-trigger>
        <max-stuck-thread-time>600</max-stuck-thread-time>
        <stuck-thread-count>3</stuck-thread-count>
      </server-failure-trigger>
    </overload-protection>
    </server>
    <server>
      <name>MyManagedServer1</name>
      <ssl>
        <enabled>true</enabled>
        <listen-port>8445</listen-port>
        <server-private-key-alias>localhost.localdomain</server-private-key-alias>
        <server-private-key-pass-phrase-encrypted>{AES}eZnL/NM4/xJaFj8rZAE4oB2htDm3srPUsTWYtDXblvk=</server-private-key-pass-phrase-encrypted>
      </ssl>
      <machine xsi:nil="true"></machine>
      <listen-port>8444</listen-port>
      <listen-port-enabled>true</listen-port-enabled>
      <cluster xsi:nil="true"></cluster>
      <web-server>
        <web-server-log>
          <number-of-files-limited>false</number-of-files-limited>
        </web-server-log>
      </web-server>
      <listen-address></listen-address>
      <key-stores>CustomIdentityAndCustomTrust</key-stores>
      <custom-identity-key-store-file-name>certstores/keystore</custom-identity-key-store-file-name>
      <custom-identity-key-store-type>JKS</custom-identity-key-store-type>
      <custom-identity-key-store-pass-phrase-encrypted>{AES}eZnL/NM4/xJaFj8rZAE4oB2htDm3srPUsTWYtDXblvk=</custom-identity-key-store-pass-phrase-encrypted>
      <custom-trust-key-store-file-name>certstores/truststore</custom-trust-key-store-file-name>
      <custom-trust-key-store-type>JKS</custom-trust-key-store-type>
      <custom-trust-key-store-pass-phrase-encrypted>{AES}uSkLzfC74bMCEjomgVdHtVw47iZg8BN71g7cdKr+XHo=</custom-trust-key-store-pass-phrase-encrypted>
      <data-source>
        <rmi-jdbc-security xsi:nil="true"></rmi-jdbc-security>
      </data-source>
    </server>
    <production-mode-enabled>false</production-mode-enabled>
    <embedded-ldap>
        <name>JCRMDomain</name>
        <credential-encrypted>{AES}LNAnq4qCQQmy9rCOMN+uIZVPq1bVvPrwQqqtOScZrnYmwESt9aruHNVy4IjqMWz7</credential-encrypted>
    </embedded-ldap>
    <administration-port-enabled>true</administration-port-enabled>
    <configuration-version>10.3.4.0</configuration-version>
    <admin-server-name>AdminServer</admin-server-name>
</domain>
It has 'CustomIdentityAndCustomTrust' for both Admin Server as well as managed Server in it.
Thanks,
nn

System encryption using LUKS and GPG encrypted keys for arch linux

Update: As of 2012-03-28, arch changed from gnupg 1.4 to 2.x which uses pinentry for the password dialog. The "etwo" hook described here doesn't work with gnupg 2. Either use the openssl hook below or use a statically compiled version of gnupg 1.4.
Update: As of 2012-12-19, the mkinitcpio is not called during boot, unless the "install" file for the hook contains "add_runscript". This resulted in an unbootable system for me. Also, the method name was changed from install () to build ().
Update: 2013-01-13: Updated the hook files using the corrections by Deth.
Note: This guide is a bit dated now, in particular the arch installation might be different now. But essentially, the approach stays the same. Please also take a look at the posts further down, specifically the alternative hooks that use openssl.
I always wanted to set up a fully encrypted arch linux server that uses gpg encrypted keyfiles on an external usb stick and luks for root filesystem encryption. I already did it once in gentoo using this guide. For arch, I had to play alot with initcpio hooks and after one day of experimentation, I finally got it working. I wrote a little guide for myself which I'm going to share here for anyone that might be interested. There might be better or easier ways, like I said this is just how I did it. I hope it might help someone else. Constructive feedback is always welcome
Intro
Using arch linux mkinitcpio's encrypt hook, one can easily use encrypted root partitions with LUKS. It's also possible to use key files stored on an external drive, like an usb stick. However, if someone steals your usb stick, he can just copy the key and potentially access the system. I wanted to have a little extra security by additionally encrypting the key file with gpg using a symmetric cipher and a passphrase.
Since the encrypt hook doesn't support this scenario, I created a modifed hook called “etwo” (silly name I know, it was the first thing that came to my mind). It will simply look if the key file has the extension .gpg and, if yes, use gpg to decrypt it, then pipe the result into cryptsetup.
Conventions
In this short guide, I use the following disk/partition names:
/dev/sda: is the hard disk that will contain an encrypted swap (/dev/sda1), /var (/dev/sda2) and root (/dev/sda3) partition.
/dev/sdb is the usb stick that will contain the gpg encrypted luks keys, the kernel and grub. It will have one partition /dev/sdb1 formatted with ext2.
/dev/mapper/root, /dev/mapper/swap and /dev/mapper/var will be the encrypted devices.
Credits
Thanks to the authors of SECURITY_System_Encryption_DM-Crypt_with_LUKS (gentoo wiki), System Encryption with LUKS (arch wiki), mkinitcpio (arch wiki) and Early Userspace in Arch Linux (/dev/brain0 blog)!
Guide
1. Boot the arch live cd
I had to use a newer testing version, because the 2010.05 cd came with a broken gpg. You can download one here: http://releng.archlinux.org/isos/. I chose the “core“ version. Go ahead and boot the live cd, but don't start the setup yet.
2. Set keymap
Use km to set your keymap. This is important for non-qwerty keyboards to avoid suprises with passphrases...
3. Wipe your discs
ATTENTION: this will DELETE everything on /dev/sda and /dev/sdb forever! Do not blame me for any lost data!
Before encrypting the hard disc, it has to be completely wiped and overwritten with random data. I used shred for this. Others use badblocks or dd with /dev/urandom. Either way, this will take a long time, depending on the size of your disc. I also wiped my usb stick just to be sure.
shred -v /dev/sda
shred -v /dev/sdb
4. Partitioning
Fire up fdisk and create the following partitions:
/dev/sda1, type linux swap.
/dev/sda2: type linux
/dev/sda3: type linux
/dev/sdb1, type linux
Of course you can choose a different layout, this is just how I did it. Keep in mind that only the root filesystem will be decrypted by the initcpio. The rest will be decypted during normal init boot using /etc/crypttab, the keys being somewhere on the root filesystem.
5. Format and mount the usb stick
Create an ext2 filesystem on /dev/sdb1:
mkfs.ext2 /dev/sdb1
mkdir /root/usb
mount /dev/sdb1 /root/usb
cd /root/usb # this will be our working directory for now.
Do not mount anything to /mnt, because the arch installer will use that directory later to mount the encrypted root filesystem.
6. Configure the network (if not already done automatically)
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
route add default gw 192.168.0.1
echo "nameserver 192.168.0.1" >> /etc/resolv.conf
(this is just an example, your mileage may vary)
7. Install gnupg
pacman -Sy
pacman -S gnupg
Verify that gnupg works by launching gpg.
8. Create the keys
Just to be sure, make sure swap is off:
cat /proc/swaps
should return no entries.
Create gpg encrypted keys (remember, we're still in our working dir /root/usb):
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > root.gpg
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > var.gpg
Choose a strong password!!
Don't do this in two steps, e.g don't do dd to a file and then gpg on that file. The key should never be stored in plain text on an unencrypted device, except if that device is wiped on system restart (ramfs)!
Note that the default cipher for gpg is cast5, I just chose to use a different one.
9. Create the encrypted devices with cryptsetup
Create encrypted swap:
cryptsetup -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -d /dev/urandom create swap /dev/sda1
You should see /dev/mapper/swap now. Don't format nor turn it on for now. This will be done by the arch installer.
Important: From the Cryptsetup 1.1.2 Release notes:
Cryptsetup can accept passphrase on stdin (standard input). Handling of new line (\n) character is defined by input specification:
if keyfile is specified as "-" (using --key-file=- or by positional argument in luksFormat and luksAddKey, like cat file | cryptsetup --key-file=- <action> ), input is processed
as normal binary file and no new line is interpreted.
if there is no key file specification (with default input from stdin pipe like echo passphrase | cryptsetup <action> ) input is processed as input from terminal, reading will
stop after new line is detected.
If I understand this correctly, since the randomly generated key can contain a newline early on, piping the key into cryptsetup without specifying --key-file=- could result in a big part of the key to be ignored by cryptsetup. Example: if the random key was "foo\nandsomemorebaratheendofthekey", piping it directly into cryptsetup without --key-file=- would result in cryptsetup using only "foo" as key which would have big security implications. We should therefor ALWAYS pipe the key into cryptsetup using --key-file=- which ignores newlines.
gpg -q -d root.gpg 2>/dev/null | cryptsetup -v -–key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool luksFormat /dev/sda3
gpg -q -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- -c aes-cbc-essiv:sha256 -s 256 -h whirlpool -v luksFormat /dev/sda2
Check for any errors.
10. Open the luks devices
gpg -d root.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda3 root
gpg -d var.gpg 2>/dev/null | cryptsetup -v –-key-file=- luksOpen /dev/sda2 var
If you see /dev/mapper/root and /dev/mapper/var now, everything is ok.
11. Start the installer /arch/setup
Follow steps 1 to 3.
At step 4 (Prepare hard drive(s), select “3 – Manually Configure block devices, filesystems and mountpoints. Choose /dev/sdb1 (the usb stick) as /boot, /dev/mapper/swap for swap, /dev/mapper/root for / and /dev/mapper/var for /var.
Format all drives (choose “yes” when asked “do you want to have this filesystem (re)created”) EXCEPT for /dev/sdb1, choose “no”. Choose the correct filesystem for /dev/sdb1, ext2 in my case. Use swap for /dev/mapper/swap. For the rest, I chose ext4.
Select DONE to start formatting.
At step 5 (Select packages), select grub as boot loader. Select the base group. Add mkinitcpio.
Start step 6 (Install packages).
Go to step 7 (Configure System).
By sure to set the correct KEYMAP, LOCALE and TIMEZONE in /etc/rc.conf.
Edit /etc/fstab:
/dev/mapper/root / ext4 defaults 0 1
/dev/mapper/swap swap swap defaults 0 0
/dev/mapper/var /var ext4 defaults 0 1
# /dev/sdb1 /boot ext2 defaults 0 1
Configure the rest normally. When you're done, setup will launch mkinitcpio. We'll manually launch this again later.
Go to step 8 (install boot loader).
Be sure to change the kernel line in menu.lst:
kernel /vmlinuz26 root=/dev/mapper/root cryptdevice=/dev/sda3:root cryptkey=/dev/sdb1:ext2:/root.gpg
Don't forget the :root suffix in cryptdevice!
Also, my root line was set to (hd1,0). Had to change that to
root (hd0,0)
Install grub to /dev/sdb (the usb stick).
Now, we can exit the installer.
12. Install mkinitcpio with the etwo hook.
Create /mnt/lib/initcpio/hooks/etwo:
#!/usr/bin/ash
run_hook() {
/sbin/modprobe -a -q dm-crypt >/dev/null 2>&1
if [ -e "/sys/class/misc/device-mapper" ]; then
if [ ! -e "/dev/mapper/control" ]; then
/bin/mknod "/dev/mapper/control" c $(cat /sys/class/misc/device-mapper/dev | sed 's|:| |')
fi
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null"
# Get keyfile if specified
ckeyfile="/crypto_keyfile"
usegpg="n"
if [ "x${cryptkey}" != "x" ]; then
ckdev="$(echo "${cryptkey}" | cut -d: -f1)"
ckarg1="$(echo "${cryptkey}" | cut -d: -f2)"
ckarg2="$(echo "${cryptkey}" | cut -d: -f3)"
if poll_device "${ckdev}" ${rootdelay}; then
case ${ckarg1} in
*[!0-9]*)
# Use a file on the device
# ckarg1 is not numeric: ckarg1=filesystem, ckarg2=path
if [ "${ckarg2#*.}" = "gpg" ]; then
ckeyfile="${ckeyfile}.gpg"
usegpg="y"
fi
mkdir /ckey
mount -r -t ${ckarg1} ${ckdev} /ckey
dd if=/ckey/${ckarg2} of=${ckeyfile} >/dev/null 2>&1
umount /ckey
# Read raw data from the block device
# ckarg1 is numeric: ckarg1=offset, ckarg2=length
dd if=${ckdev} of=${ckeyfile} bs=1 skip=${ckarg1} count=${ckarg2} >/dev/null 2>&1
esac
fi
[ ! -f ${ckeyfile} ] && echo "Keyfile could not be opened. Reverting to passphrase."
fi
if [ -n "${cryptdevice}" ]; then
DEPRECATED_CRYPT=0
cryptdev="$(echo "${cryptdevice}" | cut -d: -f1)"
cryptname="$(echo "${cryptdevice}" | cut -d: -f2)"
else
DEPRECATED_CRYPT=1
cryptdev="${root}"
cryptname="root"
fi
warn_deprecated() {
echo "The syntax 'root=${root}' where '${root}' is an encrypted volume is deprecated"
echo "Use 'cryptdevice=${root}:root root=/dev/mapper/root' instead."
if poll_device "${cryptdev}" ${rootdelay}; then
if /sbin/cryptsetup isLuks ${cryptdev} >/dev/null 2>&1; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
dopassphrase=1
# If keyfile exists, try to use that
if [ -f ${ckeyfile} ]; then
if [ "${usegpg}" = "y" ]; then
# gpg tty fixup
if [ -e /dev/tty ]; then mv /dev/tty /dev/tty.backup; fi
cp -a /dev/console /dev/tty
while [ ! -e /dev/mapper/${cryptname} ];
do
sleep 2
/usr/bin/gpg -d "${ckeyfile}" 2>/dev/null | cryptsetup --key-file=- luksOpen ${cryptdev} ${cryptname} ${CSQUIET}
dopassphrase=0
done
rm /dev/tty
if [ -e /dev/tty.backup ]; then mv /dev/tty.backup /dev/tty; fi
else
if eval /sbin/cryptsetup --key-file ${ckeyfile} luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; then
dopassphrase=0
else
echo "Invalid keyfile. Reverting to passphrase."
fi
fi
fi
# Ask for a passphrase
if [ ${dopassphrase} -gt 0 ]; then
echo ""
echo "A password is required to access the ${cryptname} volume:"
#loop until we get a real password
while ! eval /sbin/cryptsetup luksOpen ${cryptdev} ${cryptname} ${CSQUIET}; do
sleep 2;
done
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
elif [ -n "${crypto}" ]; then
[ ${DEPRECATED_CRYPT} -eq 1 ] && warn_deprecated
msg "Non-LUKS encrypted device found..."
if [ $# -ne 5 ]; then
err "Verify parameter format: crypto=hash:cipher:keysize:offset:skip"
err "Non-LUKS decryption not attempted..."
return 1
fi
exe="/sbin/cryptsetup create ${cryptname} ${cryptdev}"
tmp=$(echo "${crypto}" | cut -d: -f1)
[ -n "${tmp}" ] && exe="${exe} --hash \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f2)
[ -n "${tmp}" ] && exe="${exe} --cipher \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f3)
[ -n "${tmp}" ] && exe="${exe} --key-size \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f4)
[ -n "${tmp}" ] && exe="${exe} --offset \"${tmp}\""
tmp=$(echo "${crypto}" | cut -d: -f5)
[ -n "${tmp}" ] && exe="${exe} --skip \"${tmp}\""
if [ -f ${ckeyfile} ]; then
exe="${exe} --key-file ${ckeyfile}"
else
exe="${exe} --verify-passphrase"
echo ""
echo "A password is required to access the ${cryptname} volume:"
fi
eval "${exe} ${CSQUIET}"
if [ $? -ne 0 ]; then
err "Non-LUKS device decryption failed. verify format: "
err " crypto=hash:cipher:keysize:offset:skip"
exit 1
fi
if [ -e "/dev/mapper/${cryptname}" ]; then
if [ ${DEPRECATED_CRYPT} -eq 1 ]; then
export root="/dev/mapper/root"
fi
else
err "Password succeeded, but ${cryptname} creation failed, aborting..."
exit 1
fi
else
err "Failed to open encryption mapping: The device ${cryptdev} is not a LUKS volume and the crypto= paramater was not specified."
fi
fi
rm -f ${ckeyfile}
fi
Create /mnt/lib/initcpio/install/etwo:
#!/bin/bash
build() {
local mod
add_module dm-crypt
if [[ $CRYPTO_MODULES ]]; then
for mod in $CRYPTO_MODULES; do
add_module "$mod"
done
else
add_all_modules '/crypto/'
fi
add_dir "/dev/mapper"
add_binary "cryptsetup"
add_binary "dmsetup"
add_binary "/usr/bin/gpg"
add_file "/usr/lib/udev/rules.d/10-dm.rules"
add_file "/usr/lib/udev/rules.d/13-dm-disk.rules"
add_file "/usr/lib/udev/rules.d/95-dm-notify.rules"
add_file "/usr/lib/initcpio/udev/11-dm-initramfs.rules" "/usr/lib/udev/rules.d/11-dm-initramfs.rules"
add_runscript
help ()
cat<<HELPEOF
This hook allows for an encrypted root device with support for gpg encrypted key files.
To use gpg, the key file must have the extension .gpg and you have to install gpg and add /usr/bin/gpg
to your BINARIES var in /etc/mkinitcpio.conf.
HELPEOF
Edit /mnt/etc/mkinitcpio.conf (only relevant sections displayed):
MODULES=”ext2 ext4” # not sure if this is really nessecary.
BINARIES=”/usr/bin/gpg” # this could probably be done in install/etwo...
HOOKS=”base udev usbinput keymap autodetect pata scsi sata usb etwo filesystems” # (usbinput is only needed if you have an usb keyboard)
Copy the initcpio stuff over to the live cd:
cp /mnt/lib/initcpio/hooks/etwo /lib/initcpio/hooks/
cp /mnt/lib/initcpio/install/etwo /lib/initcpio/install/
cp /mnt/etc/mkinitcpio.conf /etc/
Verify your LOCALE, KEYMAP and TIMEZONE in /etc/rc.conf!
Now reinstall the initcpio:
mkinitcpio -g /mnt/boot/kernel26.img
Make sure there were no errors and that all hooks were included.
13. Decrypt the "var" key to the encrypted root
mkdir /mnt/keys
chmod 500 /mnt/keys
gpg –output /mnt/keys/var -d /mnt/boot/var.gpg
chmod 400 /mnt/keys/var
14. Setup crypttab
Edit /mnt/etc/crypttab:
swap /dev/sda1 SWAP -c aes-cbc-essiv:sha256 -s 256 -h whirlpool
var /dev/sda2 /keys/var
15. Reboot
We're done, you may reboot. Make sure you select the usb stick as the boot device in your bios and hope for the best. . If it didn't work, play with grub's settings or boot from the live cd, mount your encrypted devices and check all settings. You might also have less trouble by using uuid's instead of device names. I chose device names to keep things as simple as possible, even though it's not the optimal way to do it.
Make backups of your data and your usb stick and do not forget your password(s)! Or you can say goodbye to your data forever...
Last edited by fabriceb (2013-01-15 22:36:23)

I'm trying to run my install script that is based on https://bbs.archlinux.org/viewtopic.php?id=129885
Decrypting the gpg key after grub works, but then "Devce root already exists." appears every second.
any idea ?
#!/bin/bash
# This script is designed to be run in conjunction with a UEFI boot using Archboot intall media.
# prereqs:
# EFI "BIOS" set to boot *only* from EFI
# successful EFI boot of Archboot USB
# mount /dev/sdb1 /src
set -o nounset
#set -o errexit
# Host specific configuration
# this whole script needs to be customized, particularly disk partitions
# and configuration, but this section contains global variables that
# are used during the system configuration phase for convenience
HOSTNAME=daniel
USERNAME=user
# Globals
# We don't need to set these here but they are used repeatedly throughout
# so it makes sense to reuse them and allow an easy, one-time change if we
# need to alter values such as the install target mount point.
INSTALL_TARGET="/install"
HR="--------------------------------------------------------------------------------"
PACMAN="pacman --noconfirm --config /tmp/pacman.conf"
TARGET_PACMAN="pacman --noconfirm --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
CHROOT_PACMAN="pacman --noconfirm --cachedir /var/cache/pacman/pkg --config /tmp/pacman.conf -r ${INSTALL_TARGET}"
FILE_URL="file:///packages/core-$(uname -m)/pkg"
FTP_URL='ftp://mirrors.kernel.org/archlinux/$repo/os/$arch'
HTTP_URL='http://mirrors.kernel.org/archlinux/$repo/os/$arch'
# Functions
# I've avoided using functions in this script as they aren't required and
# I think it's more of a learning tool if you see the step-by-step
# procedures even with minor duplciations along the way, but I feel that
# these functions clarify the particular steps of setting values in config
# files.
SetValue () {
# EXAMPLE: SetValue VARIABLENAME '\"Quoted Value\"' /file/path
VALUENAME="$1" NEWVALUE="$2" FILEPATH="$3"
sed -i "s+^#\?$${VALUENAME}$=.*$+\1=${NEWVALUE}+" "${FILEPATH}"
CommentOutValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^$${VALUENAME}.*$$/#\1/" "${FILEPATH}"
UncommentValue () {
VALUENAME="$1" FILEPATH="$2"
sed -i "s/^#$${VALUENAME}.*$$/\1/" "${FILEPATH}"
# Initialize
# Warn the user about impending doom, set up the network on eth0, mount
# the squashfs images (Archboot does this normally, we're just filling in
# the gaps resulting from the fact that we're doing a simple scripted
# install). We also create a temporary pacman.conf that looks for packages
# locally first before sourcing them from the network. It would be better
# to do either *all* local or *all* network but we can't for two reasons.
# 1. The Archboot installation image might have an out of date kernel
# (currently the case) which results in problems when chrooting
# into the install mount point to modprobe efivars. So we use the
# package snapshot on the Archboot media to ensure our kernel is
# the same as the one we booted with.
# 2. Ideally we'd source all local then, but some critical items,
# notably grub2-efi variants, aren't yet on the Archboot media.
# Warn
timer=9
echo -e "\n\nMAC WARNING: This script is not designed for APPLE MAC installs and will potentially misconfigure boot to your existing OS X installation. STOP NOW IF YOU ARE ON A MAC.\n\n"
echo -n "GENERAL WARNING: This procedure will completely format /dev/sda. Please cancel with ctrl-c to cancel within $timer seconds..."
while [[ $timer -gt 0 ]]
do
sleep 1
let timer-=1
echo -en "$timer seconds..."
done
echo "STARTING"
# Get Network
echo -n "Waiting for network address.."
#dhclient eth0
dhcpcd -p eth0
echo -n "Network address acquired."
# Mount packages squashfs images
umount "/packages/core-$(uname -m)"
umount "/packages/core-any"
rm -rf "/packages/core-$(uname -m)"
rm -rf "/packages/core-any"
mkdir -p "/packages/core-$(uname -m)"
mkdir -p "/packages/core-any"
modprobe -q loop
modprobe -q squashfs
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_$(uname -m).squashfs" "/packages/core-$(uname -m)"
mount -o ro,loop -t squashfs "/src/packages/archboot_packages_any.squashfs" "/packages/core-any"
# Create temporary pacman.conf file
cat << PACMANEOF > /tmp/pacman.conf
[options]
Architecture = auto
CacheDir = ${INSTALL_TARGET}/var/cache/pacman/pkg
CacheDir = /packages/core-$(uname -m)/pkg
CacheDir = /packages/core-any/pkg
[core]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
[extra]
Server = ${FILE_URL}
Server = ${FTP_URL}
Server = ${HTTP_URL}
#Uncomment to enable pacman -Sy yaourt
[archlinuxfr]
Server = http://repo.archlinux.fr/\$arch
PACMANEOF
# Prepare pacman
[[ ! -d "${INSTALL_TARGET}/var/cache/pacman/pkg" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/cache/pacman/pkg"
[[ ! -d "${INSTALL_TARGET}/var/lib/pacman" ]] && mkdir -m 755 -p "${INSTALL_TARGET}/var/lib/pacman"
${PACMAN} -Sy
${TARGET_PACMAN} -Sy
# Install prereqs from network (not on archboot media)
echo -e "\nInstalling prereqs...\n$HR"
#sed -i "s/^#S/S/" /etc/pacman.d/mirrorlist # Uncomment all Server lines
UncommentValue S /etc/pacman.d/mirrorlist # Uncomment all Server lines
${PACMAN} --noconfirm -Sy gptfdisk btrfs-progs-unstable libusb-compat gnupg
# Configure Host
# Here we create three partitions:
# 1. efi and /boot (one partition does double duty)
# 2. swap
# 3. our encrypted root
# Note that all of these are on a GUID partition table scheme. This proves
# to be quite clean and simple since we're not doing anything with MBR
# boot partitions and the like.
echo -e "format\n"
# shred -v /dev/sda
# disk prep
sgdisk -Z /dev/sda # zap all on disk
#sgdisk -Z /dev/mmcb1k0 # zap all on sdcard
sgdisk -a 2048 -o /dev/sda # new gpt disk 2048 alignment
#sgdisk -a 2048 -o /dev/mmcb1k0
# create partitions
sgdisk -n 1:0:+200M /dev/sda # partition 1 (UEFI BOOT), default start block, 200MB
sgdisk -n 2:0:+4G /dev/sda # partition 2 (SWAP), default start block, 200MB
sgdisk -n 3:0:0 /dev/sda # partition 3, (LUKS), default start, remaining space
#sgdisk -n 1:0:1800M /dev/mmcb1k0 # root.gpg
# set partition types
sgdisk -t 1:ef00 /dev/sda
sgdisk -t 2:8200 /dev/sda
sgdisk -t 3:8300 /dev/sda
#sgdisk -t 1:0700 /dev/mmcb1k0
# label partitions
sgdisk -c 1:"UEFI Boot" /dev/sda
sgdisk -c 2:"Swap" /dev/sda
sgdisk -c 3:"LUKS" /dev/sda
#sgdisk -c 1:"Key" /dev/mmcb1k0
echo -e "create gpg file\n"
# create gpg file
dd if=/dev/urandom bs=512 count=4 | gpg -v --cipher-algo aes256 --digest-algo sha512 -c -a > /root/root.gpg
echo -e "format LUKS on root\n"
# format LUKS on root
gpg -q -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- -c aes-xts-plain -s 512 --hash sha512 luksFormat /dev/sda3
echo -e "open LUKS on root\n"
gpg -d /root/root.gpg 2>/dev/null | cryptsetup -v --key-file=- luksOpen /dev/sda3 root
# NOTE: make sure to add dm_crypt and aes_i586 to MODULES in rc.conf
# NOTE2: actually this isn't required since we're mounting an encrypted root and grub2/initramfs handles this before we even get to rc.conf
# make filesystems
# following swap related commands not used now that we're encrypting our swap partition
#mkswap /dev/sda2
#swapon /dev/sda2
#mkfs.ext4 /dev/sda3 # this is where we'd create an unencrypted root partition, but we're using luks instead
echo -e "\nCreating Filesystems...\n$HR"
# make filesystems
mkfs.ext4 /dev/mapper/root
mkfs.vfat -F32 /dev/sda1
#mkfs.vfat -F32 /dev/mmcb1k0p1
echo -e "mount targets\n"
# mount target
#mount /dev/sda3 ${INSTALL_TARGET} # this is where we'd mount the unencrypted root partition
mount /dev/mapper/root ${INSTALL_TARGET}
# mount target
mkdir ${INSTALL_TARGET}
# mkdir ${INSTALL_TARGET}/key
# mount -t vfat /dev/mmcb1k0p1 ${INSTALL_TARGET}/key
mkdir ${INSTALL_TARGET}/boot
mount -t vfat /dev/sda1 ${INSTALL_TARGET}/boot
# Install base, necessary utilities
mkdir -p ${INSTALL_TARGET}/var/lib/pacman
${TARGET_PACMAN} -Sy
${TARGET_PACMAN} -Su base
# curl could be installed later but we want it ready for rankmirrors
${TARGET_PACMAN} -S curl
${TARGET_PACMAN} -S libusb-compat gnupg
${TARGET_PACMAN} -R grub
rm -rf ${INSTALL_TARGET}/boot/grub
${TARGET_PACMAN} -S grub2-efi-x86_64
# Configure new system
SetValue HOSTNAME ${HOSTNAME} ${INSTALL_TARGET}/etc/rc.conf
sed -i "s/^$127\.0\.0\.1.*$$/\1 ${HOSTNAME}/" ${INSTALL_TARGET}/etc/hosts
SetValue CONSOLEFONT Lat2-Terminus16 ${INSTALL_TARGET}/etc/rc.conf
#following replaced due to netcfg
#SetValue interface eth0 ${INSTALL_TARGET}/etc/rc.conf
# write fstab
# You can use UUID's or whatever you want here, of course. This is just
# the simplest approach and as long as your drives aren't changing values
# randomly it should work fine.
cat > ${INSTALL_TARGET}/etc/fstab <<FSTAB_EOF
# /etc/fstab: static file system information
# <file system> <dir> <type> <options> <dump> <pass>
tmpfs /tmp tmpfs nodev,nosuid 0 0
/dev/sda1 /boot vfat defaults 0 0
/dev/mapper/cryptswap none swap defaults 0 0
/dev/mapper/root / ext4 defaults,noatime 0 1
FSTAB_EOF
# write etwo
mkdir -p /lib/initcpio/hooks/
mkdir -p /lib/initcpio/install/
cp /src/etwo_hooks /lib/initcpio/hooks/etwo
cp /src/etwo_install /lib/initcpio/install/etwo
mkdir -p ${INSTALL_TARGET}/lib/initcpio/hooks/
mkdir -p ${INSTALL_TARGET}/lib/initcpio/install/
cp /src/etwo_hooks ${INSTALL_TARGET}/lib/initcpio/hooks/etwo
cp /src/etwo_install ${INSTALL_TARGET}/lib/initcpio/install/etwo
# write crypttab
# encrypted swap (random passphrase on boot)
echo cryptswap /dev/sda2 SWAP "-c aes-xts-plain -h whirlpool -s 512" >> ${INSTALL_TARGET}/etc/crypttab
# copy configs we want to carry over to target from install environment
mv ${INSTALL_TARGET}/etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf.orig
cp /etc/resolv.conf ${INSTALL_TARGET}/etc/resolv.conf
mkdir -p ${INSTALL_TARGET}/tmp
cp /tmp/pacman.conf ${INSTALL_TARGET}/tmp/pacman.conf
# mount proc, sys, dev in install root
mount -t proc proc ${INSTALL_TARGET}/proc
mount -t sysfs sys ${INSTALL_TARGET}/sys
mount -o bind /dev ${INSTALL_TARGET}/dev
echo -e "umount boot\n"
# we have to remount /boot from inside the chroot
umount ${INSTALL_TARGET}/boot
# Create install_efi script (to be run *after* chroot /install)
touch ${INSTALL_TARGET}/install_efi
chmod a+x ${INSTALL_TARGET}/install_efi
cat > ${INSTALL_TARGET}/install_efi <<EFI_EOF
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
echo -e "mount boot\n"
# remount here or grub et al gets confused
mount -t vfat /dev/sda1 /boot
# mkinitcpio
# NOTE: intel_agp drm and i915 for intel graphics
SetValue MODULES '\\"dm_mod dm_crypt aes_x86_64 ext2 ext4 vfat intel_agp drm i915\\"' /etc/mkinitcpio.conf
SetValue HOOKS '\\"base udev pata scsi sata usb usbinput keymap consolefont etwo encrypt filesystems\\"' /etc/mkinitcpio.conf
SetValue BINARIES '\\"/usr/bin/gpg\\"' /etc/mkinitcpio.conf
mkinitcpio -p linux
# kernel modules for EFI install
modprobe efivars
modprobe dm-mod
# locale-gen
UncommentValue de_AT /etc/locale.gen
locale-gen
# install and configure grub2
# did this above
#${CHROOT_PACMAN} -Sy
#${CHROOT_PACMAN} -R grub
#rm -rf /boot/grub
#${CHROOT_PACMAN} -S grub2-efi-x86_64
# you can be surprisingly sloppy with the root value you give grub2 as a kernel option and
# even omit the cryptdevice altogether, though it will wag a finger at you for using
# a deprecated syntax, so we're using the correct form here
# NOTE: take out i915.modeset=1 unless you are on intel graphics
SetValue GRUB_CMDLINE_LINUX '\\"cryptdevice=/dev/sda3:root cryptkey=/dev/sda1:vfat:/root.gpg add_efi_memmap i915.i915_enable_rc6=1 i915.i915_enable_fbc=1 i915.lvds_downclock=1 pcie_aspm=force quiet\\"' /etc/default/grub
# set output to graphical
SetValue GRUB_TERMINAL_OUTPUT gfxterm /etc/default/grub
SetValue GRUB_GFXMODE 960x600x32,auto /etc/default/grub
SetValue GRUB_GFXPAYLOAD_LINUX keep /etc/default/grub # comment out this value if text only mode
# install the actual grub2. Note that despite our --boot-directory option we will still need to move
# the grub directory to /boot/grub during grub-mkconfig operations until grub2 gets patched (see below)
grub_efi_x86_64-install --bootloader-id=grub --no-floppy --recheck
# create our EFI boot entry
# bug in the HP bios firmware (F.08)
efibootmgr --create --gpt --disk /dev/sda --part 1 --write-signature --label "ARCH LINUX" --loader "\\\\grub\\\\grub.efi"
# copy font for grub2
cp /usr/share/grub/unicode.pf2 /boot/grub
# generate config file
grub-mkconfig -o /boot/grub/grub.cfg
exit
EFI_EOF
# Install EFI using script inside chroot
chroot ${INSTALL_TARGET} /install_efi
rm ${INSTALL_TARGET}/install_efi
# Post install steps
# anything you want to do post install. run the script automatically or
# manually
touch ${INSTALL_TARGET}/post_install
chmod a+x ${INSTALL_TARGET}/post_install
cat > ${INSTALL_TARGET}/post_install <<POST_EOF
set -o errexit
set -o nounset
# functions (these could be a library, but why overcomplicate things
SetValue () { VALUENAME="\$1" NEWVALUE="\$2" FILEPATH="\$3"; sed -i "s+^#\?$\${VALUENAME}$=.*\$+\1=\${NEWVALUE}+" "\${FILEPATH}"; }
CommentOutValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^$\${VALUENAME}.*$\$/#\1/" "\${FILEPATH}"; }
UncommentValue () { VALUENAME="\$1" FILEPATH="\$2"; sed -i "s/^#$\${VALUENAME}.*$\$/\1/" "\${FILEPATH}"; }
# root password
echo -e "${HR}\\nNew root user password\\n${HR}"
passwd
# add user
echo -e "${HR}\\nNew non-root user password (username:${USERNAME})\\n${HR}"
groupadd sudo
useradd -m -g users -G audio,lp,optical,storage,video,games,power,scanner,network,sudo,wheel -s /bin/bash ${USERNAME}
passwd ${USERNAME}
# mirror ranking
echo -e "${HR}\\nRanking Mirrors (this will take a while)\\n${HR}"
cp /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.orig
mv /etc/pacman.d/mirrorlist /etc/pacman.d/mirrorlist.all
sed -i "s/#S/S/" /etc/pacman.d/mirrorlist.all
rankmirrors -n 5 /etc/pacman.d/mirrorlist.all > /etc/pacman.d/mirrorlist
# temporary fix for locale.sh update conflict
mv /etc/profile.d/locale.sh /etc/profile.d/locale.sh.preupdate || true
# yaourt repo (add to target pacman, not tmp pacman.conf, for ongoing use)
echo -e "\\n[archlinuxfr]\\nServer = http://repo.archlinux.fr/\\\$arch" >> /etc/pacman.conf
echo -e "\\n[haskell]\\nServer = http://www.kiwilight.com/\\\$repo/\\\$arch" >> /etc/pacman.conf
# additional groups and utilities
pacman --noconfirm -Syu
pacman --noconfirm -S base-devel
pacman --noconfirm -S yaourt
# sudo
pacman --noconfirm -S sudo
cp /etc/sudoers /tmp/sudoers.edit
sed -i "s/#\s*$%wheel\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
sed -i "s/#\s*$%sudo\s*ALL=(ALL)\s*ALL.*$$/\1/" /tmp/sudoers.edit
visudo -qcsf /tmp/sudoers.edit && cat /tmp/sudoers.edit > /etc/sudoers
# power
pacman --noconfirm -S acpi acpid acpitool cpufrequtils
yaourt --noconfirm -S powertop2
sed -i "/^DAEMONS/ s/)/ @acpid)/" /etc/rc.conf
sed -i "/^MODULES/ s/)/ acpi-cpufreq cpufreq_ondemand cpufreq_powersave coretemp)/" /etc/rc.conf
# following requires my acpi handler script
echo "/etc/acpi/handler.sh boot" > /etc/rc.local
# time
pacman --noconfirm -S ntp
sed -i "/^DAEMONS/ s/hwclock /!hwclock @ntpd /" /etc/rc.conf
# wireless (wpa supplicant should already be installed)
pacman --noconfirm -S iw wpa_supplicant rfkill
pacman --noconfirm -S netcfg wpa_actiond ifplugd
mv /etc/wpa_supplicant.conf /etc/wpa_supplicant.conf.orig
echo -e "ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=network\nupdate_config=1" > /etc/wpa_supplicant.conf
# make sure to copy /etc/network.d/examples/wireless-wpa-config to /etc/network.d/home and edit
sed -i "/^DAEMONS/ s/)/ @net-auto-wireless @net-auto-wired)/" /etc/rc.conf
sed -i "/^DAEMONS/ s/ network / /" /etc/rc.conf
echo -e "\nWIRELESS_INTERFACE=wlan0" >> /etc/rc.conf
echo -e "WIRED_INTERFACE=eth0" >> /etc/rc.conf
echo "options iwlagn led_mode=2" > /etc/modprobe.d/iwlagn.conf
# sound
pacman --noconfirm -S alsa-utils alsa-plugins
sed -i "/^DAEMONS/ s/)/ @alsa)/" /etc/rc.conf
mv /etc/asound.conf /etc/asound.conf.orig || true
#if alsamixer isn't working, try alsamixer -Dhw and speaker-test -Dhw -c 2
# video
pacman --noconfirm -S base-devel mesa mesa-demos
# x
#pacman --noconfirm -S xorg xorg-xinit xorg-utils xorg-server-utils xdotool xorg-xlsfonts
#yaourt --noconfirm -S xf86-input-wacom-git # NOT NEEDED? input-wacom-git
#TODO: cut down the install size
#pacman --noconfirm -S xorg-server xorg-xinit xorg-utils xorg-server-utils
# TODO: wacom
# environment/wm/etc.
#pacman --noconfirm -S xfce4 compiz ccsm
#pacman --noconfirm -S xcompmgr
#yaourt --noconfirm -S physlock unclutter
#pacman --noconfirm -S rxvt-unicode urxvt-url-select hsetroot
#pacman --noconfirm -S gtk2 #gtk3 # for taffybar?
#pacman --noconfirm -S ghc
# note: try installing alex and happy from cabal instead
#pacman --noconfirm -S haskell-platform haskell-hscolour
#yaourt --noconfirm -S xmonad-darcs xmonad-contrib-darcs xcompmgr
#yaourt --noconfirm -S xmobar-git
# TODO: edit xfce to use compiz
# TODO: xmonad, but deal with video tearing
# TODO: xmonad-darcs fails to install from AUR. haskell dependency hell.
# switching to cabal
# fonts
pacman --noconfirm -S terminus-font
yaourt --noconfirm -S webcore-fonts
yaourt --noconfirm -S fontforge libspiro
yaourt --noconfirm -S freetype2-git-infinality
# TODO: sed infinality and change to OSX or OSX2 mode
# and create the sym link from /etc/fonts/conf.avail to conf.d
# misc apps
#pacman --noconfirm -S htop openssh keychain bash-completion git vim
#pacman --noconfirm -S chromium flashplugin
#pacman --noconfirm -S scrot mypaint bc
#yaourt --noconfirm -S task-git stellarium googlecl
# TODO: argyll
POST_EOF
# Post install in chroot
#echo "chroot and run /post_install"
chroot /install /post_install
rm /install/post_install
# copy grub.efi file to the default HP EFI boot manager path
mkdir -p ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/
mkdir -p ${INSTALL_TARGET}/boot/EFI/BOOT/
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/Microsoft/BOOT/bootmgfw.efi
cp ${INSTALL_TARGET}/boot/grub/grub.efi ${INSTALL_TARGET}/boot/EFI/BOOT/BOOTX64.EFI
cp /root/root.gpg ${INSTALL_TARGET}/boot/
# NOTES/TODO

[APP: soa-infra] . Unable to fetch/generate encryption key.

Hello;
I am installing Fusion Middleware 11.1.1.7 on a Windows 2008 R2 64 bit server that is running in Oracle VM.
Components installed:
Oracle SE database Enterprise
RCU
WLS - 10.3.6
OSB
SOA
BAM
Web Center.
I am not sure why I am getiting this message but when I start the SOA server I get the following message:
[APP: soa-infra] <.> Unable to fetch/generate encryption key.[[Unable to fetch/generate encryption key.
Check installation/post-installation steps for errors. Check for errors during SOA server startup. ORABPEL-35012   Unable to fetch/generate encryption key.
Unable to fetch/generate encryption key.
Check installation/post-installation steps for errors. Check for errors during SOA server startup.
at oracle.bpel.services.common.util.EncryptionService.<clinit>(EncryptionService.java:82)
    at oracle.bpel.services.workflow.verification.impl.VerificationService$1.run(VerificationService.java:2803)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.encryptString(VerificationService.java:2801)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.createTokenFromMap(VerificationService.java:2544)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.getInternalContextToken(VerificationService.java:465)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.getInternalContext(VerificationService.java:492)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.<clinit>(VerificationService.java:425)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:61)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:877)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:839)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1010)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:423)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:728)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:139)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:93)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:87)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:248)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:925)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:835)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:168)
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:884)
    at org.springframework.beans.factory.access.SingletonBeanFactoryLocator.useBeanFactory(SingletonBeanFactoryLocator.java:397)
    at org.springframework.ejb.support.AbstractEnterpriseBean.loadBeanFactory(AbstractEnterpriseBean.java:118)
    at org.springframework.ejb.support.AbstractStatelessSessionBean.ejbCreate(AbstractStatelessSessionBean.java:66)
    at oracle.bpm.bpmn.engine.instancemanagement.ejb.InternalInstanceManagementServiceBean_c6peyo_Impl.ejbCreate(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethod(Jsr250Metadata.java:331)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethod(Jsr250Metadata.java:325)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethods(Jsr250Metadata.java:319)
    at com.oracle.pitchfork.intercept.InterceptionMetadata.invokeLifecycleMethods(InterceptionMetadata.java:468)
    at com.oracle.pitchfork.intercept.InterceptionMetadata$AdvisorChainProxyControl.invokeLifecycleMethod(InterceptionMetadata.java:416)
    at sun.reflect.GeneratedMethodAccessor946.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:106)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy241.invokeLifecycleMethod(Unknown Source)
    at weblogic.ejb.container.pool.StatelessSessionPool.createBean(StatelessSessionPool.java:212)
    at weblogic.ejb.container.pool.Pool.createInitialBeans(Pool.java:299)
    at weblogic.ejb.container.manager.StatelessManager.initializePool(StatelessManager.java:448)
    at weblogic.ejb.container.deployer.EJBDeployer.initializePools(EJBDeployer.java:1649)
    at weblogic.ejb.container.deployer.EJBDeployer.start(EJBDeployer.java:1477)
    at weblogic.ejb.container.deployer.EJBModule.start(EJBModule.java:616)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
    at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
    at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
    at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
    at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.security.AccessControlException: access denied (oracle.security.jps.service.credstore.CredentialAccessPermission context=SYSTEM,mapName=BPM-CRYPTO,keyName=BPM-CRYPTO read)
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:374)
    at java.security.AccessController.checkPermission(AccessController.java:549)
    at oracle.security.jps.util.JpsAuth$AuthorizationMechanism$3.checkPermission(JpsAuth.java:463)
    at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:523)
    at oracle.security.jps.util.JpsAuth.checkPermission(JpsAuth.java:549)
    at oracle.security.jps.internal.credstore.util.CsfUtil.checkPermission(CsfUtil.java:684)
    at oracle.security.jps.internal.credstore.ssp.SspCredentialStore.getCredential(SspCredentialStore.java:562)
    at oracle.bpel.services.common.util.EncryptionService$1.run(EncryptionService.java:72)
    at oracle.bpel.services.common.util.EncryptionService.<clinit>(EncryptionService.java:61)
    at oracle.bpel.services.workflow.verification.impl.VerificationService$1.run(VerificationService.java:2803)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.encryptString(VerificationService.java:2801)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.createTokenFromMap(VerificationService.java:2544)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.getInternalContextToken(VerificationService.java:465)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.getInternalContext(VerificationService.java:492)
    at oracle.bpel.services.workflow.verification.impl.VerificationService.<clinit>(VerificationService.java:425)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:61)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateBean(AbstractAutowireCapableBeanFactory.java:877)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:839)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1011)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1011)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:269)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:104)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1245)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1011)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:472)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:164)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:423)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:729)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:380)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:139)
    at org.springframework.context.support.ClassPathXmlApplicationContext.<init>(ClassPathXmlApplicationContext.java:94)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
    at org.springframework.beans.BeanUtils.instantiateClass(BeanUtils.java:100)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:87)
    at org.springframework.beans.factory.support.ConstructorResolver.autowireConstructor(ConstructorResolver.java:248)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.autowireConstructor(AbstractAutowireCapableBeanFactory.java:925)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:835)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:440)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory$1.run(AbstractAutowireCapableBeanFactory.java:409)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:380)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:264)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:261)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:185)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:168)
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:884)
    at org.springframework.beans.factory.access.SingletonBeanFactoryLocator.useBeanFactory(SingletonBeanFactoryLocator.java:397)
    at org.springframework.ejb.support.AbstractEnterpriseBean.loadBeanFactory(AbstractEnterpriseBean.java:118)
    at org.springframework.ejb.support.AbstractStatelessSessionBean.ejbCreate(AbstractStatelessSessionBean.java:66)
    at oracle.bpm.bpmn.engine.instancemanagement.ejb.InternalInstanceManagementServiceBean_c6peyo_Impl.ejbCreate(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethod(Jsr250Metadata.java:331)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethod(Jsr250Metadata.java:325)
    at com.oracle.pitchfork.inject.Jsr250Metadata.invokeLifecycleMethods(Jsr250Metadata.java:319)
    at com.oracle.pitchfork.intercept.InterceptionMetadata.invokeLifecycleMethods(InterceptionMetadata.java:469)
    at com.oracle.pitchfork.intercept.InterceptionMetadata$AdvisorChainProxyControl.invokeLifecycleMethod(InterceptionMetadata.java:417)
    at sun.reflect.GeneratedMethodAccessor946.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at com.bea.core.repackaged.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:310)
    at com.bea.core.repackaged.springframework.aop.support.DelegatingIntroductionInterceptor.invoke(DelegatingIntroductionInterceptor.java:106)
    at com.bea.core.repackaged.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
    at com.bea.core.repackaged.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)
    at com.sun.proxy.$Proxy241.invokeLifecycleMethod(Unknown Source)
    at weblogic.ejb.container.pool.StatelessSessionPool.createBean(StatelessSessionPool.java:212)
    at weblogic.ejb.container.pool.Pool.createInitialBeans(Pool.java:299)
    at weblogic.ejb.container.manager.StatelessManager.initializePool(StatelessManager.java:449)
    at weblogic.ejb.container.deployer.EJBDeployer.initializePools(EJBDeployer.java:1649)
    at weblogic.ejb.container.deployer.EJBDeployer.start(EJBDeployer.java:1479)
    at weblogic.ejb.container.deployer.EJBModule.start(EJBModule.java:616)
    at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:249)
    at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:427)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
    at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:28)
    at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:672)
    at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
    at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
    at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
    at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
    at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
    at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
    at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:52)
    at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
    at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:31)
    at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:240)
    at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:170)
    at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:124)
    at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:181)
    at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:97)
Any help would be apprreciated.
J

I was able to resolve it myself. I started the SOA managed server via the command scripts and it came up with no errors. Issue is more than likely with the server arguments I added in the Admin console. I will try this and it it does not work I will add further updates to ths thread.
J

I need a help to Configure the Encryption Key of btm

I have download OracleBTM_1of2.zip and I am trying to install it, so I am following this link
http://download.oracle.com/docs/cd/E11857_01/install.111/e20124/install.htm#sthref20
how can I do this ?
Configuring the Encryption Key
You must configure the encryption key on each application server that hosts a Business Transaction Management component. To configure the encryption key, create a Java system property named com.amberpoint.security.encryption.aes.defaultKey in the server and set its value to your encryption key, for example:
-Dcom.amberpoint.security.encryption.aes.defaultKey=MyEncryptionKey
where MyEncryptionKey is a base 64-encoded, AES, 128-bit key.
After generating your encryption key, you can copy and paste it in order to set the value of your com.amberpoint.security.encryption.aes.defaultKey property. If your key includes special characters, you should enclose it in double quotes, for example:
-Dcom.amberpoint.security.encryption.aes.defaultKey="oylJKoTGXTHasOYwtjwA7g=="
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

You use the command line tool btmcli under the 'tools' directory:
./btmcli.sh encryptpassword -password mypassword
ARECQVBBRVMCX2FwXzEyOAPKsNtwbzzI8j5g7u8UBV7qvp8QOnCA8Tj/ZJiSjqJa/w==

I need help to Configure the Encryption Key of btm

In order to monitor the osb 11g.
I have download OracleBTM_1of2.zip and I am trying to install it, so I am following this link
http://download.oracle.com/docs/cd/E11857_01/install.111/e20124/install.htm#sthref20
how can I do this ?
Configuring the Encryption Key
You must configure the encryption key on each application server that hosts a Business Transaction Management component. To configure the encryption key, create a Java system property named com.amberpoint.security.encryption.aes.defaultKey in the server and set its value to your encryption key, for example:
-Dcom.amberpoint.security.encryption.aes.defaultKey=MyEncryptionKey
where MyEncryptionKey is a base 64-encoded, AES, 128-bit key.
After generating your encryption key, you can copy and paste it in order to set the value of your com.amberpoint.security.encryption.aes.defaultKey property. If your key includes special characters, you should enclose it in double quotes, for example:
-Dcom.amberpoint.security.encryption.aes.defaultKey="oylJKoTGXTHasOYwtjwA7g=="

You use the command line tool btmcli under the 'tools' directory:
./btmcli.sh encryptpassword -password mypassword
ARECQVBBRVMCX2FwXzEyOAPKsNtwbzzI8j5g7u8UBV7qvp8QOnCA8Tj/ZJiSjqJa/w==

Can't start manager server on other machine from admin console

hi, m fredzh
i have weblogic 10.3.2 where i created a cluster named cluster1 on production mode
the machines and servers list as follow:
cluster1 192.168.1.100
--machine1
--server1 192.168.1.100
--machine2
-server2 192.168.1.101
i create nodemanager on machine2, and set the type as ssl, the listener address 192.168.1.101,
then login on 192.168.1.101, and run wlst.sh , nmEnroll and then start startNodemanaged.sh ..
start server2 on the admin console(on 192.168.1.100), failed and the log as follow:
can anbody help me, thank you..
==============================================================================
<Critical> <WebLogicServer> <localhost.localdomain> <managerServer2> <main> <<WLS Kernel>> <> <> <1286788326928> <BEA-000386> <Server subsystem failed. Reason: java.lang.AssertionError: java.lang.reflect.InvocationTargetException
java.lang.AssertionError: java.lang.reflect.InvocationTargetException
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:175)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:991)
at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential(SecurityConfigurationMBeanImpl.java:709)
at weblogic.security.internal.ServerPrincipalValidatorImpl.getSecret(ServerPrincipalValidatorImpl.java:88)
at weblogic.security.internal.ServerPrincipalValidatorImpl.sign(ServerPrincipalValidatorImpl.java:67)
at weblogic.security.service.PrivilegedActions$SignPrincipalAction.run(PrivilegedActions.java:62)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.security.service.SecurityServiceManager.createServerID(SecurityServiceManager.java:1098)
at weblogic.security.service.SecurityServiceManager.getServerID(SecurityServiceManager.java:1111)
at weblogic.security.service.SecurityServiceManager.sendASToWire(SecurityServiceManager.java:602)
at weblogic.server.channels.ChannelService.resetQOS(ChannelService.java:284)
at weblogic.server.channels.ChannelService.start(ChannelService.java:250)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:173)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:991)
at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential(SecurityConfigurationMBeanImpl.java:709)
at weblogic.security.internal.ServerPrincipalValidatorImpl.getSecret(ServerPrincipalValidatorImpl.java:88)
at weblogic.security.internal.ServerPrincipalValidatorImpl.sign(ServerPrincipalValidatorImpl.java:67)
at weblogic.security.service.PrivilegedActions$SignPrincipalAction.run(PrivilegedActions.java:62)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.security.service.SecurityServiceManager.createServerID(SecurityServiceManager.java:1098)
at weblogic.security.service.SecurityServiceManager.getServerID(SecurityServiceManager.java:1111)
at weblogic.security.service.SecurityServiceManager.sendASToWire(SecurityServiceManager.java:602)
at weblogic.server.channels.ChannelService.resetQOS(ChannelService.java:284)
at weblogic.server.channels.ChannelService.start(ChannelService.java:250)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused By: weblogic.security.internal.encryption.EncryptionServiceException: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptBytes(JSafeEncryptionServiceImpl.java:125)
at weblogic.security.internal.encryption.JSafeEncryptionServiceImpl.decryptString(JSafeEncryptionServiceImpl.java:173)
at weblogic.security.internal.encryption.ClearOrEncryptedService.decrypt(ClearOrEncryptedService.java:96)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy._invokeServiceMethod(DescriptorManager.java:173)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl$SecurityProxy.decrypt(DescriptorManager.java:192)
at weblogic.descriptor.DescriptorManager$SecurityServiceImpl.decrypt(DescriptorManager.java:114)
at weblogic.descriptor.internal.AbstractDescriptorBean._decrypt(AbstractDescriptorBean.java:991)
at weblogic.management.configuration.SecurityConfigurationMBeanImpl.getCredential(SecurityConfigurationMBeanImpl.java:709)
at weblogic.security.internal.ServerPrincipalValidatorImpl.getSecret(ServerPrincipalValidatorImpl.java:88)
at weblogic.security.internal.ServerPrincipalValidatorImpl.sign(ServerPrincipalValidatorImpl.java:67)
at weblogic.security.service.PrivilegedActions$SignPrincipalAction.run(PrivilegedActions.java:62)
at java.security.AccessController.doPrivileged(Native Method)
at weblogic.security.service.SecurityServiceManager.createServerID(SecurityServiceManager.java:1098)
at weblogic.security.service.SecurityServiceManager.getServerID(SecurityServiceManager.java:1111)
at weblogic.security.service.SecurityServiceManager.sendASToWire(SecurityServiceManager.java:602)
at weblogic.server.channels.ChannelService.resetQOS(ChannelService.java:284)
at weblogic.server.channels.ChannelService.start(ChannelService.java:250)
at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Edited by: fredzh on 2010-10-12 下午6:54

hi,Jay
i followed the steps as follow:
1、change prod mode to dev
2、modified the config.xml entrys on the all two servers:
<node-manager-password-encrypted>test</node-manager-password-encrypted>
<credential-encrypted>test</credential-encrypted>
<embedded-ldap>
<name>cluster_domain</name>
<credential-encrypted>test</credential-encrypted>
</embedded-ldap>
3、enrolled the node, then started the two adminservers, started server2's nodemanager..server2 can be started from the cluster admin console.
4、change the dev mode to prod mode on admin console, it failed throw error:
"in production mode, it's not allowed to set a clear text value to the property: CredentialEncrypted of SecurityConfigurationMBean"
i checked the config.xml ,the entrys i had changed were not aotomatically encrypted,may i manually encryp the clear text value? ..follow is the config.xml :
<?xml version='1.0' encoding='UTF-8'?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain" xmlns:sec="http://xmlns.oracle.com/weblogic/security" xmlns:wls="http://xmlns.oracle.com/weblogic/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.oracle.com/weblogic/security/xacml http://xmlns.oracle.com/weblogic/security/xacml/1.0/xacml.xsd http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator/1.0/passwordvalidator.xsd http://xmlns.oracle.com/weblogic/domain http://xmlns.oracle.com/weblogic/1.0/domain.xsd http://xmlns.oracle.com/weblogic/security http://xmlns.oracle.com/weblogic/1.0/security.xsd http://xmlns.oracle.com/weblogic/security/wls http://xmlns.oracle.com/weblogic/security/wls/1.0/wls.xsd">
<name>cluster_domain</name>
<domain-version>10.3.2.0</domain-version>
<security-configuration>
<name>cluster_domain</name>
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://xmlns.oracle.com/weblogic/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
<sec:password-validator xmlns:pas="http://xmlns.oracle.com/weblogic/security/providers/passwordvalidator" xsi:type="pas:system-password-validatorType">
<sec:name>SystemPasswordValidator</sec:name>
<pas:min-password-length>8</pas:min-password-length>
<pas:min-numeric-or-special-characters>1</pas:min-numeric-or-special-characters>
</sec:password-validator>
</realm>
<default-realm>myrealm</default-realm>
<anonymous-admin-lookup-enabled>false</anonymous-admin-lookup-enabled>
<credential-encrypted>test</credential-encrypted>
<web-app-files-case-insensitive>false</web-app-files-case-insensitive>
<compatibility-connection-filters-enabled>false</compatibility-connection-filters-enabled>
<node-manager-username>weblogic</node-manager-username>
<node-manager-password-encrypted>test</node-manager-password-encrypted>
<principal-equals-case-insensitive>false</principal-equals-case-insensitive>
<principal-equals-compare-dn-and-guid>false</principal-equals-compare-dn-and-guid>
<downgrade-untrusted-principals>false</downgrade-untrusted-principals>
<enforce-strict-url-pattern>true</enforce-strict-url-pattern>
<cross-domain-security-enabled>false</cross-domain-security-enabled>
</security-configuration>
<jta>
<security-interop-mode>default</security-interop-mode>
</jta>
<server>
<name>AdminServer</name>
<ssl>
<hostname-verifier xsi:nil="true"></hostname-verifier>
<hostname-verification-ignored>true</hostname-verification-ignored>
<export-key-lifespan>500</export-key-lifespan>
<client-certificate-enforced>false</client-certificate-enforced>
<two-way-ssl-enabled>false</two-way-ssl-enabled>
<ssl-rejection-logging-enabled>true</ssl-rejection-logging-enabled>
<inbound-certificate-validation>BuiltinSSLValidationOnly</inbound-certificate-validation>
<outbound-certificate-validation>BuiltinSSLValidationOnly</outbound-certificate-validation>
<allow-unencrypted-null-cipher>false</allow-unencrypted-null-cipher>
<use-server-certs>false</use-server-certs>
</ssl>
<listen-port>7110</listen-port>
<listen-address></listen-address>
</server>
<server>
<name>server2</name>
<machine>machine2</machine>
<listen-port>7110</listen-port>
<listen-address>192.168.1.101</listen-address>
<server-start>
<java-vendor>Sun</java-vendor>
<java-home>/opt/jdk1.6.0_21</java-home>
<bea-home>/root/Oracle/Middleware</bea-home>
<root-directory>/root/Oracle/Middleware/user_projects/domains/cluster_domain</root-directory>
<username>weblogic</username>
<password-encrypted>{AES}xhSI75AxXtXdMrCXRgA2uY5pfcxUGE9X4YXTjfe1XEY=</password-encrypted>
</server-start>
</server>
<embedded-ldap>
<name>cluster_domain</name>
<credential-encrypted>test</credential-encrypted>
</embedded-ldap>
<configuration-version>10.3.2.0</configuration-version>
<machine xsi:type="unix-machineType">
<name>machine2</name>
<node-manager>
<nm-type>SSL</nm-type>
<listen-address>192.168.1.101</listen-address>
<listen-port>5556</listen-port>
<debug-enabled>false</debug-enabled>
</node-manager>
</machine>
<admin-server-name>AdminServer</admin-server-name>
</domain>
Edited by: fredzh on 2010-10-13 下午7:57

Migrate osb deployment from Admin Server to Managed Server

Hi,
I had create the OSB Development environment.
Configuration was such that OSB was deployed to Admin Server.
However, I have a new requirement, wish to deploy OSB to a Managed Server and no longer Admin Server, to reduce the load on Admin Server and for future high availability plans.
I have created a Managed Server for OSB deployment. I was of the opinion that I should just simply use the console for deploying OSB to the newly created Managed Server.
However, I seemed to have missed some steps and therefore OSB was not working.
Kindly help me.
Lammeki

bobm53 wrote:
Hi,
look at this:
http://www.oracle.com/technetwork/database/migration/sqlserver-095136.html
About expected results from such db migration, I can only say that because all IDM objects (forms, wf, customizations etc) are stored on its waveset db, at the end of db migration, you should have same functionalities. Obviously you need to change (with lhconsole) the db iDM should refer to. This information is stored in a special (encrypted) xml file.
HTHAnd don't forget that you also need to replace your JDBC driver (jar file) with the oracle JDBC driver and ensure it is in the classpath that LH and the appserver need.

Issue with installing second Service Manager server

We decided to install a second SM server to use as a test following the KB from MS below:
http://technet.microsoft.com/en-us/library/dn520899.aspx
We later found out that this install process had some issues and we needed a hotfix from MS to resolve it. The hotfix is basically a whole new installer MSI. MS had me uninstall SM and then reinstall using the MSI they gave me.
I am not getting the following error trying to do the install
Install Services
An error occurred while executing a custom action:_CreateMOMRegKey.
The upgrade attempt has failed before permanent modifications were made.
Upgrade has successfully rolled back to the original state of the syste. Once
the corrections are made, you can retry upgrade for this role.
The install rolls back and thats it. MS has been somewhat helpful but we still haven't gotten it resolved. Anyone else try installing this hotfix version of SM and run into the same issue?
The KB that refers to the replacement MSI is
KB2862620.

among other things, _CreateMOMRegKey creates registry keys related to ops manager and service manager. This is a common error with a management server reinstall, since these keys are not removed by an uninstall, and the creation method apparently does
not handle the case where they already exists. Consider
this thread.
The long and short of it is that you will probably need to remove the registry keys [HKLM\Software\Microsoft\Microsoft Operations Manager] and [HKLM\Software\Microsoft\System Center] as well as restore your management server's encryption key from the backup
you made after installing the first time.

SP2010 Secure Store Encryption Key Must Be Refreshed After Reboots

We use a Secure Store Service Application for several external connections. All else appears normal, however, we frequently find that the master encryption key requires a manual refresh. In the meantime, the secure store service application is
non-functional, and of course so is everything beyond it, for users.
The issue has been occurring since we set SSSA up months ago. It's been difficult to pinpoint exactly the types of actions that produce this state. It appears common that a reboot of the SharePoint server (all-inclusive, one server in farm, SQL
services elsewhere on different server) triggers the need for a key refresh. We have reproduced the issue each of the past two nights, with scheduled reboots.
When in Central Administration, the Secure Store Service Application page shows "Unable to obtain master key".
If we try to access a data connection beyond the SSSA, Windows logs receive a few events:
Windows Application log shows Event ID 7522 from Secure Store, saying "[...] encountered a failure while restoring the encryption key. The error returned was: 'Exception of type 'Microsoft.Office.SecureStoreService.Server.KeyManagement.InvalidMasterKeyException'
was thrown.'."
Another event, ID 7535 is also thrown: "[...] failed to retrieve the master secret key. The error returned was: 'Unable to obtain master key.'"
Any help or insight is greatly appreciated!

Hi John,
After you create the Secure Store service application and the proxy, you have to refresh the encryption key.Here is the steps to refresh the encryption key:
1.On the Central Administration home page, in the Application Management section, click
Manage service applications.
2.Click the Secure Store service application.
3.In the Key Management group, click Refresh Key.
4.In the Pass Phrase box, type the pass phrase that you first used to generate the encryption key.
This phrase is either the pass phrase that you used when you initialized the Secure Store Service service application or one that you used when you created a new key by using the
Generate a New Key command.
5.Click OK.
Thanks,
Eric
Forum Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Eric Tao
TechNet Community Support

Managing Server Encryption Keys in IDM 8.1

Similar Messages

Maybe you are looking for