Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede

  • 7025202
  • 21-Jul-2021
  • 29-Jul-2021

Environment

Advanced Authentication 6.3.5

Situation

Errors when attempting to log in to the new enrollment portal
OAuth/OpenID event failures
SAML event failure

The issue appears after the following sequence:
  • Installed a new AAF server with the 6.3.0 download
  • Logged in to the appliance 9443 console
  • Registered the new appliance
  • Applied all latest patches and updates to bring the server to version 6.3.5

After the update, one or more of the following symptoms are seen:
  • New Enrollment portal displays errors indicating that the name or service cannot be found
  • Web Auth logs report an error - No such file or directory
  • Logs display error message:
    Log Data: Failed to start: Tenant[Bootstrap Authentication (id=bootstrap)]: internal.osp.framework.exception.OSPKeyStoreUnavailableException: Unable to read key store: /usr/local/tomcat/conf/osp-bootstrap-keystore.ks
             =>java.security.KeyStoreException: Key protection  algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
             =>java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
             =>java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
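To confirm that a start-up failure in a log matches this article rather than some other key store problem, the "=>" cause chain can be parsed down to its root exception. The following is an added example, not vendor code; the function names are hypothetical and the sample input is the log excerpt quoted above.

```python
import re

# Log excerpt quoted in this article, embedded as sample input.
SAMPLE_LOG = """\
Log Data: Failed to start: Tenant[Bootstrap Authentication (id=bootstrap)]: internal.osp.framework.exception.OSPKeyStoreUnavailableException: Unable to read key store: /usr/local/tomcat/conf/osp-bootstrap-keystore.ks
         =>java.security.KeyStoreException: Key protection  algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
         =>java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
         =>java.security.NoSuchAlgorithmException: unrecognized algorithm name: PBEWithSHA1AndDESede
"""

HEAD = re.compile(r"Failed to start: Tenant\[(?P<tenant>.*?)\]: (?P<exc>[\w.$]+): (?P<msg>.*)")
CAUSE = re.compile(r"^\s*=>(?P<exc>[\w.$]+): (?P<msg>.*)$")
KEYSTORE = re.compile(r"Unable to read key store: (?P<path>\S+)")
ALGO = re.compile(r"unrecognized algorithm name: (?P<algo>\S+)")

def parse_failures(log_text):
    """Return one dict per 'Failed to start' entry, with its '=>' cause chain."""
    failures, current = [], None
    for line in log_text.splitlines():
        head = HEAD.search(line)
        if head:
            ks = KEYSTORE.search(head["msg"])
            current = {"tenant": head["tenant"], "keystore": ks["path"] if ks else None,
                       "chain": [head["exc"]], "algorithm": None}
            failures.append(current)
            continue
        cause = CAUSE.match(line)
        if cause and current is not None:
            current["chain"].append(cause["exc"])
            algo = ALGO.search(cause["msg"])
            if algo:
                current["algorithm"] = algo["algo"]
        elif line.strip():
            current = None  # an unrelated line ends the current cause chain
    return failures

def matches_article(failure):
    """True when the entry carries the signature described in this article."""
    return (failure["chain"][0].endswith("OSPKeyStoreUnavailableException")
            and failure["chain"][-1] == "java.security.NoSuchAlgorithmException"
            and failure["algorithm"] == "PBEWithSHA1AndDESede")

if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f["tenant"], f["keystore"], " -> ".join(f["chain"]), matches_article(f))
```

A key store failure whose root cause is something other than the unrecognized PBEWithSHA1AndDESede algorithm does not match and needs separate troubleshooting.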

Resolution

This issue can be resolved by installing new servers using the following steps:
  • Install a new AAF server with the 6.3.0 download
  • Log in to the Admin portal and configure the server
  • Register the new appliance
  • Apply all latest patches

Cause

This issue occurs during the upgrade process when no AAF configuration is found. If the AAF server is configured before it is upgraded to 6.3.5, the issue does not occur.
This upgrade issue will be resolved when version 6.3.5.1 or later is released.

Additional Information

Notes:
  • After upgrading a server and restarting, it is normal for the server to take up to 5 minutes before it is completely functional. This delay is required to completely load and initialize the new server configuration.
  • The new enrollment portal is enabled in the admin portal under the enrollment policy.