Edge Proxy Startup Fails Due to Keystore, Certificate, and/or "Given final block not properly padded" Error

Issue

The Edge Encryption Proxy fails to start and one of the following errors appears in $proxy_installation_location/logs/edgeencryption.log:

    2018-03-07 07:39:45,611 ERROR Error occured during proxy startup: Error reading keystore file keystore.jceks: Keystore was tampered with, or password was incorrect

    2018-03-07 07:40:20,834 ERROR Error occured during proxy startup: Unable to resolve certificate for <certificate alias name>. Ensure that the certificate alias exists and its password is the same as that of its keystore.

    2018-03-07 07:22:38,085 ERROR Error occured during proxy startup: Failed to read the certificate: <certificate alias name>

    2018-03-07 09:04:50,925 ERROR Error occured during proxy startup
    java.security.UnrecoverableKeyException: Given final block not properly padded
        at com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:187)
        at com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:129)
        at java.security.KeyStore.getKey(Unknown Source)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
        at javax.net.ssl.KeyManagerFactory.init(Unknown Source)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1067)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:300)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:220)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:268)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at org.eclipse.jetty.server.Server.doStart(Server.java:401)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
        at com.snc.edgeencryption.proxy.CloudEdgeProxyServer.start(CloudEdgeProxyServer.java:221)
        at com.snc.edgeencryption.CloudEdge.start(CloudEdge.java:155)
        at com.snc.edgeencryption.Main.main(Main.java:30)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.tanukisoftware.wrapper.WrapperSimpleApp.run(WrapperSimpleApp.java:240)
        at java.lang.Thread.run(Unknown Source)

Cause

Any of the above errors results when one of the keys (aliases) in the Edge Proxy keystore file has a different password from the keystore itself.

Resolution

As stated in the Edge Encryption documentation:
https://docs.servicenow.com/csh?topicname=t_SetUpSecureSSLConnection.html&version=latest

    Make sure that the private key password is the same as the Java KeyStore password.

This means that the passwords for all of the keystore's keys (aliases) must match the keystore's password.

For example, suppose there are two SSL keys called ssl_alias1 and ssl_alias2 in the keystore, and edgeencryption.properties is configured as follows:

    edgeencryption.proxy.https.keystore.path = keystore/keystore.jceks
    edgeencryption.proxy.https.keystore.password = alias2
    edgeencryption.proxy.https.cert.alias = ssl_alias2

You have pointed the proxy at the ssl_alias2 key (alias) for SSL and supplied ssl_alias2's correct password, which is alias2. Both the alias and the password are correct in the edgeencryption.properties file, but if the password of the ssl_alias1 key (alias) and of the keystore is changeme, you will see one of the errors listed above.

For this to work, wherever there is a mismatch in the keystore file, you must change the passwords of all of the keys (aliases) and of the keystore so that they are the same.

This can be done using the Java keytool; refer to the Java keytool documentation:
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html

Remember the rule: all keys in a keystore should have the same password as the keystore.

Example of how to change the keystore password using keytool (the keystore is called keystore.jceks):

    $ keytool -storepasswd -keystore keystore.jceks -storetype jceks
    Enter keystore password: changeme
    New keystore password: changemenew
    Re-enter new keystore password: changemenew

Example of how to change the key (alias) password using keytool (the keystore is called keystore.jceks, the key (alias) is called ssl_alias2):

    $ keytool -keypasswd -keystore keystore.jceks -alias ssl_alias2 -storetype jceks
    Enter keystore password: changemenew
    Enter key password for <ssl_alias2>: alias2
    New key password for <ssl_alias2>: changemenew
    Re-enter new key password for <ssl_alias2>: changemenew