WSO2 IS userstore encryption of Property=password failed error - wso2

At IS startup, the following error is logged by WSO2 IS.
TID: [-1234] [Framework Event Dispatcher: Equinox Container: d811a5a1-f0c4-4281-a1db-ce17d0928da4] ERROR {org.wso2.carbon.user.core.config.UserStoreConfigXMLProcessor} - [] encryption of Property=password failed
org.bouncycastle.jcajce.provider.util.BadBlockException: unable to decrypt block
at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.getOutput(Unknown Source) ~[bcprov-jdk15on-1.70.jar:1.70.0]
at org.bouncycastle.jcajce.provider.asymmetric.rsa.CipherSpi.engineDoFinal(Unknown Source) ~[bcprov-jdk15on-1.70.jar:1.70.0]
at javax.crypto.Cipher.doFinal(Cipher.java:2164) ~[?:1.8.0_191]
at org.wso2.carbon.user.core.config.UserStoreConfigXMLProcessor.decryptProperty(UserStoreConfigXMLProcessor.java:469) ~[org.wso2.carbon.user.core_4.6.0.87.jar:?]
at org.wso2.carbon.user.core.config.UserStoreConfigXMLProcessor.resolveEncryption(UserStoreConfigXMLProcessor.java:338) [org.wso2.carbon.user.core_4.6.0.87.jar:?]
...
The error log says that the password is not encrypted. So what are the steps that can be followed to fix this issue?

To fix this issue, follow the steps given below.
1st scenario (for JDBC user stores)
First, check whether the erroneous user store is mentioned in the wso2carbon.log file.
If so, go to <IS_HOME>/repository/deployment/server/userstores and open the user store .xml file.
Then find <Property name="password">****</Property>. This might even contain an extra attribute like encrypted="true". Here you will find the encrypted password.
Then change it to the following and save: <Property name="password" encrypted="false">the non-encrypted password</Property>
Make sure to add the non-encrypted password between <Property name="password">...</Property> with encrypted set to false.
Then check the wso2carbon.log to see whether it is still giving an error. If not, the issue is fixed.
2nd scenario
The .xml file change did not work.
Then start the Management Console, go to user stores, list the user stores and update the password there (type the non-encrypted password).
Then check the wso2carbon.log to see whether it is still giving an error. If not, the issue is fixed.
3rd scenario
The issue is still there even if the user store mentioned in the wso2carbon.log is gone after following the 1st and 2nd scenarios.
Then open the Management Console and list the user stores to check whether all the user stores are there.
If there is a user store missing, then the error is related to that one and not the one mentioned in the wso2carbon.log; the wso2carbon.log only shows a log entry for the last user store.
Then follow the steps in scenario 2 to update the password of the user store that is not getting listed.
4th scenario
Scenarios 1 and 2 didn't work and all the user stores are getting listed in the Management Console.
Then go to Users and Roles and list the user stores there. If a user store is not getting listed there, then the issue is related to that one.
Then follow the steps in scenario 2 to fix it.
5th scenario
There is no <Property name="password">***</Property> in the .xml file.
Then the user store related to that .xml file can be an LDAP or AD.
Try finding <Property name="ConnectionPassword">****</Property> in the .xml file and follow the steps from scenarios 1 to 4.
If none of the scenarios work and there is a custom user store in action, get the source code of that user store and debug it.
Even if there is a custom user store in action, the above-mentioned steps should help to narrow down the issue.
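The checks from scenarios 1, 3 and 5 above as a small script (an added example, not WSO2's own code or the answerer's): it scans every user store .xml under the userstores directory, reports which property holds the secret (password for JDBC, ConnectionPassword for LDAP/AD) and what its encrypted flag says, and can rewrite one file the way the answer describes. The directory layout is assumed from the answer; the sample XML and its ciphertext are constructed.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Property names the answer walks through: JDBC stores first, then LDAP/AD.
PASSWORD_PROPS = ("password", "ConnectionPassword")

def find_password_property(root):
    """Return the <Property> element that holds the user-store secret, or None."""
    for prop in root.iter("Property"):
        if prop.get("name") in PASSWORD_PROPS:
            return prop
    return None

def audit_userstore(xml_text):
    """Report which property holds the secret and what its encrypted flag says.
    'encrypted' is the raw attribute: 'true', 'false' or None when absent."""
    prop = find_password_property(ET.fromstring(xml_text))
    if prop is None:
        return {"property": None, "encrypted": None, "value": None}
    return {"property": prop.get("name"), "encrypted": prop.get("encrypted"),
            "value": prop.text}

def set_plaintext_password(xml_text, plaintext):
    """Apply the answer's fix: mark the property encrypted="false" and put the
    plaintext in it. Returns the rewritten XML; the caller writes it back and
    then re-checks wso2carbon.log, as the answer describes."""
    root = ET.fromstring(xml_text)
    prop = find_password_property(root)
    if prop is None:
        raise ValueError("no password/ConnectionPassword property (scenario 5)")
    prop.set("encrypted", "false")
    prop.text = plaintext
    return ET.tostring(root, encoding="unicode")

def audit_directory(userstores_dir):
    """Audit every .xml in the userstores directory. The log names only the
    last store it failed on (scenario 3), so scan all of them."""
    return {p.name: audit_userstore(p.read_text(encoding="utf-8"))
            for p in sorted(Path(userstores_dir).glob("*.xml"))}

# Constructed sample (not a real store): the ciphertext is a dummy base64 string.
SAMPLE_JDBC = """<UserStoreManager>
  <Property name="userName">wso2user</Property>
  <Property name="password" encrypted="true">QUJDREVGR0hJSktM</Property>
</UserStoreManager>"""
```

Run audit_directory("<IS_HOME>/repository/deployment/server/userstores") to see every store at once instead of only the one the log happens to name.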

Related

WSO2 password policy error when creating user in multitenancy scenario

I'm evaluating WSO2 5.3.0 so I installed the product on premises. Inside the Super Tenant, I created a sub-tenant TA.
When connecting to TA with the admin associated with it, I try to create users. It always fails with the error:
Could not add user PRIMARY/jfo. Error is: Password pattern policy violated. Password should contain a digit[0-9], a lower case letter[a-z], an upper case letter[A-Z], one of !##$%&* characters
In fact it seems that this is a password policy issue, because if I set "admin" as the password the error is:
Could not add user PRIMARY/JFO. Error is: Password at least should have 6 characters
But it does not work even with "Admin123!" as the password value for the account. From my checks:
- Password policy is not accessible (nothing is displayed) in TA when I go to Identity Provider/Resident.
- Password policy is not activated in the Super Tenant, and this is validated as I can create users with the password "admin" with no issue or warning.
- All other parameters are set to the OOTB value.
Does anyone have an idea?
Thanks
JF
It seems that it was an error at the creation of my first tenant, because the Identity Provider / Persistent pane is empty on the faulty tenant. It prevents me from accessing the Password Policies pane, for example.
Deleting the faulty tenant and recreating it solved the problem. On the other hand, I did not get any reason or source of the faulty creation.

Error in WSO2 claims configuration with LDAP(Active directory)

We have done WSO2 IS configurations with multiple LDAPs for multiple clients successfully before. This time, with a new client, we are getting an error as shown in the image: "Error occured while getting all user claims for ... in carbon.super."
The case is that we have created a service and mapped custom claims to LDAP. The issue is with a field mapped to the http://wso2.org/claims/role attribute. If we remove this attribute from the custom claims, the error goes away.
But we are using roles in business logic (internal roles created in WSO2), which we get as null if we remove this attribute.
We want to know the solution. Is some change required on the LDAP side? Or how can we get the roles without mapping them as a claim with LDAP?

WSO2 -> Active Directory -> user - role mapping

I use WSO2 5.0.0 as IdP and the user store is an Active Directory (AD). Users and roles are listed in the WSO2 Management Console and I'm also able to log in to WSO2 with a user/password stored in AD.
Therefore everything works fine.
The only problem I have is that if I request the roles of users (e.g. over the RemoteUserStoreManagement web service with the method getUserClaimValues), then I get the WSO2 roles and not the Active Directory roles assigned to the users in AD. Also, only the WSO2 roles are mapped to users in WSO2.
Actually I have only basic knowledge of AD (I haven't adjusted the current connection between WSO2 and AD), therefore I have no idea where I should look in order to resolve this problem.
Has anybody a hint concerning this issue (user-mgt.xml or WSO2 console or ...)?
Thanks a lot for help!
So, you need to retrieve the roles of the user? According to what you have mentioned, please do the following to resolve this issue.
Please add the following attributes under the user store manager configuration in the user-mgt.xml file, if they are not already in the configuration.
<Property name="BackLinksEnabled">true</Property>
<Property name="MemberOfAttribute">memberOf</Property>
Please restart the server and verify.
Please enable the debug logs in the user kernel and verify where the issue is being generated.
To enable logs:
Locate the log4j.properties file, which can be found in the /repository/conf directory.
Add the following entry to the file:
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
Restart the server and try invoking it. You should see LDAP-related logs, which will help to identify the issue.

WSO2 Identity Server: Storing user password as PlainText

I am creating a user using UserInformationRecoveryServiceStub, but the identity store saves the user password as plain text, although user-mgt.xml has SHA.
I think this must be due to a configuration issue defined here. Could you please try to change the configuration as follows, i.e. with a capital P, and restart the server? Then try to create a new user and see.
<Property name="PasswordHashMethod">SHA</Property>

Unable to connect to Siebel Thick Client

I am unable to connect to the Thick Client.
I am getting the below-mentioned error:
"The User ID or Password that u entered is incorrect".
But I am sure that the User ID and Password are correct, because I use the same credentials to log into my thin client.
Siebel always shows that error message if anything goes wrong while authenticating the user. Anything may be:
Wrong username or password.
Database not available.
SRF file is corrupted.
SRF file is out of date (especially if there have been any changes to the tables and those changes are not compiled into your SRF).
CFG file is not properly configured.
Custom code on ApplicationStart produces an exception.
...
It doesn't matter what the problem is; Siebel will always tell you that the username/password is wrong.
You may find out what your actual problem is by checking the latest siebel.log file, which should be placed in .../Client/log/, unless you changed its location.
As an alternative, you can keep re-entering your username and password. Siebel gives you 3 attempts to enter your credentials. The first 2 will show the "wrong password" message; however, the third and last attempt will show you the actual problem instead. At least, that's how it works in Siebel 7.8.
Anyway, it's better to just check the log file, since it will contain more information.
First check your password. Connect to the database. Now test the connection with the thick client ODBC to see if you are able to connect successfully. If this works, then delete the local .spf file of the user and also delete the diccache.dat file created in the bin directory.
Then try to log in. This resolved my issue.
You can refer to Oracle support as well if this issue is reproduced for you.
https://support.oracle.com/epmos/faces/SearchDocDisplay?_adf.ctrl-state=ntde4ixli_1004&_afrLoop=479412795573402