IBM Support

How to resolve Crypto and Cryptox (Encryption) keys mismatch error during Manage Activation

How To


Summary

How to resolve Crypto and Cryptox keys mismatch error during Manage Activation.

Objective

How to correct a Crypto and Cryptox (encryption) keys mismatch that occurs:
  • when maxinst is rerun manually after the initial activation of Manage has completed.
  • when keys are either incorrect or missing from the maximo.properties file, encryptionsecret, or encryptionsecret-operator.
  • when the old encryption keys do not match the new keys stored in the database.
In these cases, the following error is seen:
Reencrypt:status:failure: MXE_SECURITY_OLD_CRYPTO_KEY & MXE_SECURITY_OLD_CRYPTOX_KEY does not match what the database uses.
This error can be seen in either of these places:
  • MAS Suite Administration > Applications > Manage > workspace details
  • Red Hat OpenShift > CustomResourceDefinitions > ManageWorkspace > Instance > Conditions
If you run the validatecryptokey.sh script from Manage instance > maxinst pod > terminal, its output or log shows a system#major exception with the error BMXAA6819I - ValidateCryptoKey completed with errors.

Steps

MAS 8.8.x with Manage 8.4.x and above:
  • One way to resolve this problem is to run resetcryptocryptox.sh from Manage instance > maxinst pod > terminal. When the script runs, it produces output like the following:
sh-4.4$ ./resetcryptocryptox.sh
Wed May 10 13:54:57 GMT 2023 --- Starting ----
BMXAA6806I - Reading the properties file maximo.properties.
Instance of psdi.tools.ResetCryptoCryptox
BMXAA6818I - ResetCryptoCryptox started for schema dbo, connected to database jdbc:sqlserver://xxxxxx.fyre.ibm.com:1433;databaseName=xxxxxx;encrypt=false; Wed May 10 04:44:19 GMT 2023
Updating CRYPTOX: MAXUSER.ESIGPASS Wed May 10 04:44:19 GMT 2023
Skipping required CRYPTOX records MAXUSER.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: CRONTASKPARAM.CRYPTOVALUE Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: DDUSERAUTH.KEYID Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: DMPKGDSTTRGT.PASSWORD Wed May 10 04:44:20 GMT 2023
Skipping required CRYPTO records for INBOUNDCOMMCFG.EMAILPASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: INBOUNDCOMMCFG.OAUTHACCESSTOKEN Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: INBOUNDCOMMCFG.OAUTHCLIENTID Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: INBOUNDCOMMCFG.OAUTHCLIENTSECRET Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: INBOUNDCOMMCFG.OAUTHREFRESHTOKEN Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXENDPOINTDTL.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXINTMAPPINGDETAIL.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXOAUTHCLIENT.ACCESSTOKEN Wed May 10 04:44:20 GMT 2023
Skipping required CRYPTO records for MAXOAUTHCLIENT.CLIENTSECRET Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXOAUTHCLIENT.REFRESHTOKEN Wed May 10 04:44:20 GMT 2023
Resetting property mxe.adminPasswd Wed May 10 04:44:20 GMT 2023
Resetting property mxe.system.regpassword Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXPROPVALUE.ENCRYPTEDVALUE Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXPUSHPROVIDERDEVTYPE.APNCERTIFICATEPASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXPUSHPROVIDERDEVTYPE.IPNAPIKEY Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXPUSHPROVIDERDEVTYPE.IPNCLIENTSECRET Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXQUEUE.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXQUEUE.PROVIDERPASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MAXUSER.PWHINTANSWER Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MSGHUBPROVIDERCFG.PROPENCVALUE Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: MXODMAPP.OPTSNDBPASSWORD Wed May 10 04:44:20 GMT 2023
Skipping required CRYPTO records for REPORTDSPARAM.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: WEATHERENDPOINT.PASSWORD Wed May 10 04:44:20 GMT 2023
Updating CRYPTO: WEATHERORG.CLIENTSECRET Wed May 10 04:44:20 GMT 2023
Deleting APIKEYTOKEN rows  Wed May 10 04:44:20 GMT 2023
BMXAA6820I - ResetCryptoCryptox completed without errors. Wed May 10 04:44:20 GMT 2023
To validate the crypto key, run the validatecryptokey.sh script from the same location. The validation is complete when the script finishes with no error or exception.
sh-4.4$ ./validatecryptokey.sh
Thu May 10 04:45:28 GMT 2023 --- Starting ----
BMXAA6806I - Reading the properties file maximo.properties.
Instance of psdi.tools.ValidateCryptoKey
18 May 2023 04:45:35:978 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP mxe.db.DB2sslConnection could not be cached.  No value for the property was found.
18 May 2023 04:45:35:992 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP mxe.db.DB2sslTrustStoreLocation could not be cached.  No value for the property was found.
18 May 2023 04:45:35:995 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP mxe.db.DB2sslTrustStorePassword could not be cached.  No value for the property was found.
18 May 2023 04:45:37:627 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP mxe.externaleam.url could not be cached.  No value for the property was found.
18 May 2023 04:45:37:631 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP mxe.externaleam.apikey could not be cached.  No value for the property was found.
18 May 2023 04:45:37:814 [WARN ] [maximo] BMXAA6423W - The value for MAXPROP maximo.mobile.statusforphysicalsignature could not be cached.  No value for the property was found.
BMXAA6818I - ValidateCryptoKey started for schema MAXIMO, connected to database jdbc:sqlserver://xxxxxx.fyre.ibm.com:1433;databaseName=xxxxxx;encrypt=false; Thu May 10 04:45:38 GMT 2023
BMXAA6818I - ValidateCryptoKey started for schema MAXIMO, connected to database jdbc:sqlserver://mxossql-1.fyre.ibm.com:1433;databaseName=support1mx2;encrypt=false; Thu May 10 04:45:38 GMT 2023
...... Start to validate CRYPTO...... with key yR*****ku Thu May 10 04:45:38 GMT 2023
...... Start to validate CRYPTO...... with key yR*****ku Thu May 10 04:45:38 GMT 2023
New crypto =    yREMnlPQSdgNZLbzbtGQeEku   true Thu May 10 04:45:38 GMT 2023
New crypto =    yREMnlPQSdgNZLbzbtGQeEku   true Thu May 10 04:45:38 GMT 2023
Validating CRONTASKPARAM.CRYPTOVALUE Thu May 10 04:45:38 GMT 2023
Validating CRONTASKPARAM.CRYPTOVALUE Thu May 10 04:45:38 GMT 2023
Validating DDUSERAUTH.KEYID Thu May 10 04:45:39 GMT 2023
Validating DDUSERAUTH.KEYID Thu May 10 04:45:39 GMT 2023
Validating DMPKGDSTTRGT.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating DMPKGDSTTRGT.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.EMAILPASSWORD Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.EMAILPASSWORD Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHACCESSTOKEN Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHACCESSTOKEN Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHCLIENTID Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHCLIENTID Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHCLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHCLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHREFRESHTOKEN Thu May 10 04:45:39 GMT 2023
Validating INBOUNDCOMMCFG.OAUTHREFRESHTOKEN Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.CLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.CLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.GEOMSERVTOKENPWD Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.GEOMSERVTOKENPWD Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.PRINTSRVTOKENPWD Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.PRINTSRVTOKENPWD Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.SPATIALTOKENPSWD Thu May 10 04:45:39 GMT 2023
Validating MAPMANAGER.SPATIALTOKENPSWD Thu May 10 04:45:39 GMT 2023
Validating MAXENDPOINTDTL.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating MAXENDPOINTDTL.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating MAXINTMAPPINGDETAIL.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating MAXINTMAPPINGDETAIL.PASSWORD Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.ACCESSTOKEN Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.ACCESSTOKEN Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.CLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.CLIENTSECRET Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.REFRESHTOKEN Thu May 10 04:45:39 GMT 2023
Validating MAXOAUTHCLIENT.REFRESHTOKEN Thu May 10 04:45:39 GMT 2023
Validating MAXPROPVALUE.ENCRYPTEDVALUE Thu May 10 04:45:39 GMT 2023
Validating MAXPROPVALUE.ENCRYPTEDVALUE Thu May 10 04:45:39 GMT 2023
BMXAA6820I - ValidateCryptoKey completed without errors. Thu May 10 04:45:39 GMT 2023
BMXAA6820I - ValidateCryptoKey completed without errors. Thu May 10 04:45:39 GMT 2023
Once ./resetcryptocryptox.sh completes without any error, the maxinst pod picks up from where it stopped earlier and completes the updatedb process. Later, the run-db.log and run_db_completed.log show that the updatedb process completed. After this, Manage workspace reconciliation runs again and rebuilds and redeploys the application.
  • Another way is to copy the existing unencrypted Crypto and Cryptox key values from the maximo.properties file and add them in MAS. The fields are found under Suite Administration > Applications > Manage > Actions > Update Configuration > Advanced Settings > Database > Encryption Secret (optional). Enter the values there and then click Activate.
The old crypto and cryptox key values are kept the same as the existing unencrypted crypto and cryptox key values. Clicking Activate runs Manage workspace reconciliation again and rebuilds and redeploys the application.
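The following is an added example, not IBM's code: a small shell helper for triaging a saved copy of the resetcryptocryptox.sh or validatecryptokey.sh output using the message codes quoted on this page (BMXAA6819I, BMXAA6820I), and for masking the key that the validation output prints on its "New crypto =" line before the log is shared. The function names, the sample log and the key value in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: triage a saved log from resetcryptocryptox.sh or validatecryptokey.sh.

# Mask the value on "New crypto = <key> true" lines, keeping two characters at
# each end (the shape the tool itself prints in "with key yR*****ku").
redact_keys() {
  sed -E 's/^(New crypto =[[:space:]]+)([^[:space:]]{2})[^[:space:]]*([^[:space:]]{2})([[:space:]])/\1\2*****\3\4/'
}

# Print ok / failed / incomplete and return 0 / 1 / 2.
# failed: BMXAA6819I, the Reencrypt failure status, or any exception line.
# ok: BMXAA6820I present and none of the failure markers.
crypto_status() {
  local log=$1
  if grep -Eqi 'BMXAA6819I|Reencrypt:status:failure|exception' "$log"; then
    echo failed; return 1
  elif grep -q 'BMXAA6820I' "$log"; then
    echo ok; return 0
  fi
  echo incomplete; return 2
}

# List TABLE.COLUMN names from "Skipping required CRYPTO/CRYPTOX records" lines.
skipped_columns() {
  sed -nE 's/^Skipping required CRYPTOX? records (for )?([A-Z0-9_]+\.[A-Z0-9_]+) .*/\2/p' "$1"
}

# Constructed sample in the format shown above; the key value is made up.
sample_log() {
  cat <<'EOF'
BMXAA6818I - ResetCryptoCryptox started for schema dbo
Updating CRYPTOX: MAXUSER.ESIGPASS Wed May 10 04:44:19 GMT 2023
Skipping required CRYPTOX records MAXUSER.PASSWORD Wed May 10 04:44:20 GMT 2023
Skipping required CRYPTO records for REPORTDSPARAM.PASSWORD Wed May 10 04:44:20 GMT 2023
New crypto =    EXAMPLEKEY0000000000demo   true Thu May 10 04:45:38 GMT 2023
BMXAA6820I - ResetCryptoCryptox completed without errors. Wed May 10 04:44:20 GMT 2023
EOF
}

# Demo on the constructed sample: redact first, then report on the redacted copy.
tmp=$(mktemp)
sample_log | redact_keys > "$tmp"
echo "status: $(crypto_status "$tmp")"
echo "skipped columns:"; skipped_columns "$tmp"
rm -f "$tmp"
```

Redacting before the log is written to disk keeps the key out of any copy that is later attached to a support case or ticket.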
MAS 8.7.x with Manage 8.3.x and below:
MAS 8.7 and earlier versions have no ./resetcryptocryptox.sh script, so use the second method described above to resolve the issue for this Manage version.
Note:
  • In any version, avoid adding MXE_SECURITY_OLD_CRYPTO_KEY and MXE_SECURITY_OLD_CRYPTOX_KEY in encryptionsecret-operator YAML directly as that might not resolve the issue.
  • Avoid adding mxe.security.old.crypto.key and mxe.security.old.cryptox.key properties to maximo.properties file as that requires running maxinst or updatedb manually.
  • Avoid adding these properties to bundle.properties file, which can be found under server bundle pods: All or UI at opt/ibm/wlp/usr/servers/defaultServer/manage/properties.

Document Location

Worldwide


Document Information

Modified date:
22 June 2023

UID

ibm16989531