IBM Support

Troubleshooting crypto errors in IBM Content Navigator

Troubleshooting


Problem

com.ibm.ecm.crypto.CipherException: The system is not capable of generating 256-bit keys
This error occurs when the Java version being used cannot generate 256-bit keys. Update either the Java version or the policy files as described in the following technote:
com.ibm.ecm.crypto.CipherException: Failed to encrypt/decrypt
This error occurs when either the data encryption key (DEK) was not encrypted using the current key encryption key (KEK) or the secret was not encrypted using the current DEK. Follow the steps below to fix the issue by rotating DEKs and resetting secrets.
Note: If you have a backup of the KEK, you can try restoring the KEK as described in the following technote without rotating DEKs and resetting secrets.
Important: If the ICN configuration directory is not shared by all ICN servers, ensure all ICN servers use the same KEK as described in the following technote.

1. Rotate the DEKs as described in the following technote. You can skip the last step as you will start all ICN servers later.
Note: The KEK does not need to be rotated.
2. Reset secrets by going to the ICN admin desktop and saving configurations that contain secrets. For example, to reset the Task Manager administrator password, go to the settings page (and the repository configuration page) and save the configuration after entering the password.
3. Start all ICN servers.
com.ibm.ecm.crypto.CipherException: Failed to prepare material
Caused by: java.io.IOException: Unexpected number of data files found
This error occurs when the KEK directory, .ikm, in the IBM Content Navigator configuration directory contains unexpected files. Back up and remove all files under the KEK directory, restart the ICN server, and review the previous error (com.ibm.ecm.crypto.CipherException: Failed to encrypt/decrypt) to rotate the DEKs.
com.ibm.ecm.crypto.CipherException: call failed
Caused by: java.nio.channels.OverlappingFileLockException
Upgrade to ICN 3.0.7 interim fix 1, 3.0.6 interim fix 4, 3.0.5 interim fix 8, or later.
Additional Note
Ensure the KEK is backed up and reused every time you upgrade ICN. If a KEK is not found, ICN generates a new one, which cannot decrypt existing DEKs.
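
The following Java sketch is an added example, not IBM code and not ICN's actual implementation. It models a generic KEK/DEK envelope scheme (AES Key Wrap for the DEK and AES-GCM for the secret are assumptions, as are all class and method names) to show why "Failed to encrypt/decrypt" follows once a new KEK replaces the one that wrapped the existing DEKs, and it prints the JRE's maximum AES key length, which is the limit behind the 256-bit key error.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;

// Generic KEK/DEK envelope model (hypothetical names; not ICN's implementation).
public class EnvelopeDemo {
    static SecretKey newAesKey(int bits) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(bits);
        return kg.generateKey();
    }
    // The KEK never touches secrets directly: it only wraps (encrypts) the DEK.
    static byte[] wrap(SecretKey kek, SecretKey dek) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap"); // AES Key Wrap, RFC 3394
        c.init(Cipher.WRAP_MODE, kek);
        return c.wrap(dek);
    }
    static SecretKey unwrap(SecretKey kek, byte[] wrapped) throws Exception {
        Cipher c = Cipher.getInstance("AESWrap");
        c.init(Cipher.UNWRAP_MODE, kek);
        return (SecretKey) c.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
    }
    public static void main(String[] args) throws Exception {
        // A value below 256 means the JRE's policy files restrict AES key size.
        System.out.println("Max AES key bits: " + Cipher.getMaxAllowedKeyLength("AES"));
        SecretKey kek = newAesKey(256), dek = newAesKey(256);
        byte[] wrappedDek = wrap(kek, dek);
        // Encrypt a constructed sample secret under the DEK.
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(128, iv));
        byte[] ct = gcm.doFinal("sample-password".getBytes(StandardCharsets.UTF_8));
        // With the original KEK the chain works: unwrap the DEK, then decrypt.
        gcm.init(Cipher.DECRYPT_MODE, unwrap(kek, wrappedDek), new GCMParameterSpec(128, iv));
        System.out.println("Original KEK: " + new String(gcm.doFinal(ct), StandardCharsets.UTF_8));
        // A freshly generated KEK fails the key-wrap integrity check, so the
        // DEK, and every secret encrypted under it, is unrecoverable.
        try {
            unwrap(newAesKey(256), wrappedDek);
        } catch (GeneralSecurityException e) {
            System.out.println("New KEK cannot unwrap existing DEK: " + e);
        }
    }
}
```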

Document Location

Worldwide

Business Unit: Cloud & Data Platform
Product: IBM Content Navigator
Platform: AIX, Linux, Linux on IBM Z Systems, Windows
Version: 3.0.5 iFix 1 or later
Line of Business: Miscellaneous LOB

Product Synonym

ICN

Document Information

Modified date:
01 April 2022

UID

ibm11120245