
Error Checking Password On Authentication Api Call In PROD (Doc ID 3000918.1)

Last updated on JANUARY 29, 2024

Applies to:

Oracle Policy Automation - Version 12.2.31 and later
Information in this document applies to any platform.

Symptoms

A REST request to authenticate an API client user and obtain an OAuth 2.0 token from OPA fails with "Error checking password".

 

The following errors are seen in the OPA Hub log:


<Jan 15, 2024 3:55:52 PM CST> <ERROR> <[[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)']> (RESTHttpServlet.java:138) - xxx-opa-hub - Fail POST /12.2.19/auth
com.oracle.determinations.web.rest.ex.RESTInternalServerException: Error checking password
at com.oracle.determinations.hub.web.HubREST.createRESTException(HubREST.java:91) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.HubREST.validateClientCredentials(HubREST.java:155) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.HubREST.createClientCredentialAuthToken(HubREST.java:98) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.OPAHubRESTServlet.getClientCredentialAuthToken(OPAHubRESTServlet.java:204) ~[servlet-hub.jar:12.2.32.485]
at com.oracle.determinations.servlet.rest.RESTHttpServlet$ServletAuthTokenDelegator.getClientCredentialAuthToken(RESTHttpServlet.java:216) ~[determinations-servlet-utilities.jar:12.2.32.485]
at com.oracle.determinations.web.rest.OAuthRequestHandlerV0.writeOAuthToken(OAuthRequestHandlerV0.java:93) ~[determinations-web-utilities.jar:12.2.32.485]
at com.oracle.determinations.web.rest.OAuthRequestHandlerV1.writeOAuthToken(OAuthRequestHandlerV1.java:26) ~[determinations-web-utilities.jar:12.2.32.485]
at com.oracle.determinations.web.rest.OAuthRequestHandlerV0.handleAuthRequest(OAuthRequestHandlerV0.java:39) ~[determinations-web-utilities.jar:12.2.32.485]
at com.oracle.determinations.servlet.rest.RESTHttpServlet.service(RESTHttpServlet.java:111) ~[determinations-servlet-utilities.jar:12.2.32.485]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) ~[jakarta.servlet.jakarta.servlet-api.jar:4.0.2]
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:295) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:260) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:137) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:353) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at com.oracle.determinations.hub.web.RequiredResponseHeaderFilter.doFilter(RequiredResponseHeaderFilter.java:103) ~[servlet-hub.jar:12.2.32.485]
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at com.oracle.determinations.hub.web.HubCloudFilter.doFilter(HubCloudFilter.java:65) ~[servlet-hub.jar:12.2.32.485]
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at com.oracle.determinations.servlet.LoggingFilter.doFilter(LoggingFilter.java:36) ~[determinations-servlet-utilities.jar:12.2.32.485]
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:82) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3866) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3829) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:344) ~[com.oracle.weblogic.security.subject.jar:14.1.1.0]
at weblogic.security.service.SecurityManager.runAsForUserCode(SecurityManager.java:197) ~[com.oracle.weblogic.security.subject.jar:14.1.1.0]
at weblogic.servlet.provider.WlsSecurityProvider.runAsForUserCode(WlsSecurityProvider.java:203) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:71) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext.processSecuredExecute(WebAppServletContext.java:2502) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2351) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2326) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2304) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.ServletRequestImpl.runInternal(ServletRequestImpl.java:1779) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1733) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:272) ~[com.oracle.weblogic.servlet.jar:14.1.1.0]
at weblogic.invocation.ComponentInvocationContextManager._runAs(ComponentInvocationContextManager.java:352) ~[com.bea.core.utils.full.jar:14.1.1.0]
at weblogic.invocation.ComponentInvocationContextManager.runAs(ComponentInvocationContextManager.java:337) ~[com.bea.core.utils.full.jar:14.1.1.0]
at weblogic.work.LivePartitionUtility.doRunWorkUnderContext(LivePartitionUtility.java:57) ~[com.oracle.weblogic.work.jar:14.1.1.0]
at weblogic.work.PartitionUtility.runWorkUnderContext(PartitionUtility.java:41) ~[com.bea.core.weblogic.workmanager.jar:14.1.1.0]
at weblogic.work.SelfTuningWorkManagerImpl.runWorkUnderContext(SelfTuningWorkManagerImpl.java:651) ~[com.bea.core.weblogic.workmanager.jar:14.1.1.0]
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:420) ~[com.bea.core.weblogic.workmanager.jar:14.1.1.0]
at weblogic.work.ExecuteThread.run(ExecuteThread.java:360) ~[com.bea.core.weblogic.workmanager.jar:14.1.1.0]
Caused by: com.oracle.determinations.hub.exception.HubRuntimeException: Error checking password
at com.oracle.determinations.hub.service.UserService.authenticateAndGetClient(UserService.java:184) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.HubREST.validateClientCredentials(HubREST.java:139) ~[opa-hub.jar:12.2.32.485]
... 40 more
Caused by: com.oracle.determinations.hub.encoding.HubIncorrectKeyEncodingException: Incorrect key for string to be decrypted
at com.oracle.determinations.hub.encoding.AESDecodingEncoder.decrypt(AESDecodingEncoder.java:100) ~[determinations-utilities.jar:12.2.32.485]
at com.oracle.determinations.hub.encoding.AESDecodingEncoder.decode(AESDecodingEncoder.java:248) ~[determinations-utilities.jar:12.2.32.485]
at com.oracle.determinations.hub.encoding.AESDecodingEncoder.compare(AESDecodingEncoder.java:291) ~[determinations-utilities.jar:12.2.32.485]
at com.oracle.determinations.hub.service.UserService.authenticateAndGetClient(UserService.java:112) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.HubREST.validateClientCredentials(HubREST.java:139) ~[opa-hub.jar:12.2.32.485]
... 40 more
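The REST-level message "Error checking password" hides the innermost exception, which sits two "Caused by" levels down in the trace. The following added example (not Oracle's code; the function names and the abbreviated sample log are constructed from the excerpt above) parses a Hub log into failed requests and surfaces the root exception and the frame that threw it.

```python
import re

# Constructed sample: abbreviated from the OPA Hub log excerpt above (most frames dropped).
SAMPLE_LOG = """\
<Jan 15, 2024 3:55:52 PM CST> <ERROR> <[[ACTIVE] ExecuteThread: '11' for queue: 'weblogic.kernel.Default (self-tuning)']> (RESTHttpServlet.java:138) - xxx-opa-hub - Fail POST /12.2.19/auth
com.oracle.determinations.web.rest.ex.RESTInternalServerException: Error checking password
at com.oracle.determinations.hub.web.HubREST.createRESTException(HubREST.java:91) ~[opa-hub.jar:12.2.32.485]
at com.oracle.determinations.hub.web.HubREST.validateClientCredentials(HubREST.java:155) ~[opa-hub.jar:12.2.32.485]
Caused by: com.oracle.determinations.hub.exception.HubRuntimeException: Error checking password
at com.oracle.determinations.hub.service.UserService.authenticateAndGetClient(UserService.java:184) ~[opa-hub.jar:12.2.32.485]
... 40 more
Caused by: com.oracle.determinations.hub.encoding.HubIncorrectKeyEncodingException: Incorrect key for string to be decrypted
at com.oracle.determinations.hub.encoding.AESDecodingEncoder.decrypt(AESDecodingEncoder.java:100) ~[determinations-utilities.jar:12.2.32.485]
... 40 more
"""

HEADER = re.compile(r"^<(?P<ts>[^>]+)> <(?P<level>[A-Z]+)> .* - (?P<app>\S+) - Fail (?P<method>[A-Z]+) (?P<path>\S+)$")
EXC = re.compile(r"^(?:Caused by: )?(?P<cls>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")
FRAME = re.compile(r"^\s*at (?P<fn>[\w.$<>]+)\((?P<src>[^)]*)\)")

def parse_events(text):
    """Return one dict per failed request: request info plus the exception chain."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if (m := HEADER.match(line)):
            events.append({**m.groupdict(), "chain": []})
        elif events and (m := EXC.match(line)):
            events[-1]["chain"].append({**m.groupdict(), "thrown_at": None})
        elif events and events[-1]["chain"] and (m := FRAME.match(line)):
            link = events[-1]["chain"][-1]
            if link["thrown_at"] is None:  # first frame after the exception line is the throw site
                link["thrown_at"] = f'{m["fn"]} ({m["src"]})'
    return events

def root_cause(event):
    """The innermost 'Caused by' link, which the REST-level message hides."""
    return event["chain"][-1] if event["chain"] else None

if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        root = root_cause(ev)
        print(f'{ev["ts"]} {ev["method"]} {ev["path"]} on {ev["app"]}: {ev["chain"][0]["msg"]}')
        print(f'  root: {root["cls"]}: {root["msg"]} at {root["thrown_at"]}')
```

Running this over each deployment's Hub log separately shows whether the same root exception is raised on both nodes or only on one.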


The customer had a load-balanced environment with 2 separate OPA deployments using the same database. When each deployment was accessed directly, requests to one environment worked and requests to the other failed with the above error.

To reproduce the behavior, follow the steps in REST API for Intelligent Advisor > Authenticate an API client user to get an OAuth 2.0 token.

Changes

The customer deployed a 12.2.31 environment; the same configuration works on 12.2.19.

Cause

To view full details, sign in with your My Oracle Support account.
