Date Posted:
Product: TIBCO Spotfire®
Product: TIBCO Spotfire®
Problem:
TIBCO Spotfire server unable to decrypt passwords
Solution:
The TIBCO Spotfire server often needs to login to external systems such as database or LDAP servers. In order to increase security the passwords are stored in an encrypted form instead of clear text and is decrypted by the server only when access is required. An encryption password is used for encrypting and decrypting other passwords and it must match the one that was used when the password was encrypted, otherwise decryption will fail and the server cannot use the credentials for logging in.
Symptoms:
The symptoms from an end user perspective are:
- Users cannot login, using LDAP
- Information links do not work.
Server log file example:
<TIBCO Spotfire Server install dir>\tomcat\logs\server.log:
WARN 2013-04-01T16:15:15,040+0200 [*Initialization*] util.transform.DefaultCredentialTransform: Decryption failed com.spotfire.server.util.sql.StoredCredentialException: Internal error: pad padding at com.spotfire.server.util.sql.StoredCredential.decryptDatabaseCredential(StoredCredential.java:249) [...] ERROR 2013-04-01T16:15:16,040+0200 [user, #1] api.common.InformationModelServiceCommon: Failed to initialize connection pool: Access denied for user 'username'@'hostname' (using password: YES) com.spotfire.ws.api.common.InformationModelWebServiceException: Failed to initialize connection pool: Access denied for user 'username'@'hostname' (using password: YES) [...] Caused by: com.spotfire.ws.im.IMException: Failed to initialize connection pool: Access denied for user 'username'@'hostname' (using password: YES) [...] Caused by: java.sql.SQLException: Access denied for user 'username'@'hostname' (using password: YES) [...]
Cause:
The Spotfire server is unable decrypt the password because the encrypted password in the file bootstrap.xml has been changed since the password was stored or the encrypted password is not the same for all servers in the cluster. Recreating the bootstrap file with a new encryption-password will invalidate all passwords that were already saved.
<TIBCO Spotfire Server install dir>\tomcat\webapps\spotfire\WEB-INF\bootstrap.xml defines an encryption password which is also not stored in clear text:
<bootstrap> ... <encryption-password>A$2yhKT[...]U6UBYqA</encryption-password> </bootstrap>
Alternative 1:
Save all stored passwords again. This means that any LDAP configurations should be saved again or updated with a new password and data sources must be resaved in the Information Designer tool in the Spotfire desktop client.
Alternative 2:
Restore the encrypted password by creating a new bootstrap file or restore a backup using the same encryption password as was used when the data sources were created. A new bootstrap file with an altered encryption password can either be created using the graphical server configuration tool (available in TIBCO Spotfire Server 5.0 and higher), using the "Connect to Database > Create new bootstrap file..." function or from the command line using the bootstrap command. Example:
config bootstrap --driver-class=tibcosoftwareinc.jdbc.oracle.OracleDriver --database-url="jdbc:tibcosoftwareinc:oracle://server:1521;SID=spotfire" --username=spotuserm --password=spotpass --encryption-password=mysecretpassword
All servers within the same cluster should use the same encryption password and any data sources stored with a previous encryption password must be resaved.
https://docs.tibco.com/pub/spotfire_server/7.10.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-240E0D48-7570-4EA3-A07C-D8E49B4C9CB2.html bootstrap
https://docs.tibco.com/pub/spotfire_server/7.10.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-A193BE5D-0047-4389-8CE4-837CBBDD00D6.html bootstrap.xml file
https://docs.tibco.com/pub/spotfire_server/7.10.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-A193BE5D-0047-4389-8CE4-837CBBDD00D6.html bootstrap.xml file