https://jira.opendaylight.org This file is an XML representation of an issue en-us 8.20.10 820010 22-06-2022 https://jira.opendaylight.org/browse/NETCONF-450 netconf <p>I am using TCP<img class="emoticon" src="https://jira.opendaylight.org/images/icons/emoticons/warning.png" height="16" width="16" align="absmiddle" alt="" border="0"/> to mount Honeycomb:</p> <p>feature:install odl-netconf-topology odl-restconf-all</p> <p>then</p> <p>PUT <a href="http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vpp" class="external-link" target="_blank" rel="nofollow noopener">http://localhost:8181/restconf/config/network-topology:network-topology/topology/topology-netconf/node/vpp</a></p> <p>{<br/> "node": </p> { "node-id": "vpp", "host": "127.0.0.1", "port": 7777, "username": "admin", "password": "admin", "tcp-only": true, "keepalive-delay": 0 } <p>}</p> <p>Mount itself works fine, but following error is dsplayed:</p> <p>2017-08-10 06:29:47,848 | ERROR | on-dispatcher-43 | AAAEncryptionServiceImpl | 223 - org.opendaylight.aaa.encrypt-service - 0.6.0.SNAPSHOT | Failed to decrypt encoded data<br/> javax.crypto.IllegalBlockSizeException: Input length must be multiple of 16 when decrypting with padded cipher<br/> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:934)<span class="error">&#91;sunjce_provider.jar:1.8.0_131&#93;</span><br/> at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)<span class="error">&#91;sunjce_provider.jar:1.8.0_131&#93;</span><br/> at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)<span class="error">&#91;sunjce_provider.jar:1.8.0_131&#93;</span><br/> at javax.crypto.Cipher.doFinal(Cipher.java:2165)<span class="error">&#91;:1.8.0_131&#93;</span><br/> at org.opendaylight.aaa.encrypt.AAAEncryptionServiceImpl.decrypt(AAAEncryptionServiceImpl.java:162)<span class="error">&#91;223:org.opendaylight.aaa.encrypt-service:0.6.0.SNAPSHOT&#93;</span><br/> at Proxy344e8f08_8699_442e_8cbc_385cb6efd93a.decrypt(Unknown Source)<span class="error">&#91;:&#93;</span><br/> at Proxya43816b6_ceab_487d_8d0b_01d8b0a3ec86.decrypt(Unknown Source)<span class="error">&#91;:&#93;</span><br/> at org.opendaylight.netconf.sal.connect.util.AuthEncryptor.encryptIfNeeded(AuthEncryptor.java:44)<span class="error">&#91;302:org.opendaylight.netconf.sal-netconf-connector:1.6.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.netconf.topology.AbstractNetconfTopology.setupConnection(AbstractNetconfTopology.java:224)<span class="error">&#91;165:netconf-topology-config:1.3.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.netconf.topology.AbstractNetconfTopology.connectNode(AbstractNetconfTopology.java:202)<span class="error">&#91;165:netconf-topology-config:1.3.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.netconf.topology.impl.NetconfTopologyImpl.onDataTreeChanged(NetconfTopologyImpl.java:127)<span class="error">&#91;165:netconf-topology-config:1.3.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.controller.md.sal.binding.impl.BindingDOMDataTreeChangeListenerAdapter.onDataTreeChanged(BindingDOMDataTreeChangeListenerAdapter.java:41)<span class="error">&#91;246:org.opendaylight.controller.sal-binding-broker-impl:1.6.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.dataChanged(DataTreeChangeListenerActor.java:59)<span class="error">&#91;259:org.opendaylight.controller.sal-distributed-datastore:1.6.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.controller.cluster.datastore.DataTreeChangeListenerActor.handleReceive(DataTreeChangeListenerActor.java:38)<span class="error">&#91;259:org.opendaylight.controller.sal-distributed-datastore:1.6.0.SNAPSHOT&#93;</span><br/> at org.opendaylight.controller.cluster.common.actor.AbstractUntypedActor.onReceive(AbstractUntypedActor.java:28)<span class="error">&#91;252:org.opendaylight.controller.sal-clustering-commons:1.6.0.SNAPSHOT&#93;</span><br/> at akka.actor.UntypedActor$$anonfun$receive$1.applyOrElse(UntypedActor.scala:165)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.actor.Actor$class.aroundReceive(Actor.scala:502)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.actor.UntypedActor.aroundReceive(UntypedActor.scala:95)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.actor.ActorCell.receiveMessage(ActorCell.scala:526)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.actor.ActorCell.invoke(ActorCell.scala:495)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.dispatch.Mailbox.processMailbox(Mailbox.scala:257)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.dispatch.Mailbox.run(Mailbox.scala:224)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at akka.dispatch.Mailbox.exec(Mailbox.scala:234)<span class="error">&#91;141:com.typesafe.akka.actor:2.4.18&#93;</span><br/> at scala.concurrent.forkjoin.ForkJoinTask.doExec(ForkJoinTask.java:260)<span class="error">&#91;321:org.scala-lang.scala-library:2.11.11.v20170413-090219-8a413ba7cc&#93;</span><br/> at scala.concurrent.forkjoin.ForkJoinPool$WorkQueue.runTask(ForkJoinPool.java:1339)<span class="error">&#91;321:org.scala-lang.scala-library:2.11.11.v20170413-090219-8a413ba7cc&#93;</span><br/> at scala.concurrent.forkjoin.ForkJoinPool.runWorker(ForkJoinPool.java:1979)<span class="error">&#91;321:org.scala-lang.scala-library:2.11.11.v20170413-090219-8a413ba7cc&#93;</span><br/> at scala.concurrent.forkjoin.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:107)<span class="error">&#91;321:org.scala-lang.scala-library:2.11.11.v20170413-090219-8a413ba7cc&#93;</span><br/> 2017-08-10 06:29:47,856 | INFO | on-dispatcher-43 | AuthEncryptor | 302 - org.opendaylight.netconf.sal-netconf-connector - 1.6.0.SNAPSHOT | Encrypting the provided credentials<br/> 2017-08-10 06:29:47,993 | INFO | CommitFutures-1 | AuthEncryptor | 302 - org.opendaylight.netconf.sal-netconf-connector - 1.6.0.SNAPSHOT | Encrypted netconf username/password successfully</p> <p>Operating System: All<br/> Platform: All</p> NETCONF-450

Failed to decrypt encoded data while mounting NETCONF

Bug Resolved Won't Do Unassigned Marek Gradzki Thu, 10 Aug 2017 04:39:42 +0000 Fri, 15 Mar 2019 22:22:43 +0000 Thu, 12 Oct 2017 14:04:16 +0000 netconf 0 3 <p>Same issue occurs when SSH is used</p> <p>Well, this is related to mountpoint's credentials encryption and not to the actual encryption of netconf session, so it does not really matter whether you are using SSH or TCP.</p> <p>I can confirm that this error is being emitted, but otherwise mountpoint seems to work.</p> <p>Right. Thanks for investigation!</p> <p>After brief investigation, it turns out, that the password encryption logic during mountpoint initialization goes as follows:</p> <p>1) netconf node's password is tried to be decrypted with help of AAA AAAEncryptionService's decrypt method. If the password cannot be decrypted, method returns password unchanged and logs the above mentioned error. Our implementation depends on the fact that unencrypted password is returned unchanged (this is not even documented in the netconf code nor in the AAA's AAAEncryptionService API). If the password is already encrypted (thus can be decrypted), we are not doing anything. I guess this wants to solve the problems with reconnects after ODL restart and similar cases (we don't want to encrypt already encrypted password in DS).</p> <p>2) password is actually encrypted and stored in DS.</p> <p>I think this is not the best solution, since the error log is being emitted and this can confuse users. But also this can cause problems if someone specifies plaintext password that actually can be decrypted (although this is very unlikely scenario). ODL will then try to use decrypted plaintext password during session negotiation with device and not the actual password.</p> <p>Jakub is correct that this is harmlessly coming from AAA when you have unencrypted password stored, best way to get rid of this and attempting to decrypt unencrypted passwords is to just change to model for credentials like I proposed in <a href="https://bugs.opendaylight.org/show_bug.cgi?id=9261" class="external-link" target="_blank" rel="nofollow noopener">https://bugs.opendaylight.org/show_bug.cgi?id=9261</a> and only run encryption/decryption in the cases that need it.<br/> This log is harmless so closing this, the model change will be handled as a part of 9261</p> Development External issue ID 8971 External issue URL Rank 0|i01ym7: