IBM Support

IBM WebSphere DataPower SOA Appliance secure restore operation fails with decryption failure

Troubleshooting


Problem

An IBM WebSphere DataPower SOA Appliance fails to complete the secure restore operation due to one or more of the backup files not matching what was previously backed up.

Symptom

When this issue is encountered, the following message is received:

    Secure restore failed - An decryption failure occurred.

When the decryption failure occurs, entries similar to the following are found in the system logs (default-log):

    20140606T192556Z [mgmt][info] secure-restore(FBR): tid(4783): Restoring raid-volume.tgz from backup directory local:///Backup

    20140606T192556Z [mgmt][error] secure-restore(FBR): tid(4783): A symmetric crypto operation failed during secure-backup request: *Invalid ciphertext for algorithm 'http://www.w3.org/2001/04/xmlenc#tripledes-cbc' * (6324).

    20140606T192556Z [cli][error] : tid(48999): Secure restore failed - An decryption failure occurred.

In the logging above, the log entry before the error entries indicates the file being processed when the error occurs. In this case, the issue is with decrypting the raid-volume.tgz file.

Cause

The following are possible causes for this issue:

  • Except for the backupmanifest.xml file, the *.tgz backup files created by a DataPower appliance for a secure backup are encrypted and are not readable. If these files are created on the appliance and later downloaded off the appliance, the download may fail for files that are extremely large. If the download fails, the downloaded file, when opened, displays the following:
      Unable to download file. Use the copy command.
  • WebSphere Appliance Management Center was used to create the secure backup files, but the secure restore is done directly with the DataPower appliance secure restore option instead of with WebSphere Appliance Management Center. The WebSphere Appliance Management Center secure backup creates a zip file that contains all the secure backup files. Each of the files in the secure backup is Base64 encoded because WebSphere Appliance Management Center uses the XML Management Interface to do the secure backup and restore.

Diagnosing The Problem

  1. Change the log level to debug to get the most logging available. See the following DataPower mustgather for instructions on setting the log level to debug.
  2. Recreate the issue.
  3. Look in the default-log to see if there are any entries similar to the ones listed in the Symptom section and that point to a specific file.
  4. Check the backupmanifest.xml file to ensure that the file sizes listed in the manifest match the sizes of the corresponding downloaded files.
  5. The example log entry points to the raid-volume.tgz file. Since the hard disk array (RAID) is large and can contain a large amount of data, it is a best practice to not include the RAID in the secure backup. See the Secure backup-restore for WebSphere DataPower SOA Appliances article for a list of best practices for secure backup and restore. In the specific case provided, according to the manifest file, the raid-volume.tgz file should have a file size of 1733136728 bytes but the downloaded file is only 46 bytes.
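
The size check in step 4 and the two causes listed earlier can be screened for before a restore is attempted. The following Python script is an added example, not IBM code: it flags a file that contains the failed-download text, a file that looks Base64 encoded, and a file whose size differs from the manifest. It assumes the expected sizes are copied by hand from backupmanifest.xml, treats the Base64 test as a heuristic on the first 4096 bytes, and uses constructed file names and contents apart from raid-volume.tgz and its size.

```python
import base64
import binascii
import os
import tempfile

PLACEHOLDER = b"Unable to download file. Use the copy command."  # failed-download text

def looks_base64(head: bytes) -> bool:
    """Heuristic: every sampled byte is valid Base64 text."""
    sample = b"".join(head.split())
    sample = sample[: len(sample) // 4 * 4]  # the sample may end mid-quantum
    try:
        return bool(sample) and bool(base64.b64decode(sample, validate=True))
    except binascii.Error:
        return False

def classify(path: str, expected_size: int) -> str:
    """Classify one downloaded backup file before a secure restore."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    if PLACEHOLDER in head:
        return "failed-download"  # download again or use the CLI copy command
    if looks_base64(head):
        return "base64-encoded"   # Appliance Management Center export: decode first
    if os.path.getsize(path) != expected_size:
        return "size-mismatch"    # does not match the size in the manifest
    return "ok"

def check_backup(directory: str, expected: dict) -> dict:
    """expected: file name -> size copied by hand from backupmanifest.xml."""
    return {n: classify(os.path.join(directory, n), s) for n, s in expected.items()}

def demo() -> dict:
    """Constructed files; only raid-volume.tgz and its size come from the page."""
    binary = bytes(range(256)) * 4  # stands in for encrypted content
    files = {
        "raid-volume.tgz": (PLACEHOLDER, 1733136728),
        "sample-ok.tgz": (binary, len(binary)),
        "sample-short.tgz": (binary[:100], len(binary)),
        "sample-b64.tgz": (base64.b64encode(binary), len(binary)),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (data, _) in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return check_backup(tmp, {n: s for n, (_, s) in files.items()})

if __name__ == "__main__":
    print(demo())
```

To use it on a real backup, call check_backup with the download directory and the name-to-size mapping taken from the manifest.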

Resolving The Problem

If a DataPower appliance was used to create the secure backup, use one of the following options to resolve this problem:

  • If iSCSI and RAID data are included in the secure backup, use another method to back up this data.
  • If a downloaded file does not match the size listed for that file in the backupmanifest.xml file, try downloading the file again.
  • If the download still fails, try using the CLI copy command to copy that file off the appliance.

If the WebSphere Appliance Management Center was used to create the secure backup, use one of the following options to resolve this issue:

  • When the WebSphere Appliance Management Center was used to create the secure backup, it is a best practice to use WebSphere Appliance Management Center to do the secure restore.
  • If it is not possible to use WebSphere Appliance Management Center to do the secure restore, when using a DataPower appliance to do the secure restore, use a Base64 decoder to decode all the backup files, including the backupmanifest.xml file, before running the secure restore. Note: A Base64 decoder can be found using a search engine.

If the information provided does not help resolve your issue, or you have any questions regarding this information, please contact IBM WebSphere DataPower SOA Appliances Support for assistance.


Document Information

Modified date:
15 June 2018

UID

swg21635986