Question
BNZ
BNZ
NZ
BNZ
Posted: Apr 14, 2019
Last activity: Sep 25, 2019
Last activity: 25 Sep 2019 8:15 EDT
Closed
Solved
AWS KMS security token Exception during E-mail account configuration
I’m trying to configure the Default email account in our client PEGA cloud environment for report scheduling purposes. However, during this setup PEGA is using an AWS KMS key store that is available in the system to encrypt the email password with Encode function that is available in the Pega-RULES: Default library
At this point, I’m getting an exception from AWS saying that the security token is invalid. I tested the AWS key store file available in the system and the connectivity is fine. Does anybody know when we might encounter this exception?
Attaching the screenshots that has the exception and detailed rule invocation stack trace.
***Edited by Moderator Marissa to update platform capability tags****
Accepted Solution
Posted: 5 years ago
Pegasystems Inc.
Pegasystems Inc.
IN
Since the user doesn't have the old master key details, suggested with below changes and made the environment to the initial installation stage which uses the OOTB encryption.
delete from data.pr_data_admin_sec_de_key;
delete from data.pr_data_admin_sec_de_cdk where pycdkid=1;
Posted: 5 years ago
BNZ
BNZ
NZ
I've attached the document that has the screenshots and mentioned the rule where we are getting the exception.
After going through the Exception stack trace, here is my analysis which could help us to resolve this.
1. Application tried to encrypt the password with the help of Keystore that is available in the Amazon KMS location.
2. It tried to call the AWSKMS service.
3. AWSKMS service returned that the request call was made from an Unrecognized client, thus returning UnrecognizedClientException.
I’m not entirely sure but the below article says that this might happen if there is an inconsistent date and time between the server (Pega Cloud) & Amazon KMS server (AWSKMS service)
https://aws.amazon.com/premiumsupport/knowledge-center/security-token-expired/
https://github.com/awslabs/amazon-kinesis-scaling-utils/issues/5
Also, I’m pretty sure that the Access/Secret key pair are valid as the connectivity looks good (refer to the document).
Posted: 5 years ago
BNZ
BNZ
NZ
Here is the Exception trace that tells us how pega invoked AWSKMS client to access the keystore.
Show More
Here is the Exception trace that tells us how pega invoked AWSKMS client to access the keystore.
Exception Trace com.amazonaws.services.kms.model.AWSKMSException: The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: 41d52b79-e7b6-4e7e-9c4f-dee442476155)
Java Stack Trace
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520)
at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:4467)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:4434)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:4423)
at com.amazonaws.services.kms.AWSKMSClient.executeDecrypt(AWSKMSClient.java:1324)
at com.amazonaws.services.kms.AWSKMSClient.decrypt(AWSKMSClient.java:1296)
at com.pega.pegarules.exec.internal.crypto.dataencryption.AWSKeyManagementService.decrypt(AWSKeyManagementService.java:65)
at com.pega.pegarules.exec.internal.crypto.dataencryption.DataKeyProvider.decryptEncryptedKey(DataKeyProvider.java:283)
at com.pega.pegarules.exec.internal.crypto.dataencryption.DataKeyProvider.getCustomerDataKey(DataKeyProvider.java:130)
at com.pega.pegarules.exec.internal.crypto.dataencryption.EncryptionHandler.encrypt(EncryptionHandler.java:76)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.encryptUsingKeyStore(PRCryptoImpl.java:700)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.encrypt(PRCryptoImpl.java:686)
at com.pegarules.generated.encryptPW_071017__2196136611982189319.encryptPW07_10_17(encryptPW_071017__2196136611982189319.java:112)
at com.pegarules.generated.encryptPW_071017__2196136611982189319.invoke(encryptPW_071017__2196136611982189319.java:81)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.resolveAndinvokeFunctionViaReflection(LibraryRuntime.java:222)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.invokeLibraryRuntime(LibraryRuntime.java:119)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeLibraryRuntime(Executable.java:9150)
at com.pega.pegarules.priv.generator.LibrarySupport.resolveAndInvokeFunctionViaReflectionWithException(LibrarySupport.java:275)
at com.pegarules.generated.Encode_071017_7082641022236447370.Encode07_10_17(Encode_071017_7082641022236447370.java:124)
at com.pegarules.generated.Encode_071017_7082641022236447370.invoke(Encode_071017_7082641022236447370.java:82)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.resolveAndinvokeFunctionViaReflection(LibraryRuntime.java:222)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.invokeLibraryRuntime(LibraryRuntime.java:119)
at com.pega.pegarules.generation.internal.library.LibraryFunctionUtilityImpl.resolveMethodCall(LibraryFunctionUtilityImpl.java:2923)
at com.pega.pegarules.session.internal.mgmt.Executable.resolveMethodCall(Executable.java:11245)
at com.pegarules.generated.activity.ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.step10_circum0(ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.java:1071)
at com.pegarules.generated.activity.ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.perform(ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.java:228)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_validate_fb63fb28c3ec5418de4d318c07999095.step1_circum0(ra_action_validate_fb63fb28c3ec5418de4d318c07999095.java:168)
at com.pegarules.generated.activity.ra_action_validate_fb63fb28c3ec5418de4d318c07999095.perform(ra_action_validate_fb63fb28c3ec5418de4d318c07999095.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.step10_circum0(ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.java:972)
at com.pegarules.generated.activity.ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.perform(ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.java:223)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_save_42d6fd0440beda0051ccf932f9363bdb.step2_circum0(ra_action_save_42d6fd0440beda0051ccf932f9363bdb.java:580)
at com.pegarules.generated.activity.ra_action_save_42d6fd0440beda0051ccf932f9363bdb.perform(ra_action_save_42d6fd0440beda0051ccf932f9363bdb.java:87)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_wbsave_f4476f734a9fffad799118a95aed5830.step5_circum0(ra_action_wbsave_f4476f734a9fffad799118a95aed5830.java:752)
at com.pegarules.generated.activity.ra_action_wbsave_f4476f734a9fffad799118a95aed5830.perform(ra_action_wbsave_f4476f734a9fffad799118a95aed5830.java:141)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.step4_circum0(ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.java:375)
at com.pegarules.generated.activity.ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.perform(ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.java:121)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.step6_circum0(ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.java:683)
at com.pegarules.generated.activity.ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.perform(ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.java:159)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.step4_circum0(ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.java:408)
at com.pegarules.generated.activity.ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.perform(ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.java:122)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pegarules.generated.activity.ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.step1_circum0(ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.java:321)
at com.pegarules.generated.activity.ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.perform(ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
at com.pega.pegarules.session.internal.mgmt.PRThreadImpl.runActivitiesAlt(PRThreadImpl.java:484)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.runActivities(HttpAPI.java:3467)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:417)
at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1368)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1105)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:959)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequest(EngineAPI.java:354)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.invoke(HttpAPI.java:855)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._invokeEngine_privact(EngineImpl.java:331)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:274)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:251)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngineInner(JNDIEnvironment.java:278)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngine(JNDIEnvironment.java:223)
at com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:691)
at com.pega.pegarules.web.impl.WebStandardImpl.doPost(WebStandardImpl.java:397)
at sun.reflect.GeneratedMethodAccessor161.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:370)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:411)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:224)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:273)
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doPost(WebStandardBoot.java:129)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1139)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2555)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2544)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Show Less
Posted: 5 years ago
BNZ
BNZ
NZ
I got the comprehensive exception stack trace from the log file. If Tracer log file can be helpful, I can create a SR and send it over my support portal.
Posted: 5 years ago
PEGA
Pegasystems Inc.
US
Hi Naveen,
Please go ahead with SR creation and this will be handled by appropriate team from Pega GCS.
Thanks for all the details and please attach them to the SR.
Posted: 5 years ago
BNZ
BNZ
NZ
Hi,
Did anyone faced this issue before. The KMS keys are configured properly in our system and they are working fine with other features(Sending data to Amazon S3 bucket).
The only time we are facing this issue is when we try to update the password in the email account rule.
Regards,
Naveen.
Accepted Solution
Posted: 5 years ago
Pegasystems Inc.
Pegasystems Inc.
IN
Since the user doesn't have the old master key details, suggested with below changes and made the environment to the initial installation stage which uses the OOTB encryption.
delete from data.pr_data_admin_sec_de_key;
delete from data.pr_data_admin_sec_de_cdk where pycdkid=1;