Overview
The Data-Admin-Security-AccessTokenKeys store contains environment-specific cryptographic key pairs used to sign JWT access tokens and to decrypt and validate OAuth tokens issued by the system.
These keys are encrypted using a non-portable, environment-specific encryption key and are not intended to be shared or reused across environments.
Issue
When AccessTokenKeys instances are migrated to a different environment, the target system cannot decrypt the key material. As a result, token generation and validation fail.
Impact
When these keys are migrated across environments, the following issues occur in the target environment:
|
Scenario |
Error |
|
User authentication fails for both Constellation and Hybrid applications.
|
ERROR - Failed to decrypt with Internal Cipher javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted com.pega.pegarules.pub.PRRuntimeException: cryptography operation failed ERROR - Not able to generate PegaAAT cookie : OAuth2DataProviderImpl.createAccessToken() failed to generate accessToken |
|
All OAuth-based services fail to authenticate.
|
ERROR - Failed to decrypt with Internal Cipher javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted com.pega.pegarules.pub.PRRuntimeException: cryptography operation failed |
|
New access tokens cannot be generated. |
ERROR - Failed to decrypt with Internal Cipher javax.crypto.BadPaddingException: Error finalising cipher data: pad block corrupted com.pega.pegarules.pub.PRRuntimeException: cryptography operation failed. |
This issue occurs in the following scenarios:
- RAP or product rule deployments: Application packages that include Data-Admin-Security-AccessTokenKeys instances
- Manual data migration activities: Customer- or partner-initiated data migration between environments
Root Cause
AccessTokenKeys are encrypted using environment-specific, non-portable encryption keys. Key identifiers are not globally unique across environments. Hence, keys migrated between environments cannot be decrypted and token generation fails immediately after migration.
Best practices
- Exclude AccessTokenKeys from the following:
- RAP files
- Product rules
- Data migration activities
Recovery Procedure (If the Issue has already occurred)
If AccessTokenKeys were accidentally migrated, perform the following steps to recover:
- Remove all AccessTokenKeys instances
Delete all records of the class Data-Admin-Security-AccessTokenKeys from the database.
On Pega Cloud, a CC would be required to execute the below SQL query.
SQL: Delete from <data_schema>.pr_data_admin WHEREE pxObjClass like 'Data-Admin-Security-AccessTokenKeys'
Note – A CC can be requested through My Support portal.
- Restart the environment
Restart all application nodes to ensure the changes are fully applied.
- Allow automatic key regeneration
After the restart, the platform automatically regenerates the AccessTokenKeys.
- Validate functionality
Confirm that the following operations are working as expected:
- User authentication (login)
- OAuth token generation
AccessTokenKeys are bound to a specific environment and must never be migrated between environments. Any attempt to migrate these keys will break authentication and OAuth token generation.