SBL-SVC-00281

Applies to:

Siebel CRM - Version 8.0.0.5 [20420] - DO NOT USE and later
Information in this document applies to any platform.
***Checked for relevance on 24-OCT-2012***

Symptoms

Siebel 8.0.0.5 is trying to access the keydbmgr prior to upgrading to the Siebel Strong Encryption Pack. The utility appears to do its initial load properly, but after they press the "c" button to continue they get an error about not being able to decrypt the password. Inspection of the keydbmgr.log shows the following two errors:

Decrypt failed with 10879085. Error during encryption or decryption operation by the RC2 Encryptor.

(keymanager.cpp (268)) SBL-SVC-00281:
Internal: error occurred during password decryption.

Desired behavior is that the keydbmgr would present the password prompt and then allow access to the utility menu.

Cause

Mismatch between keyfile.bin file in the environment (which is standard vanilla) and the S_APP_VER.ENCRYPT_PWD_FL_KEY which should be NULL in this case but has a value since it was imported from another environment.

Customer has noted that the keyfile.bin is vanilla but the S_APP_VER value is clearly populated. This mismatch would cause the keydbmgr.exe program all sorts of problems. Also in all likelihood the value stored in S_APP_VER is encrypted with AES 256 encryption from the environment it came from, but this environment still has been upgraded to have that capacity.

Solution

The fact that there is pre-existing encrypted data somewhat complicates things. We will try the simplest approach first. If that does not work, we may need to go with a more complicated one.

_$#$_ *** CRITICAL: ONCE WE START THIS PROCESS NO ONE CAN CREATE NEW OR MODIFY ANY EXISTING ENCRYPTED DATA UNTIL WE ARE SURE THAT THE KEYFILE IS IN PLACE AND WORKING PROPERLY. IF THEY DO THERE IS A VERY HIGH CHANCE THAT THE DATA WILL BE LOST!!! ***

1. Make a backup of the existing vanilla keyfile.bin. Then make a second backup of the existing vanilla keyfile.bin. Consider making a third copy.

2. Copy the value currently in S_APP_VER.ENCRYPT_PWD_FL_KEY and verify it. Do it again so that you have two known good copies of S_APP_VER.ENCRYPT_PWD_FL_KEY.

(The above may seem a bit excessive, but these are the items that -- if lost -- will move us from complicated to a nightmare.)

3. Install the base Siebel Strong Encryption Pack with the exact same algorithm and bit length as the source environment. DO NOT DO THE KEYDBUPGRADE STEP!!!

4. Install any Fix Packs necessary to bring the SSEP on the target environment to the exact same level as the source environment.

5. Update any masked parameters as indicated in the SSEP installation instructions.

6. Copy the keyfile.bin from the source environment over to the target environment.

7. Stop and restart the Siebel Environment.

8. Attempt to use keydbmgr.exe to access the keyfile.bin utilities. If this fails, please let me know and we will take a look at it.

9. Decision Point: Are you going to do any additional refreshes of this target environment from the source environment?

9 (YES): Exit the keydbmgr utility without changing the password or adding a new key.

9 (NO): Change the keyfile password. Optional -- Add a new encryption key.

10. Inside the application, check to make sure that previously encrypted information is decrypting properly. If no, stop and let me know.

11. Inside the application, create a new record with encrypted data. Does it work properly? If no, stop and let me know.

12. Make backups of the working keyfile.bin and the value in S_APP_VER.ENCRYPT_PWD_FL_KEY. Put these somewhere safe.

Applies to:

Siebel System Software - Version: 7.7.2.8 [18379] and later   [Release: V7 and later ]
Oracle Solaris on SPARC (64-bit)
Product Release: V7 (Enterprise)
Version: 7.7.2.8 [18379]
Database: Oracle 9.2.0.4
Application Server OS: Sun Solaris 9
Database Server OS: Sun Solaris 2.8

This document was previously published as Siebel SR 38-3413239318.

Symptoms

Customer reported the following:
Customer applied Siebel Fix Pack versuib 7.7.2.8 on top of Siebel version 7.7.2.6, and immediately started experiencing crashes whenever using encrypted data.
This stops happening after rolling back the Siebel version 7.7.2.8 Fix Pack.
The Call Stack they are getting is the following:

CSSRandomBytes::GenerateRandomBytes
CSSGenericCrypter::AESDecrypt
CSSGenericCrypter::Decrypt
CSSGenericCrypter::Decrypt
CSSKeyManager::decryptPassword
CSSKeyManager::retrievePassword
CSSKeyManager::init
CSSBCFieldCryptMgr::Encrypt
CSSBCFieldCryptMgr::SetEncryptedFieldValue
CSSBCBase::SqlSetFieldValue
CSSBCFieldCryptMgr::SetSecureDisplayValue
CSSBCBase::SqlSetFieldValue
CSSBusComp::SetFieldValue
CSSSWEFrame::SetFieldValue
CSSSWEFrame::StoreFieldData
CSSSWEFrame::PostChangesToBC
CSSSWEFrame::OnActionsWriterecord
CSSMvgImpl::OnActionsWriterecord
CSSTPopupMvg::DoInvokeMethod
CSSSWEFrame::InvokeMethod
...

This customer is using AES as the encryption type, with encryption level (key length or strength) of 256 bit.

Cause

SBL-DAT-00111, SBL-SVC-00281, SBL-UIF-00299, SBL-OSD-02006

Solution

For the benefit of other readers:

We could locate a known Product Defect which has been recently reported in our Knowledge Base:

    - Bug 10522852: After upgrading to 7.8.2.5 SIA, AES 256 encryption causes object manager to crash.

This behavior had been reported with bug# 10522852 for Siebel version 7.8.2.5. The fix for version 7.8.2 has been introduced with Siebel version 7.8.2.12.
On Siebel version 7.7.2, the issue is fixed on version 7.7.2.9 or higher.

Applies to:

Siebel CRM - Version: 8.0.0.2 [20412] and later   [Release: V8 and later ]
Information in this document applies to any platform.

Symptoms

User has upgraded to 128 bit encryption using the Siebel Strong Encryption Pack (SSEP). Now when they try to go into the keydbmgr utility to add a new encyrption key, they are getting the following error:

Internal: error occurred during password decryption.
(SBL-SVC-00281)
Cleaning up... this may take a while.

Review of the keydbmgr.log further clarifies this error with the following:
CryptEngine CryptEngineError 1 0000000248c604c4:0 2008-09-09 15:42:11 Decrypt failed with 10879086.
Error: Base64 decode failed.

Cause

Behavior was caused by inclusion of the /k parameter on the command line. Verified in TS lab environment and change request 12-1Q9Z858 logged.

Solution

This behavior was caused by the inclusion of the /k parameter in the keydbmgr command line. Although this parameter shows up when you use a help command or enter keydbmgr without parameters, it is not documented anywhere and appears to be non-functional. BugID 12-1Q9Z858 has been filed to either fix the functionality or remove the reference.

The workaround is to simply not use the /k parameter. In this case you will be prompted to manually enter the keyfile password.

Applies to:

Siebel CRM Call Center - Version 8.0 SIA [20405] to 8.1.1.3 SIA[21219] [Release V8]
Information in this document applies to any platform.

Symptoms

SUMMARY
--------------------------
After modifying the default password stored under S_APP_VER.ENCRYPT_PWD_FL_KEY and installing the Strong Encryption Pack (SSEP) with AES 256bit encryption, running utilities such as KEYDBUPGRADE and KEYDBMGR fail - and create a user (core) dump.

ERROR MESSAGES
--------------------------
Internal: error occurred during password decryption.(SBL-SVC-00281)

CALL STACK
--------------------------
/apps/siebel/siebsrvr/lib/libsslcosd.so:0x4ad24
/lib/libc.so.1:0xc8dc8
/lib/libc.so.1:0xbd460
/lib/libc.so.1:0xbd648
/apps/siebel/siebsrvr/mw/lib/libmwsafe.so:B_RandomInit+0x0 [ Signal 4 (ILL)]
/apps/siebel/siebsrvr/lib/libsslcrsa256.so:bool CSSRandomBytes::GenerateRandomBytes(const CCFMemBlock&,unsigned,CCFMemBlock&)+0x64
/apps/siebel/siebsrvr/lib/libsslcrsa.so:int CSSGenericCrypter::AESEncrypt(const CCFMemBlock&,const CCFMemBlock&,CCFMemBlock&,CSSAESCrypter::EnumKeyLength&,const CCFMemBlock*)+0xfc
/apps/siebel/siebsrvr/lib/libsslcrsa.so:int CSSGenericCrypter::Encrypt(const CCFMemBlock&,CCFMemBlock&,CSSGenericCrypter::EnumCryptType,const CCFMemBlock*)+0x30c
/apps/siebel/siebsrvr/lib/libsslcrsa.so:int CSSGenericCrypter::Encrypt(const SSstring&,SSstring&,CSSGenericCrypter::EnumCryptType,const SSstring*)+0x1e8
/apps/siebel/siebsrvr/lib/libsslckm.so:unsigned CSSKeyManager::upgrade()+0x440
/apps/siebel/siebsrvr/bin/keydbupgrade:int upgradeKeyDB(CSSKeyManager*)+0x30
/apps/siebel/siebsrvr/bin/keydbupgrade:wmain+0x800
/apps/siebel/siebsrvr/bin/keydbupgrade:main+0x128
/apps/siebel/siebsrvr/bin/keydbupgrade:_start+0x108

EXPECTED BEHAVIOR
-------------------------------
After updating the KEYFILE.BIN with a non-default password, installing the SSEP and patching to the latest version - the KEYDBUPGRADE utility can be successfully run to completion

Cause

Bug 10590129 [CRASH SIEBEL OM AFTER ENABLING AES 256 ENCRYPTOR]

Solution

1. Install Siebel Fix Pack 8.1.1.4
NOTE:
Bug 10591305 has been fixed in 8.1.1.4 FP
Bug 10592400 has been fixed in 8.2.2 FP
Bug 14043864 has been requested for 8.0.0.13 QF
2. Alternative solution,

1. Uninstall the SSEP with AES 256bit encryption
2. Install the SSEP again, but with AES 128bit encryption
3. Run the KEYDBUPGRADE utility
4. Remask all parameters stored in the SIEBNS.DAT

 

 

Applies to:

Siebel CRM - Version 8.0.0.6 [20423] and later
Information in this document applies to any platform.

Symptoms

Environment:
-------------------
Product Type: Siebel CRM
Version: 8.0.0.6 [20423] ENU
OS platform: N/S
DB: Oracle Database - Enterprise Edition
Env type: Dev

Statement of Issue:
-----------------------------
An ASI has been created to enable an external application to insert a SR and an associated contact into Siebel. When the ASI is called and the field ContactEmail is not set, the SR and the contact are inserted correctly and the call completes correctly. When the ASI is called and ContactEmail is set, the SR and the contact aren’t inserted and the call fails with an error.

Error:
-------
Picklist validation of field 'Contact Last Name' in integration component 'Service Request' did not find any matches satisfying the query '[First Name] = "First Ronnie 160" AND [Last Name] = "Last Ronnie 160"', and an attempt to create a new record through the picklist failed.(SBL-EAI-04186)

Cause

The application has been configured so that contact email addresses are encrypted. However, an error was occurring when the application tried to encrypt a value, which in turn caused the contact insert and the ASI call to fail.

EAIObjMgr_enu_0037_38797322.log shows that the EAI Siebel Adapter was trying to insert a record through the Contact bus comp and the following error occurred executing the GetLatestIndxRef method on the SiebelEncryptKey business service:

CryptEngine CryptEngineError 1 00000174511c05c1:0 2013-02-14 15:42:56 Decrypt failed with 4522127. Internal: input disassembly failed.
ObjMgrLog Error 1 00000174511c05c1:0 2013-02-14 15:42:56 (keymanager.cpp (268)) SBL-SVC-00281:
Internal: error occurred during password decryption.

This caused the WriteRecord method to fail with the following error:

15:42:56 (adptutils.cpp (5614)) SBL-EAI-04376: Method 'WriteRecord' of business component 'Contact' (integration component '') returned the following error:
"
Internal: error occurred during password decryption.

The customer confirmed that the "Internal: error occurred during password decryption." also occurred when a user tried to enter a contact email address in the UI.

Solution

The customer configured the application so that it is able to correctly encrypt contact email addresses. The customer raised a SR in the area of Security / Authentication - Data Encryption to request assistance to do this. Once this was done, the contact insert, the SR insert and the ASI call all completed correctly.