  • Command Line export of users to a catalog is causing the import of the catalog to fail with "Weak password" error


    vchiem
    • Features: JasperReports Server Version: v8, v8.0, v8.0.0, v8.0.1, v8.0.2, v8.1, v8.1.0, v7, v7.9, v7.9.1, v7.9.0, v7.8, v7.8.1, v7.8.0, v7.5, v7.5.2, v7.5.1, v7.5.0 Product: JasperReports® Server

    Issue:

    A typical scenario is an upgrade of TIBCO JasperReports® Server from v7.5 to v8.0 where the user runs the following export command from the TIBCO JasperReports® Server v7.5 buildomatic directory:

    ./js-export.sh --everything --keyalias deprecatedImportExportEncSecret --output-zip /tmp/uat-7.5.2-01.zip

    or (for users only):

    ./js-export.sh  --users --keyalias deprecatedImportExportEncSecret --output-zip /tmp/uat-users-7.5.2.zip

    Importing the catalog from the TIBCO JasperReports® Server v8.0 buildomatic directory then fails with "Weak password":

    Buildfile: C:\jasperreports-server-pro-8.0.2-bin\buildomatic\build.xml
         [exec] Result: 128
         [echo]  Back-End version: fatal: not a git repository (or any of the parent directories): .git-SNAPSHOT
         [echo] Front-End version: fatal: not a git repository (or any of the parent directories): .git-SNAPSHOT
         [echo] Maven settings: C:/jasperreports-server-pro-8.0.2-bin/buildomatic/build_conf/default/maven_settings.xml
    
    import:
         [echo]  --- (import-export.xml:run-import-export) archiveArg = --input-zip=C:/jasperreports-server-pro-8.0.2-bin/buildomatic/uat-users-7.5.2.zip ---
         [echo]              dbType = postgresql
         [echo]             jdbcJar = postgresql-42.2.20.jar
         [echo]         currentConf = C:/jasperreports-server-pro-8.0.2-bin/buildomatic/build_conf/default
         [echo]  importExportConfig = C:/jasperreports-server-pro-8.0.2-bin/buildomatic/conf_source/iePro
         [echo]
         [echo] Validating JasperServer database connection at jdbc:postgresql://xxxxxxxxx:5432/<db>. Phase: [import-export-test]
    [advanced-sql] Executing commands
    [advanced-sql] 1 of 1 SQL statements executed successfully
         [echo] Connection OK
         [java] First resource path: C:\jasperreports-server-pro-8.0.2-bin\buildomatic\conf_source\iePro
         [java] Loading configuration resources
         [java] Initialization complete
         [java] Using default importCommandBean command bean
         [java] Processing started
         [java] Using com.jaspersoft.jasperserver.export.io.ZipFileInputFactory input factory
         [java] Using importerPrototypePro importer prototype bean.
         [java] Invoking module com.jaspersoft.jasperserver.multipleTenancy.export.MultiTenancyAuthorityImporter@1b70e1bb
         [java] Updated user superuser
         [java] Weak password.
    
    BUILD FAILED
    C:\work\jasperreports-server-pro-8.0.2-bin\buildomatic\bin\import-export.xml:235: The following error occurred while executing this line:
    C:\work\jasperreports-server-pro-8.0.2-bin\buildomatic\bin\import-export.xml:168: Java returned: -1

     

    Note: This error can occur even if the users are internally defined users. The import can also fail when it is done through the online TIBCO JasperReports® Server Import page.

    IMPORTANT: For other potential causes of the 'Weak Password' error please see this article:

    The Command Line Import Stops with a "Weak password" Error


    Solution:

    The cause of the problem is that the export file contains incorrectly encrypted user passwords.

    Buildomatic and TIBCO JasperReports® Server reference two different sets of keystore files (ks/ksp). This is likely because two different user accounts were used: one to install buildomatic (jasperadmin) and one to install TIBCO JasperReports® Server (tomcat):

    Buildomatic

    buildomatic/keystore.init.properties has entries:

    ks=/home/jasperadmin

    ksp=/home/jasperadmin

    TIBCO JasperReports® Server

    WEB-INF/classes/keystore.init.properties has entries:

    ks=/home/tomcat

    ksp=/home/tomcat

    When TIBCO JasperReports® Server uses one keystore and buildomatic uses another, the export flow looks like this:

    1. TIBCO JasperReports® Server running - passwords inside repo db are encrypted using tomcat.passwordEncSecret

    2. buildomatic export - uses buildomatic.passwordEncSecret and decrypts the user password from db into plain text

    3. buildomatic export - uses deprecatedImportExportEncSecret and encrypts the user password, and puts it into export zip

    In step 2, buildomatic decrypts the passwords with a completely different key, which can produce garbled strings; step 3 then adds these strings to the exported zip file.

    Even if the import succeeds, which can happen if the encrypted password passes the password-matching check, the imported password string stored in the repository will cause TIBCO JasperReports® Server users to fail to log in with a password credentials failure, because TIBCO JasperReports® Server uses a different set of keys.

    Steps:

    On the source server instance (for this scenario it is TIBCO JasperReports® Server v7.5):

    1. Back up /home/jasperadmin/.jrsks and .jrsksp before deleting them

    2. Confirm that no environment variables are set for ks and ksp

    3. Edit buildomatic/keystore.init.properties and set ks and ksp to point to the JRS keystore files:

    ks=/home/tomcat

    ksp=/home/tomcat

    4. chmod -R 644 .jrs* and confirm that the user who runs the export (i.e. the user logged into Linux, jasperadmin) can read these files

    5. Perform the command line export using the deprecatedImportExportEncSecret key

    6. Check that during export, keystore files were not created under /home/jasperadmin

    On the target server instance (for this scenario it is TIBCO JasperReports® Server v8.0):

    7. Import the exported zip file using the deprecatedImportExportEncSecret key

    Note: Specific to TIBCO JasperReports® Server 7.5 only, there was an extra requirement to update the keystore files: base64-decode the .jrsksp file, modify the ksPath property, and base64-encode the file again. Refer to "Updating Keystore files" from https://community.jaspersoft.com/wiki/encryption-jasperreports-server-75. This extra step is no longer required from TIBCO JasperReports® Server 7.8 onwards.

    Note 2: One way of checking whether the keystore files in two locations are the same is to run an md5 checksum on the .jrsks files.
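
    The check from Note 2 and steps 2 to 4 can be scripted before running the export. The script below is an added example, not part of the original article or of the product: it reads ks/ksp from the two keystore.init.properties files passed as arguments and compares the .jrsks and .jrsksp files they point to. The script name, function names and the use of cmp (a byte-for-byte comparison in place of the md5 checksum) are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that buildomatic and the deployed web app resolve to
# the same keystore files before exporting. Both properties files are passed
# in as arguments; no install location is assumed.

# Last value of a key (ks or ksp) in a keystore.init.properties file.
prop_value() {  # $1 = key, $2 = properties file
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# True when ks or ksp is set in the environment (step 2 of the procedure).
env_override_set() {
    [ -n "${ks:-}" ] || [ -n "${ksp:-}" ]
}

# Compare the .jrsks/.jrsksp files each properties file points to.
# Returns 0 = identical, 1 = different keystores, 2 = missing or unreadable.
compare_keystores() {  # $1 = buildomatic properties, $2 = web app properties
    result=0
    for key in ks ksp; do
        file=".jrs$key"
        a="$(prop_value "$key" "$1")/$file"
        b="$(prop_value "$key" "$2")/$file"
        if [ ! -r "$a" ] || [ ! -r "$b" ]; then
            echo "UNREADABLE  $key: $a | $b"
            return 2
        fi
        if cmp -s "$a" "$b"; then
            echo "MATCH       $key: $a == $b"
        else
            echo "MISMATCH    $key: $a != $b"
            result=1
        fi
    done
    return "$result"
}

# Usage: sh check-keystores.sh <buildomatic props> <WEB-INF/classes props>
if [ "$#" -eq 2 ]; then
    if env_override_set; then echo "WARNING: ks/ksp set in the environment"; fi
    compare_keystores "$1" "$2"
    exit $?
fi
```

    Run it as the account that performs the export (jasperadmin in this scenario): UNREADABLE means that account cannot read the keystore files of the server, and MISMATCH means the export would decrypt passwords with the wrong key.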
