  • External authentication - external users are failing to log in due to password decryption and encryption errors


    vchiem
    • Features: JasperReports Server Version: v7.9, v7.9.0, v7.8, v7.8.1, v7.8.0, v7.5, v7.5.1, v7.5.0 Product: JasperReports® Server

    Issue:

    In a cluster environment where TIBCO JasperReports® Servers are configured with external authentication (such as LDAP authentication) and share the same repository database, external users can fail to log in to one of the TIBCO JasperReports® Server nodes.

    The jasperserver.log file shows that the login failure begins with a failed password decryption:

    2021-11-15T17:47:08,998  WARN Cipherer,http-nio-8080-exec-6:228 - Decryption failed javax.crypto.BadPaddingException: Given final block not properly padded
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:989)
        at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:845)
        at com.sun.crypto.provider.AESCipher.engineDoFinal(AESCipher.java:446)
        at javax.crypto.Cipher.doFinal(Cipher.java:2165)
        at com.jaspersoft.jasperserver.api.common.crypto.Cipherer.decode(Cipherer.java:226)
        at com.jaspersoft.jasperserver.api.common.crypto.Cipherer.decode(Cipherer.java:174)
        at com.jaspersoft.jasperserver.api.common.crypto.PasswordCipherer.decodePassword(PasswordCipherer.java:138)

    followed by a re-encryption of the password, which produced an encrypted value longer than the default 250-character limit defined for the JIUSER.password column:

    2021-11-15T17:47:09,068 DEBUG PasswordCipherer,http-nio-8080-exec-6:154 - Encode password: true
    2021-11-15T17:47:09,083 ERROR BatchingBatch,http-nio-8080-exec-6:120 - HHH000315: Exception executing batch [java.sql.BatchUpdateException: Batch entry 0 update JIUser set username='bob', tenantId=2944, fullname='bob', emailAddress=NULL, password='<encrypted password string greater than 250 chars>', externallyDefined='TRUE', enabled='TRUE', previousPasswordChangeTime=NULL where id=3177 was aborted: ERROR: value too long for type character varying(250)  Call getNextException to see other errors in the batch.], SQL: update JIUser set username=?, tenantId=?, fullname=?, emailAddress=?, password=?, externallyDefined=?, enabled=?, previousPasswordChangeTime=? where id=?
    2021-11-15T17:47:09,087 ERROR SqlExceptionHelper,http-nio-8080-exec-6:131 - Batch entry 0 update JIUser set username='bob', tenantId=2944, fullname='bob', emailAddress=NULL, password='<encrypted password string greater than 250 chars>', externallyDefined='TRUE', enabled='TRUE', previousPasswordChangeTime=NULL where id=3177 was aborted: ERROR: value too long for type character varying(250)  Call getNextException to see other errors in the batch.
    2021-11-15T17:47:09,090 ERROR SqlExceptionHelper,http-nio-8080-exec-6:131 - ERROR: value too long for type character varying(250)
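    The two symptoms above (a Cipherer decryption failure followed, on the same request thread, by a "value too long" error on JIUser) are a recognisable pattern in jasperserver.log. The following detector is an added example, not part of the original article or of the JasperReports Server code: it parses lines in the log4j layout shown above and flags the pairing per thread. The sample log text is constructed to mirror the article's lines (the extra threads, user names and the `SomeLogger` logger are made up).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the jasperserver.log lines quoted in the article.
# Threads exec-7 and exec-8 are made up to show what is NOT flagged.
SAMPLE_LOG = """\
2021-11-15T17:47:08,998  WARN Cipherer,http-nio-8080-exec-6:228 - Decryption failed javax.crypto.BadPaddingException: Given final block not properly padded
    at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:989)
2021-11-15T17:47:09,068 DEBUG PasswordCipherer,http-nio-8080-exec-6:154 - Encode password: true
2021-11-15T17:47:09,083 ERROR BatchingBatch,http-nio-8080-exec-6:120 - HHH000315: Exception executing batch [java.sql.BatchUpdateException: Batch entry 0 update JIUser set username='bob' ... was aborted: ERROR: value too long for type character varying(250)]
2021-11-15T17:47:12,001  INFO SomeLogger,http-nio-8080-exec-7:10 - user alice logged in
2021-11-15T17:47:13,500 ERROR SqlExceptionHelper,http-nio-8080-exec-8:131 - ERROR: value too long for type character varying(250)
"""

# <timestamp> <LEVEL> <logger>,<thread>:<line> - <message>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>[\w.$]+),(?P<thread>[^:]+):\d+\s+-\s+(?P<msg>.*)$"
)


def parse_log(text):
    """Parse log4j-style lines into dicts; stack-trace continuation lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_keystore_mismatch(events):
    """Return (thread, timestamp) pairs where a Cipherer 'Decryption failed' is
    followed on the same request thread by a 'value too long' error.

    A 'value too long' error on its own (thread exec-8 in the sample) is not
    flagged: without the preceding decryption failure it may be another column.
    """
    last_failure = defaultdict(lambda: None)   # thread -> ts of last decryption failure
    findings = []
    for ev in events:
        t = ev["thread"]
        if ev["logger"] == "Cipherer" and "Decryption failed" in ev["msg"]:
            last_failure[t] = ev["ts"]
        elif last_failure[t] and "value too long for type character varying" in ev["msg"]:
            findings.append((t, last_failure[t]))
            last_failure[t] = None
    return findings


if __name__ == "__main__":
    for thread, ts in find_keystore_mismatch(parse_log(SAMPLE_LOG)):
        print(f"{ts} {thread}: decryption failure followed by JIUser.password overflow "
              f"- check that this node uses the same keystore as the other cluster nodes")
```

Correlating on the request thread matters because the "value too long" error can also come from an unrelated column; only the pairing with a Cipherer decryption failure points at a keystore mismatch.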


    Solution:

    The cause lies in how the application servers were set up: each server node was installed with a different keystore. When an external user logs in to a TIBCO JasperReports® Server node whose keystore differs from the one used to encrypt the stored password, that node fails to decrypt the password and then "double encrypts" it (encrypts the already encrypted value). The resulting ciphertext exceeds the default length limit of the JIUSER.password column.

    As documented in the article "Encryption in JasperReports Server 7.5+" (https://community.jaspersoft.com/wiki/encryption-jasperreports-server-75), cluster server nodes must have the same keystore. To rectify this problem, ensure that all application servers that participate in a cluster (or that are configured to share the same 'jasperserver' repository database) are installed with the same keystore files.

    Note: The TIBCO JasperReports® Server 8.0 Release Notes document a workaround that suggests increasing the length of the JIUSER.password column. This is not an ideal workaround: it can affect future upgrades that export and import repository data, because the exported JIUSER.password values from the source database may be longer than the JIUSER.password column in the target database. A documentation defect was raised to correct this entry in the Release Notes.
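    Why a "double encrypt" overflows the column, and why widening the column only delays the failure, can be seen from the length arithmetic alone, because block-cipher output length depends on padding and text encoding rather than on the key. The model below is an added example, not code from the article or from JasperReports Server: it assumes AES in CBC mode with PKCS5 padding and a hex or Base64 text encoding of the ciphertext; the real Cipherer's encoding and IV handling are not described on the page, and the plaintext lengths are constructed. Each pass feeds the previous stored string back in as plaintext, which is what happens when a node with a different keystore re-encrypts a value it could not decrypt.

```python
import math

AES_BLOCK = 16       # AES block size in bytes
COLUMN_LIMIT = 250   # default width of JIUSER.password as stated in the article


def padded_length(n):
    """Bytes of AES/CBC output for an n-byte input with PKCS5 padding.
    A full extra block is added when n is already a multiple of 16."""
    return (n // AES_BLOCK + 1) * AES_BLOCK


def encoded_length(n, encoding):
    """Characters needed to store n ciphertext bytes as text."""
    if encoding == "hex":
        return 2 * n
    if encoding == "base64":
        return 4 * math.ceil(n / 3)
    raise ValueError(f"unknown encoding {encoding!r}")


def stored_lengths(plain_len, rounds, encoding="hex"):
    """Stored string length after 1..rounds encryption passes, where every pass
    re-encrypts the text produced by the previous one (the double-encrypt case)."""
    lengths, n = [], plain_len
    for _ in range(rounds):
        n = encoded_length(padded_length(n), encoding)
        lengths.append(n)
    return lengths


def rounds_until_overflow(plain_len, limit=COLUMN_LIMIT, encoding="hex", max_rounds=10):
    """Number of encryption passes after which the value no longer fits the column,
    or None if it still fits after max_rounds passes."""
    for i, n in enumerate(stored_lengths(plain_len, max_rounds, encoding), start=1):
        if n > limit:
            return i
    return None


if __name__ == "__main__":
    # Constructed plaintext lengths: a short password and a longer generated secret.
    for plain_len in (12, 64):
        for enc in ("hex", "base64"):
            print(f"{plain_len:3d}-byte plaintext, {enc:6s}: "
                  f"lengths per pass {stored_lengths(plain_len, 4, enc)}, "
                  f"overflows {COLUMN_LIMIT}-char column on pass "
                  f"{rounds_until_overflow(plain_len, encoding=enc)}")
```

Each pass roughly doubles (hex) or multiplies by about 4/3 (Base64) the stored length, so a value that fits comfortably after one encryption can exceed 250 characters after the second. Raising the column width, as the Release Notes workaround suggests, moves the threshold by one pass at most and leaves the double-encrypted value unreadable by every node; only a shared keystore removes the cause.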
