[DM_CRYPTO_E_CANT_FETCH_CRYPTO_OBJECTS]error

Srihari S
edited June 30, 2021 in Documentum #1

Hi All,

Recently we have upgraded from DCTM 16.4 to 20.4 version. Exported the data(content and metadata) from 16.4 system and imported to 20.4. Verified the metadata and it looks good.

Database: Oracle 19c

O/S: RHEL 7.9

But when I try to open any document, I am getting the below error in DA.

Could not download content file for document 'xxxxxxx'. : The Filestore Key associated with the storage area filestore_02 could not be retrieved. Internal error - 1.

Below is the docbase log:

2021-06-30T16:45:46.120657   2458[2458]   0000000000000000    [DM_CRYPTO_E_CANT_FETCH_CRYPTO_OBJECTS]error: "The Filestore Key associated with the storage area filestore_02 could not be retrieved. Internal error - 1."
2021-06-30T16:45:46.143541   2458[2458]   0000000000000000    [DM_SESSION_I_INIT_BEGIN]info: "Initialize National Language Character Translation."
2021-06-30T16:45:46.152882   2458[2458]   0000000000000000    [DM_CHARTRANS_I_TRANSLATOR_OPENED]info: "Translator in directory (../install/external_apps/nls_chartrans) was added succesfully initialized. Translator specifics: (Chararacter Translator: , Client Locale: (Windows :(4099), Version: 4.0), CharSet: ISO_8859-1, Language: English_US, UTC Offset: 0, Date Format:%2.2d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d, Java Locale:en, Server Locale: (Linux :(8201), Version: 2.4), CharSet: UTF-8, Language: English_US, UTC Offset: 0, Date Format:%2.2d/%2.2d/%2.2d %2.2d:%2.2d:%2.2d, Java Locale:en, Shared Library: ../install/external_apps/nls_chartrans/unitrans.so)"
2021-06-30T16:45:46.156675   2458[2458]   0000000000000000    [DM_SESSION_I_INIT_BEGIN]info: "Initialize LDAP setup."
2021-06-30T16:45:46.204931   2458[2458]   0000000000000000    [DM_CRYPTO_E_PASSWORD_DECRYPTION_FAILED]error: "Decryption of password present in file /opt/app/documentum/dba/config/CDDM/ldap_0850fa8780001114.cnt failed, status - 2"  


Permission also looks fine on the data folder and it's sub folders. We are unable to proceed. Could you please help on the error. Anything else I am missing here..

Comments

  • Are you using encrypted filestores? Did you copy the aek.key from the source installation to the new one? If not I suppose the repository wouldn't start up but I'm confused by your logs: it looks like the log messages when the docbase starts up.

  • Srihari S
    edited July 6, 2021 #3

    Hi Bacham3,

    The Filestore is not encrypted. Below is the process we followed. Please let us know if you see something wrong in it.

    Once all the DCTM components are installed and the binaries are installed/deployed(DAR and custom webservices). We started with the DB migration.

    When we did the DB(metadata) export from 16.4 and Import to 20.4 and copy the content, we got the below errors in the docbase log.

    2021-06-29T18:50:51.298032   2491[2491]   0000000000000000    [DM_SERVER_F_CANT_CREATE_TICKET_MANAGER]fatal: "Unable to create ticket manager on server startup. Likely reason is corrupted aek.key file or docbase config object. The server will shutdown."
    [DM_CRYPTO_E_PASSWORD_DECRYPTION_FAILED]error: "Decryption of password present in file /opt/app/documentum/dba/config/CDDM/ldap_0850fa8780001114.cnt failed, status - 2"
    2021-06-29T18:50:50.997810   2491[2491]   0000000000000000    [DM_CRYPTO_E_CANT_FETCH_CRYPTO_OBJECTS]error: "The Filestore Key associated with the storage area filestore_02 could not be retrieved. Internal error - 1057226578."
    

    Actually we have imported all the tables(including dm_docbase_config as well). But later identified that dm_docbase_config contains crypto key in the table and should not be overridden. So, excluded this table and Imported everything again.

    Now I could see only Filestore key error in the log. But after digging further, we realised that the Issue might also be due to TCS(trusted content services).

    we have enabled TCS in 16.4 and 20.4. We have the same license key in both the versions. Will it work or do we need to get a new license key for 20.4 version? We haven't copied the aek.key, but noticed that the file is same in both the servers.

  • TCS license is the same regardless of server version. Aek.key though is not. You MUST copy the aek.key (overwriting the one on existing server if there is one).

  • Thanks Bacham3. We will do this. One more query, we can also override the dm_docbase_config table(s) right in DB from 16.4 to 20.4 version?

  • Sorry but I don't understand your question.

  • Ok. My question is: Can we export the full schema right from 16.4 DB and Import in 20.4 version or any tables to be excluded?

  • You MUST export/import the full schema! If you leave out tables it won't work.

  • Srihari S
    edited July 1, 2021 #9

    Hi Bacham3,

    Getting the below error when we replace the aek.key file from 16.4 server. Are we missing anything here? I am doing this for first time, so these many questions..

    Thu Jul 1 14:18:14 2021[DM_STARTUP_W_DOCBASE_OWNER_NOT_FOUND] *** warning *** : The database user, CDDM as specified by your server.ini is not a valid user as determined using the system password check api. This will likely severly impair the operation of your docbase.

    2021-07-01T14:18:14.151412 16381[16381] 0000000000000000 [DM_CRYPTO_F_KEYSTORE_INIT]fatal: "Failed to initialize keystore at /opt/app/documentum/dba/secure/aek.key. Internal error - 1057226525"

    Do we need to override the database password also? Do we need to re-generate the dfc.keystore after copying the aek.key file?