
[Junos Space] JBoss does not come up after performing backup restore on version 15.2 R2.


Article ID: KB31044 | KB Last Updated: 21 Jul 2016 | Version: 2.0
Summary:

When a Junos Space DB backup from version 15.2R2 is restored on a different setup from the one where it was taken, JBoss does not come up. The cause is a new DB field introduced in the 15.2R2 release for security reasons.

Symptoms:

Although the 'service jboss status' output shows JBoss as running, JBoss is unable to complete the 'ear' package deployment and remains in startup mode. The UI is stuck on the message "Junos Space is preparing to start up" and does not move to the next stage, where it should say "Junos Space is starting, please standby...".

Logs seen in /var/log/jboss/server/server1/server.log:

JBoss is not able to complete the cmp.ear deployment:

2016-06-08 11:51:14,884 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-38) opennms is waiting for cmp to complete application initialization.
2016-06-08 11:51:16,272 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-56) seci is waiting for cmp to complete application initialization.
2016-06-08 11:51:17,337 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-12) appvisibility is waiting for cmp to complete application initialization.
2016-06-08 11:51:17,400 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-39) ecm is waiting for cmp to complete application initialization.
2016-06-08 11:51:17,448 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-63) sm is waiting for cmp to complete application initialization.


OR

Logs specific to the NMA password decode error, caused by the new AES key restored from the backup:

2016-07-08 01:24:58,403 ERROR [net.juniper.jmp.crypt.CryptUtil] (EJB ts-pool - 2) Decode device password error, please check the AESKey!AESKEY:PiPU4k8KMaUq1lVFOEIvcuvESd8gqHlpmIx0ne9+HwA=
2016-07-08 01:24:59,004 ERROR [net.juniper.jmp.crypt.CryptUtil] (EJB ts-pool - 1) Decode device password error, please check the AESKey!AESKEY:PiPU4k8KMaUq1lVFOEIvcuvESd8gqHlpmIx0ne9+HwA=
2016-07-08 01:24:59,005 ERROR [net.juniper.jmp.crypt.CryptUtil] (EJB ts-pool - 1) Decode device password error, please check the AESKey!AESKEY:PiPU4k8KMaUq1lVFOEIvcuvESd8gqHlpmIx0ne9+HwA=
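
The two log signatures above can be checked for with a short script. This is an added example, not part of the original article or of Juniper tooling: the function names, verdict labels and sample log lines are constructed for illustration. It also redacts the AES key that the error lines print, so the matching lines can be shared in a support case without the key.

```shell
#!/bin/sh
# Added example (not Juniper code): triage a server.log for this article's
# two symptom signatures and redact the AES key that the error lines print.

# Constructed sample modelled on the excerpts above; the key is a placeholder.
sample_log() {
cat <<'EOF'
2016-06-08 11:51:14,884 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-38) opennms is waiting for cmp to complete application initialization.
2016-06-08 11:51:16,272 WARN [net.juniper.jmp.cmp.system.AppInitializer] (MSC service thread 1-56) seci is waiting for cmp to complete application initialization.
2016-07-08 01:24:58,403 ERROR [net.juniper.jmp.crypt.CryptUtil] (EJB ts-pool - 2) Decode device password error, please check the AESKey!AESKEY:Q09OU1RSVUNURUQtU0FNUExFLUtFWQ==
2016-07-08 01:24:59,004 INFO [org.example.Other] (main) constructed unrelated line
EOF
}

# Print only the key-decode errors, with the key material replaced.
redact_aes() {
    sed -n 's/\(Decode device password error.*AESKEY:\).*/\1[REDACTED]/p'
}

# Count decode errors and distinct apps waiting on cmp, then give a verdict.
# The verdict labels are hypothetical names chosen for this example.
triage() {
    awk '
        /CryptUtil/ && /Decode device password error/ { dec++ }
        / is waiting for cmp to complete application initialization/ {
            for (i = 2; i < NF; i++)
                if ($i == "is" && $(i + 1) == "waiting") apps[$(i - 1)] = 1
        }
        END {
            n = 0
            for (a in apps) n++
            printf "decode_errors=%d waiting_apps=%d\n", dec, n
            if (dec > 0)    print "verdict=aes_key_mismatch"
            else if (n > 0) print "verdict=cmp_deploy_stalled"
            else            print "verdict=no_match"
        }'
}

# Stand-alone run on the sample; on a node, feed the real log instead:
#   triage < /var/log/jboss/server/server1/server.log
sample_log | redact_aes
sample_log | triage
```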

Cause:
In version 15.2R2, the Node Management Agent (NMA) passwords are encrypted using Advanced Encryption Standard (AES) keys for all nodes. The encrypted passwords are stored in the database, whereas the AES keys are stored in the file system [/etc/pki/sck/adminpassword_aes.key].

When the database is restored from a different cluster setup to the current setup, the AES keys in the current setup's file system are overwritten by the AES keys taken from the different setup. However, the current setup still has NMA passwords that were encrypted using the old AES keys; they were not encrypted using the new AES keys. As a result, NMA calls fail due to authentication failure.
Solution:
The workaround is to reset the NMA passwords to the default (NULL in the database and "abc123" in the htpasswd file for NMA). After this workaround is applied, new NMA passwords are generated using the newly restored AES keys when JBoss is stopped and started. This happens only when the NMA password is NULL in the database.
  1. Set nmaPassword to NULL in the DB:
    echo update build_db.FABRIC_NODE set nmaPassword = NULL | mysql -u jboss -pnetscreen [Execute on the DB node]
  2. Set the default password for NMA:
    htpasswd -cb /var/www/cgi-bin/.htpasswd admin abc123 [Execute on all nodes]
  3. Stop the JBoss service on all nodes:
    service jboss stop [jmp-watchdog will start the service again; check /var/log/watchdog]

Note: This workaround will work only for the Space nodes (JBoss, DB and Cassandra nodes). It will not work for Special nodes (FMPM nodes).

