Question

AWS KMS security token Exception during E-mail account configuration

I’m trying to configure the Default email account in our client Pega Cloud environment for report scheduling purposes. However, during this setup Pega uses an AWS KMS key store that is available in the system to encrypt the email password with the Encode function from the Pega-RULES: Default library.

At this point, I’m getting an exception from AWS saying that the security token is invalid. I tested the AWS key store file available in the system and the connectivity is fine. Does anybody know when we might encounter this exception?

Attaching the screenshots that have the exception and the detailed rule invocation stack trace.


Correct Answer
September 24, 2019 - 10:11pm

Since the user doesn't have the old master key details, we suggested the changes below, which return the environment to the initial installation stage that uses the OOTB encryption.

delete from data.pr_data_admin_sec_de_key;
delete from data.pr_data_admin_sec_de_cdk where pycdkid=1;

Comments


April 15, 2019 - 8:25am

Can you attach your Email Account rule form? I thought this was all client specific, independent of the Pega Cloud environment itself.

April 15, 2019 - 6:22pm

I've attached the document that has the screenshots and mentions the rule where we are getting the exception.

After going through the exception stack trace, here is my analysis, which could help us resolve this.

1. The application tried to encrypt the password with the help of the keystore that is available in the Amazon KMS location.
2. It tried to call the AWSKMS service.
3. The AWSKMS service returned that the request call was made from an unrecognized client, thus returning UnrecognizedClientException.

I’m not entirely sure, but the articles below say that this might happen if there is an inconsistent date and time between the server (Pega Cloud) and the Amazon KMS server (AWSKMS service).

https://aws.amazon.com/premiumsupport/knowledge-center/security-token-expired/

https://github.com/awslabs/amazon-kinesis-scaling-utils/issues/5

Also, I’m pretty sure that the Access/Secret key pair is valid, as the connectivity looks good (refer to the document).

 

April 15, 2019 - 6:26pm

Here is the exception trace that tells us how Pega invoked the AWSKMS client to access the keystore.

Exception Trace com.amazonaws.services.kms.model.AWSKMSException: The security token included in the request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: UnrecognizedClientException; Request ID: 41d52b79-e7b6-4e7e-9c4f-dee442476155)

Java Stack Trace
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1695)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1350)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1101)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:758)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:732)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:714)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:674)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:656)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:520)
at com.amazonaws.services.kms.AWSKMSClient.doInvoke(AWSKMSClient.java:4467)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:4434)
at com.amazonaws.services.kms.AWSKMSClient.invoke(AWSKMSClient.java:4423)
at com.amazonaws.services.kms.AWSKMSClient.executeDecrypt(AWSKMSClient.java:1324)
at com.amazonaws.services.kms.AWSKMSClient.decrypt(AWSKMSClient.java:1296)
at com.pega.pegarules.exec.internal.crypto.dataencryption.AWSKeyManagementService.decrypt(AWSKeyManagementService.java:65)
at com.pega.pegarules.exec.internal.crypto.dataencryption.DataKeyProvider.decryptEncryptedKey(DataKeyProvider.java:283)
at com.pega.pegarules.exec.internal.crypto.dataencryption.DataKeyProvider.getCustomerDataKey(DataKeyProvider.java:130)
at com.pega.pegarules.exec.internal.crypto.dataencryption.EncryptionHandler.encrypt(EncryptionHandler.java:76)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.encryptUsingKeyStore(PRCryptoImpl.java:700)
at com.pega.pegarules.exec.internal.util.crypto.PRCryptoImpl.encrypt(PRCryptoImpl.java:686)
at com.pegarules.generated.encryptPW_071017__2196136611982189319.encryptPW07_10_17(encryptPW_071017__2196136611982189319.java:112)
at com.pegarules.generated.encryptPW_071017__2196136611982189319.invoke(encryptPW_071017__2196136611982189319.java:81)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.resolveAndinvokeFunctionViaReflection(LibraryRuntime.java:222)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.invokeLibraryRuntime(LibraryRuntime.java:119)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeLibraryRuntime(Executable.java:9150)
at com.pega.pegarules.priv.generator.LibrarySupport.resolveAndInvokeFunctionViaReflectionWithException(LibrarySupport.java:275)
at com.pegarules.generated.Encode_071017_7082641022236447370.Encode07_10_17(Encode_071017_7082641022236447370.java:124)
at com.pegarules.generated.Encode_071017_7082641022236447370.invoke(Encode_071017_7082641022236447370.java:82)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.resolveAndinvokeFunctionViaReflection(LibraryRuntime.java:222)
at com.pega.pegarules.generation.internal.library.LibraryRuntime.invokeLibraryRuntime(LibraryRuntime.java:119)
at com.pega.pegarules.generation.internal.library.LibraryFunctionUtilityImpl.resolveMethodCall(LibraryFunctionUtilityImpl.java:2923)
at com.pega.pegarules.session.internal.mgmt.Executable.resolveMethodCall(Executable.java:11245)
at com.pegarules.generated.activity.ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.step10_circum0(ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.java:1071)
at com.pegarules.generated.activity.ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.perform(ra_action_pxvalidatesender_3abc36f495cca7e21c67a1d9905749a5.java:228)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_validate_fb63fb28c3ec5418de4d318c07999095.step1_circum0(ra_action_validate_fb63fb28c3ec5418de4d318c07999095.java:168)
at com.pegarules.generated.activity.ra_action_validate_fb63fb28c3ec5418de4d318c07999095.perform(ra_action_validate_fb63fb28c3ec5418de4d318c07999095.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.step10_circum0(ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.java:972)
at com.pegarules.generated.activity.ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.perform(ra_action_savesetup_b02f27fca95108f2fb834c0b4d2c51c9.java:223)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_save_42d6fd0440beda0051ccf932f9363bdb.step2_circum0(ra_action_save_42d6fd0440beda0051ccf932f9363bdb.java:580)
at com.pegarules.generated.activity.ra_action_save_42d6fd0440beda0051ccf932f9363bdb.perform(ra_action_save_42d6fd0440beda0051ccf932f9363bdb.java:87)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_wbsave_f4476f734a9fffad799118a95aed5830.step5_circum0(ra_action_wbsave_f4476f734a9fffad799118a95aed5830.java:752)
at com.pegarules.generated.activity.ra_action_wbsave_f4476f734a9fffad799118a95aed5830.perform(ra_action_wbsave_f4476f734a9fffad799118a95aed5830.java:141)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.step4_circum0(ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.java:375)
at com.pegarules.generated.activity.ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.perform(ra_action_rmactionsave_a909453195466a31b681a35f486c53e6.java:121)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.step6_circum0(ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.java:683)
at com.pegarules.generated.activity.ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.perform(ra_action_processrmaction_695ef285353bd79e399d8d2de12e0017.java:159)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.Executable.invokeActivity(Executable.java:10794)
at com.pegarules.generated.activity.ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.step4_circum0(ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.java:408)
at com.pegarules.generated.activity.ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.perform(ra_action_pzruleformtoolbaraction_92e3dff3a770b8ae9e3f0d83f3cb2fbf.java:122)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pegarules.generated.activity.ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.step1_circum0(ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.java:321)
at com.pegarules.generated.activity.ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.perform(ra_action_pzrunactionwrapper_ce33a3e02079c8316326c276001f0fe5.java:70)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3421)
at com.pega.pegarules.session.internal.mgmt.base.ThreadRunner.runActivitiesAlt(ThreadRunner.java:646)
at com.pega.pegarules.session.internal.mgmt.PRThreadImpl.runActivitiesAlt(PRThreadImpl.java:484)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.runActivities(HttpAPI.java:3467)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequestInner(EngineAPI.java:417)
at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.performTargetActionWithLock(PRSessionProviderImpl.java:1368)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:1105)
at com.pega.pegarules.session.internal.PRSessionProviderImpl.doWithRequestorLocked(PRSessionProviderImpl.java:959)
at com.pega.pegarules.session.external.engineinterface.service.EngineAPI.processRequest(EngineAPI.java:354)
at com.pega.pegarules.session.internal.engineinterface.service.HttpAPI.invoke(HttpAPI.java:855)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl._invokeEngine_privact(EngineImpl.java:331)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:274)
at com.pega.pegarules.session.internal.engineinterface.etier.impl.EngineImpl.invokeEngine(EngineImpl.java:251)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngineInner(JNDIEnvironment.java:278)
at com.pega.pegarules.priv.context.JNDIEnvironment.invokeEngine(JNDIEnvironment.java:223)
at com.pega.pegarules.web.impl.WebStandardImpl.makeEtierRequest(WebStandardImpl.java:691)
at com.pega.pegarules.web.impl.WebStandardImpl.doPost(WebStandardImpl.java:397)
at sun.reflect.GeneratedMethodAccessor161.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethod(PRBootstrap.java:370)
at com.pega.pegarules.internal.bootstrap.PRBootstrap.invokeMethodPropagatingThrowable(PRBootstrap.java:411)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethodPropagatingThrowable(AppServerBridgeToPega.java:224)
at com.pega.pegarules.boot.internal.extbridge.AppServerBridgeToPega.invokeMethod(AppServerBridgeToPega.java:273)
at com.pega.pegarules.internal.web.servlet.WebStandardBoot.doPost(WebStandardBoot.java:129)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:1025)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1139)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2555)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2544)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
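The analysis above proposes two things to check: the fields the SDK reports in the exception (service, status, error code, request ID) and whether the Pega Cloud server's clock disagrees with the AWS endpoint. The trace also shows that the failing call is AWSKMSClient.decrypt, reached from DataKeyProvider.decryptEncryptedKey, so the KMS request is Pega decrypting its stored customer data key before it can encrypt the email password. The following is an added diagnostic script, not code from the thread or from Pega: it parses an AWS Java SDK v1 exception message, computes the clock skew from the HTTP Date header of any AWS response, and maps the error code to the credential problem it usually signals. The exception text is the one posted above; the Date header and the timestamps are constructed sample values, and the 300-second window is the SigV4 request-timestamp tolerance AWS documents.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Message layout used by AWS Java SDK v1 service exceptions:
#   "<text> (Service: X; Status Code: N; Error Code: Y; Request ID: Z)"
_SDK_MSG = re.compile(
    r"(?P<message>.*?)\s*\(Service:\s*(?P<service>[^;]+);\s*Status Code:\s*(?P<status>\d+);"
    r"\s*Error Code:\s*(?P<code>[^;]+);\s*Request ID:\s*(?P<request_id>[^)]+)\)"
)

# SigV4 rejects a request whose timestamp is more than 5 minutes off the AWS clock.
MAX_SKEW_SECONDS = 300

# What each SigV4/STS error code usually means for the credentials in use.
# These are general AWS semantics, not something the thread above establishes.
_CODE_HINTS = {
    "UnrecognizedClientException": (
        "AWS did not recognise the access key id / session token: check the key pair "
        "is active, belongs to this account and partition, and that temporary "
        "credentials are sent together with their session token"
    ),
    "InvalidSignatureException": (
        "signature did not verify: wrong secret key, or the request timestamp fell "
        "outside the SigV4 window"
    ),
    "ExpiredTokenException": "temporary credentials have expired: obtain a fresh STS session",
    "AccessDeniedException": "credentials are valid but the KMS key policy or IAM policy denies the call",
}


def parse_sdk_exception(text: str) -> dict:
    """Split an AWS Java SDK v1 exception message into its fields.
    Raises ValueError when the text is not in that layout."""
    m = _SDK_MSG.search(text)
    if not m:
        raise ValueError("not an AWS SDK service exception message")
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    fields["status"] = int(fields["status"])
    return fields


def clock_skew_seconds(date_header: str, local_now: datetime) -> float:
    """Seconds by which the local clock is ahead (+) or behind (-) the AWS endpoint,
    using the RFC 1123 Date header that every AWS HTTP response carries."""
    remote = parsedate_to_datetime(date_header)
    if local_now.tzinfo is None:
        local_now = local_now.replace(tzinfo=timezone.utc)
    return (local_now - remote).total_seconds()


def diagnose(exception_text: str, date_header: str, local_now: datetime) -> dict:
    """Combine the parsed exception with the skew measurement into a findings list."""
    fields = parse_sdk_exception(exception_text)
    skew = clock_skew_seconds(date_header, local_now)
    findings = []
    if abs(skew) > MAX_SKEW_SECONDS:
        findings.append(
            f"clock skew of {skew:+.0f}s exceeds the {MAX_SKEW_SECONDS}s SigV4 window; "
            "fix time sync on the host before looking at credentials"
        )
    hint = _CODE_HINTS.get(fields["code"])
    if hint:
        findings.append(hint)
    return {"fields": fields, "skew_seconds": skew, "findings": findings}


# The exception line from the thread above (request ID as posted there).
SAMPLE_EXCEPTION = (
    "com.amazonaws.services.kms.model.AWSKMSException: The security token included in the "
    "request is invalid. (Service: AWSKMS; Status Code: 400; Error Code: "
    "UnrecognizedClientException; Request ID: 41d52b79-e7b6-4e7e-9c4f-dee442476155)"
)
# Constructed sample: Date header of the KMS response and the host's own clock at that moment.
SAMPLE_DATE_HEADER = "Mon, 15 Apr 2019 18:22:00 GMT"
SAMPLE_LOCAL_NOW = datetime(2019, 4, 15, 18, 22, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    report = diagnose(SAMPLE_EXCEPTION, SAMPLE_DATE_HEADER, SAMPLE_LOCAL_NOW)
    print(f"{report['fields']['service']} {report['fields']['status']} "
          f"{report['fields']['code']} request={report['fields']['request_id']}")
    print(f"clock skew: {report['skew_seconds']:+.0f}s")
    for f in report["findings"]:
        print(" -", f)
```

Feed it the exception text from the Pega log and the Date header captured from any response of the same endpoint (a failed request still carries one). If the skew finding is absent, as with the 30-second sample here, the date/time theory is ruled out and the request ID from the parsed fields is what to quote when raising the SR, since AWS support can look up why that specific request was rejected.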

April 15, 2019 - 6:42pm

I got the comprehensive exception stack trace from the log file. If the Tracer log file would be helpful, I can create an SR and send it over via my support portal.

April 15, 2019 - 8:30pm

Hi Naveen,

Please go ahead with SR creation, and this will be handled by the appropriate team from Pega GCS.

Thanks for all the details and please attach them to the SR.

April 16, 2019 - 12:32am

SR-D8285 is raised for the GCS team to help us in resolving this issue.

April 30, 2019 - 10:39pm

Hi,

Did anyone face this issue before? The KMS keys are configured properly in our system and they are working fine with other features (sending data to an Amazon S3 bucket).

The only time we face this issue is when we try to update the password in the email account rule.

Regards,

Naveen.
