SYM_ENCRYPT failing on JGroups 5

Chintan Mohan Rohila

Jul 14, 2025, 5:20:16 AM
to jgroups-dev
Hello there,

We are using JGroups 5.4.6 on a 3-node cluster. Each node is running 4 JChannels with the following protocol stack.

The channels are forming partial views and we are getting the following message in the application logs.

Partial Views (Probe.out):
#10 (188 bytes):
seliics09759-23814 (ip=192.168.64.68:10603)
view=[seliics09759-23814|1] (2) [seliics09759-23814, seliics09760-24943]
cluster=TRAFFIC
version=5.4.6.Final (Alpe d'Huez) (java 17.0.15+6-LTS)

Application log:
2025-07-14 11:49:41.665 TRACE org.jgroups.protocols.pbcast.STABLE - seliics09759-39735: sending stability msg seliics09759-39735: [0]
2025-07-14 11:49:41.665 WARN  org.jgroups.protocols.SYM_ENCRYPT - seliics09759-39735: unable to send message down
2025-07-14 11:49:41.665 TRACE org.jgroups.protocols.pbcast.NAKACK2 - seliics09759-39735: received stable digest seliics09759-39735: [0 (0)]

Has anyone faced a similar situation, and how was it resolved?

Any help/suggestion is much appreciated.

<config xmlns="urn:org:jgroups"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:org:jgroups http://www.jgroups.org/schema/jgroups.xsd">
    <UDP
        bind_addr="192.168.64.67"
        mcast_port="10600"
        bind_port="10601"
        port_range="90"
        diag.port="10599"
    />
    <PING />
    <MERGE3/>
    <FD_SOCK
        bind_addr="192.168.64.67"
        start_port="38001"
        port_range="100"
    />
    <FD_ALL
        timeout="12000"
        interval="3000"
    />
    <VERIFY_SUSPECT bind_addr="192.168.64.67" />
    <SYM_ENCRYPT
        sym_algorithm="AES/CBC/PKCS5Padding"
        sym_keylength="128"
        sym_iv_length="16"
        keystore_name="${jgroups.keystore_name}"
        store_password="store_password"
        alias="sym_key"
        keystore_type="JCEKS"
    />
    <pbcast.NAKACK2/>
    <BARRIER />
    <UNICAST3/>
    <pbcast.STABLE/>
    <pbcast.GMS print_local_addr="true" />
    <AUTH
        auth_class="org.jgroups.auth.X509Token"
        auth_token.keystore_path="${cass_keystore_path}"
        auth_token.keystore_password="keystore_password"
        auth_token.cert_alias="cert_alias"
        auth_token.cert_password="cert_password"
        auth_token.auth_value="auth_value"
        auth_token.cipher_type="RSA"/>
    <UFC/>
    <MFC/>
    <FRAG2/>
</config>

  
Probe.zip
Application.zip

Bela Ban

Jul 14, 2025, 8:16:02 AM
to jgrou...@googlegroups.com
The application log shows that a member cannot join and each of the 10 attempts times out after 2s.
If you comment SYM_ENCRYPT and AUTH, does this succeed?
If you uncomment the 2 protocols separately, does one combination work?

I suggest enabling TRACE logging on SYM_ENCRYPT, and looking at the logs. I suspect SYM_ENCRYPT is not configured correctly, so that decryption fails...

-- 
Bela Ban | http://www.jgroups.org

Chintan Mohan Rohila

Jul 15, 2025, 12:24:13 AM
to Bela Ban, jgroups-dev
Thanks for your prompt reply. 

It works with SYM_ENCRYPT commented out and also both SYM_ENCRYPT and AUTH commented out. 

The issue lies only with the SYM_ENCRYPT protocol.

We have been reviewing the code by adding logging statements, and it looks like the exception comes from line# 341 in ENCRYPT.java:

        if(length > 0)
            encrypted.setArray(code(payload, offset, length, iv, false));
        else // length is 0, but buffer may be "" (empty, but *not null* buffer)! [JGRP-2153]
            encrypted.setArray(payload, offset, length);
        log.warn("Hello this is reached in if end" + encrypted);  ---> this message is never received and we get an exception in the lines above


Best regards,
Chintan Rohila

Bela Ban

Jul 15, 2025, 3:48:38 AM
to jgrou...@googlegroups.com
I assume you've been using SYM_ENCRYPT for a while and it has worked so far...

Have you changed your config, or the way you generate your secret keys?

Can you add code in Encrypt.down() to print the stack trace, e.g. add (in the catch clause):
e.printStackTrace().
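
Added example (not part of the thread and not JGroups code): a stand-alone Java check that the keystore, key and cipher settings from the posted <SYM_ENCRYPT> element are consistent with each other, run outside the cluster. The class name SymKeyCheck, the command-line arguments and the use of the store password as the key password are assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Arrays;

// Usage: java SymKeyCheck.java <keystore file> <store password>
// Assumption: the key entry uses the same password as the store.
public class SymKeyCheck {
    // Values copied from the <SYM_ENCRYPT> element posted in the thread
    static final String TRANSFORMATION = "AES/CBC/PKCS5Padding", KEYSTORE_TYPE = "JCEKS", ALIAS = "sym_key";
    static final int KEY_BITS = 128, IV_LENGTH = 16;

    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore store = KeyStore.getInstance(KEYSTORE_TYPE);
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            store.load(in, password); // throws on a wrong store type or password
        }
        Key key = store.getKey(ALIAS, password); // null if the alias is missing
        if (!(key instanceof SecretKey))
            throw new IllegalStateException("alias '" + ALIAS + "' holds no secret key");

        String cipherAlgo = TRANSFORMATION.split("/")[0];
        if (!key.getAlgorithm().equalsIgnoreCase(cipherAlgo))
            throw new IllegalStateException("key is " + key.getAlgorithm() + ", cipher is " + cipherAlgo);
        byte[] raw = key.getEncoded(); // null when the provider does not export key bytes
        if (raw != null && raw.length * 8 != KEY_BITS)
            throw new IllegalStateException(raw.length * 8 + "-bit key, config says " + KEY_BITS);

        // Encrypt/decrypt round trip with a random IV of the configured length.
        byte[] iv = new byte[IV_LENGTH];
        new SecureRandom().nextBytes(iv);
        Cipher enc = Cipher.getInstance(TRANSFORMATION), dec = Cipher.getInstance(TRANSFORMATION);
        enc.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv)); // rejects a bad key or IV size
        dec.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] plain = "constructed test payload".getBytes(StandardCharsets.UTF_8);
        if (!Arrays.equals(plain, dec.doFinal(enc.doFinal(plain))))
            throw new IllegalStateException("round trip returned different bytes");
        System.out.println("OK: keystore, key and cipher settings are consistent");
    }
}
```

Running it on every node against that node's own keystore file shows whether all members load the same kind of key; any exception it throws names the setting that does not fit.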