KB-1048 Errors related to Appian keystore during application server startup

Symptoms

When starting the application server after a migration or an upgrade, one of the following errors are observed in the application server log:

FATAL com.appiancorp.common.crypto.KeyStoreConfig - The internal encryption module is in an inconsistent state. The keystore password is not present in the primary data source. If migrating or restoring from backup, ensure that the primary data source contains all of the tables and data. (APNX-1-4210-004)
ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/suite]] (ServerService Thread Pool -- 75) JBWEB000287: Exception sending context initialized event to listener instance of class com.appiancorp.common.config.ConfigurationLoader: com.appiancorp.common.config.FatalConfigurationException: com.appiancorp.suiteapi.common.exceptions.AppianException: The internal encryption module is in an inconsistent state. The keystore password is not present in the primary data source. If migrating or restoring from backup, ensure that the primary data source contains all of the tables and data. (APNX-1-4210-004)

Caused by: com.appiancorp.common.config.FatalConfigurationException: com.appiancorp.suiteapi.common.exceptions.AppianException: An unexpected error occurred while trying to load the keystore. (APNX-1-4210-005)
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

Cause

The appian.keystore is a secured placeholder for keys and is encrypted during its creation (first application server startup that successfully connected to the primary database). The encrypted password used to secure the appian.keystore is stored in the primary database in the cfg table along with the character set and the initialization vector for the random part of the encryption phase. When the application server starts, the appian.keystore is opened and validated. For this step to be successful, the password in the cfg table must be the one originally used to encrypt the appian.keystore.

The error is caused by one of the following:

  • The appian.keystore file is missing from <APPIAN_HOME>/_admin/shared.
  • The appian.keystore file cannot be opened/decrypted using the password from the cfg table.

This error is common when users backload data from environment A to environment B and forget to copy the <APPIAN_HOME>/_admin/shared directory or to copy the primary database. Any of these omissions can lead to the inability to start the application server.

Note: The appian.keystore file cannot be shared between environments. 

Action

Copy the <APPIAN_HOME>/_admin/shared directory containing the original appian.keystore from the previous installation to the upgraded installation and make sure the primary database corresponds to the environment.

Affected Versions

This article applies to all versions of Appian.

Last Reviewed: May 2020

Related
Recommended