KB-2353 Webapp pod fails to start due to incorrect data source password factory

The webapp pod requires properly configured data source credentials to be able to communicate with the RDBMS. In Appian on Kubernetes (AoK), these credentials are often contained within a Kubernetes secret, but may also be specified in plaintext within the CR. webapp makes use of a data source factory in order to authenticate and create connections with the primary data source RDBMS.

Customers on Legacy Self-Managed Appian (Windows or Linux) typically encode data source passwords using the configure script as recommended in documentation, however the default data source factory for AoK does not expect an encoded password. This difference can sometimes prevent the webapp pod from coming up the first time the environment is configured, especially common for those customers who have migrated to AoK from Legacy Self-Managed using Appian's AoK migration tool.

Symptoms

The webapp pod refuses to start, as it is waiting for the primary data source RDBMS to be healthy. The following error traces may be present in the pod logs:

YYYY-MM-DD HH:MM:SS,mmm [wait-for-component] ERROR com.appiancorp.common.startup.healthcheck.PrimaryRdbmsHealthCheck - javax.naming.NamingException: Unexpected exception resolving reference with name [AppianDS] [Root exception is java.lang.IllegalArgumentException: Illegal base64 character 21]
YYYY-MM-DD HH:MM:SS,mmm [wait-for-component] INFO com.appiancorp.common.startup.WaitForStatefulComponents - Waiting for Appian component Primary datasource RDBMS to be healthy...
YYYY-MM-DD HH:MM:SS WARNING [wait-for-component] org.apache.naming.NamingContext.lookup Unexpected exception resolving reference with name [AppianDS]
java.lang.IllegalArgumentException: Illegal base64 character 21
at java.base/java.util.Base64$Decoder.decode0(Base64.java:848)
at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
at com.appiancorp.tomcat.encoding.EncodingCryptographer.decodePassword(EncodingCryptographer.java:25)
at com.appiancorp.tomcat.datasource.EncodedPasswordDataSourceFactory.getObjectInstance(EncodedPasswordDataSourceFactory.java:44)

Additionally, the following field is set within the Appian CR:

spec:
  webapp:
    dataSources:
      primary:
        factory: com.appiancorp.tomcat.datasource.EncodedPasswordDataSourceFactory

Cause

The Appian CR is configured to use the com.appiancorp.tomcat.datasource.EncodedPasswordDataSourceFactory factory for the primary data source, which expects a password that has been encoded using Appian's configure script. However, the password specified (which may be contained within a secret or specified within the CR) is not encoded. As a result, the webapp pod is not able to authenticate with the primary data source using the specified password.

Action

Edit the Appian CR as so that webapp expects a non-encoded password by changing the factory to org.apache.tomcat.jdbc.pool.DataSourceFactory. This is the default factory for Appian on Kubernetes:

spec:
  webapp:
    dataSources:
      primary:
        factory: org.apache.tomcat.jdbc.pool.DataSourceFactory

Affected Versions

This article applies to all versions of Appian on Kubernetes.

Last Reviewed: August 2025

Related
Recommended