Problem with AXL:GetUser - Error 5000 and a stack trace in CUCM

Version 1
    This document was generated from CDN thread

    Created by: Paul Wilkinson on 09-08-2009 11:53:06 PM
    Hi,

    I am using the Axl:GetUser command against CUCM 6.1.3.3190-1.

    The same code is in place at other client sites and is working.

    The problem that is seen in this particular installation is that for some users the
    Axl:GetUser call is returning an AXL error 5000.

    The AXL debug trace on CUCM shows the following:

    2009-08-07 09:22:10,841 INFO  [http-8443-Processor46] axl.AXLRouter - Received request
    1243084089409 from CCMAdministrator at IP 23.1.4.39
    2009-08-07 09:22:10,842 INFO  [http-8443-Processor46] axl.AXLRouter -
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"><SOAP-ENV:Body><axl:getUser
    xmlns:axl="http://www.cisco.com/AXL/1.0" xsi:schemalocation="http://www.cisco.com/AXL/1.0
    http://ccmserver/schema/axlsoap.xsd"
    sequence="1234"><userid>U207229</userid></axl:getUser></SOAP-ENV:Body > </SOAP-ENV:Envelope>
    2009-08-07 09:22:10,844 DEBUG [http-8443-Processor46] axl.AXLRouter - Request is not a
    write request
    2009-08-07 09:22:10,845 INFO  [http-8443-Processor46] axl6_0.Handler - Handler
    initializing
    2009-08-07 09:22:10,847 DEBUG [http-8443-Processor46] axl6_0.UserHandler - select
    enduser.pkid, enduser.firstname, enduser.lastname, enduser.userid,
    enduser.telephoneNumber,  enduser.department, enduser.manager, enduser.tkUserLocale,
    enduser.assocpc, enduser.allowcticontrolflag,  enduser.passwordreverse,
    enduser.enablemobility, enduser.enablemobilevoice, enduser.maxDeskPickupWaitTime,
    enduser.remoteDestinationLimit, UL.name as userLocaleName from enduser, outer
    TypeUserLocale UL   where my_lower(userid)=my_lower('U207229') and
    UL.enum=enduser.tkuserlocale
    2009-08-07 09:22:10,849 DEBUG [http-8443-Processor46] axl6_0.UserHandler - select fkdevice
    from enduserdevicemap where fkenduser='e7f72b0b-7065-4ad1-a58c-523fc33c0db4' and
    tkUserAssociation = '1'
    2009-08-07 09:22:10,852 DEBUG [http-8443-Processor46] axl6_0.UserHandler - select
    endusernumplanmap.*, NP.dnorpattern as dnorpattern from endusernumplanmap left outer join
    numplan NP on NP.pkid = endusernumplanmap.fkNumplan where endusernumplanmap.fkenduser =
    'e7f72b0b-7065-4ad1-a58c-523fc33c0db4' and tkDnUsage ='1'
    2009-08-07 09:22:10,854 DEBUG [http-8443-Processor46] axl6_0.UserHandler - select dg.*
    from enduserdirgroupmap eudgm ,outer dirgroup dg  where eudgm.fkenduser =
    'e7f72b0b-7065-4ad1-a58c-523fc33c0db4' and (dg.pkid=eudgm.fkdirgroup)
    2009-08-07 09:22:10,856 DEBUG [http-8443-Processor46] axl6_0.UserHandler -  select fr.*
    from functionroledirgroupmap frdgm ,outer  functionrole fr  where frdgm.fkdirgroup =
    '64a8af58-7a0d-4a06-a7e9-d8e033510cea' and (fr.pkid=frdgm.fkfunctionrole)
    2009-08-07 09:22:10,858 DEBUG [http-8443-Processor46] axl6_0.UserHandler -  select fr.*
    from functionroledirgroupmap frdgm ,outer  functionrole fr  where frdgm.fkdirgroup =
    'f8f163cb-c670-428f-68aa-f6af97b11fa0' and (fr.pkid=frdgm.fkfunctionrole)
    2009-08-07 09:22:10,866 ERROR [http-8443-Processor46] axl6_0.Handler -
    com.cisco.ccm.axl.axl6_0.UserHandler@1b7b2ca
    com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
    at com.rsa.jsafe.JA_PKCS5Padding.performUnpadding(JA_PKCS5Padding.java:111)
    at com.rsa.jsafe.JG_BlockCipher.decryptFinal(JG_BlockCipher.java:1092)
    at com.cisco.ccm.security.CCMDecryption.decryptPassword(CCMDecryption.java:55)
    at com.cisco.ccm.security.CCMEncryption.decryptPassword(CCMEncryption.java:212)
    at com.cisco.ccm.axl.axl6_0.UserHandler.doGet(UserHandler.java:460)
    at com.cisco.ccm.axl.axl6_0.Handler.execute(Handler.java:453)
    at com.cisco.ccm.axl.axl6_0.AxlListener.onMessage(AxlListener.java:103)
    at com.cisco.ccm.axl.AXLRouter.doPost(AXLRouter.java:208)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
    at sun.reflect.GeneratedMethodAccessor1382.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:243)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
    at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:275)
    at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:161)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:245)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:50)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:156)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:152)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:541)
    at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:392)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)


    This seems to indicate that a cryptographic function is having a problem decrypting some
    stored credential,  but I don't know which credential this is.

    The AXL:GetUser call can retrieve data for some users in this system, while others will
    return this error.  There does not appear to be a pattern.

    The CUCM is integrated with AD via LDAP.

    Can anyone from Cisco have a look at com.cisco.ccm.axl.axl6_0.UserHandler.doGet(UserHandler.java:460)
    and offer a clue as to what is happening?

    Thanks,
      Paul

    Subject: RE: Problem with AXL:GetUser - Error 5000 and a stack trace in CUCM
    Replied by: BHUVANESWARI RAJAMANICKAM on 13-08-2009 09:48:33 AM
    Hi Paul,
     
    From the logs I can deduce that the request is failing for 'digest credentials' tag/field. I guess you are using some special characters for digest credentials.
     
    From the logs we can see:-
     
    com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
    at com.rsa.jsafe.JA_PKCS5Padding.performUnpadding(JA_PKCS5Padding.java:111)
    at com.rsa.jsafe.JG_BlockCipher.decryptFinal(JG_BlockCipher.java:1092)
    at com.cisco.ccm.security.CCMDecryption.decryptPassword(CCMDecryption.java:55)
    at com.cisco.ccm.security.CCMEncryption.decryptPassword(CCMEncryption.java:212)
    at com.cisco.ccm.axl.axl6_0.UserHandler.doGet(UserHandler.java:460)  
     
    That the failure occurs at the line - com.cisco.ccm.axl.axl6_0.UserHandler.doGet(UserHandler.java:460).

    We are calling the CCMEncryption.decryptPassword function at this point. From your query, I understand that it passes for some users but fails for others. CCMEncryption calls JSAFE APIs, which are a black box to us. Hence, I need to know for which passwords it's failing if we are to proceed with further investigation of your query.

    Thanks and Regards,
    Bhuvana
    Developer Services

    Subject: RE: Problem with AXL:GetUser - Error 5000 and a stack trace in CUCM
    Replied by: Paul Wilkinson on 13-08-2009 09:50:34 AM
    Hi,
     
    Thanks for the information.  I will try changing the digest password for an affected user and see if that resolves the problem for that particular user.
     
    Regards,
      Paul Wilkinson

    Subject: RE: Problem with AXL:GetUser - Error 5000 and a stack trace in CUCM
    Replied by: Paul Wilkinson on 16-08-2009 11:40:16 PM
    Hi,
     
    I have confirmed that clearing or resetting the digest credentials for the affected user.  The customer said that the digest credentials should just be "123456", so I can't see that causing a problem, so obviously the credentials were actually something else.
     
    As they aren't using SIP anyway, we are just going to clear the digest credentials for all users and it should resolve our issue.
     
    Thanks again for your assistance.
     
    Paul
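
To identify which users hit the padding failure discussed in this thread, the AXL trace can be correlated per handler thread: the `<userid>` of each getUser request is matched with a later `JSAFE_PaddingException` logged by the same thread. This is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample log lines are constructed, and it assumes entries begin with a timestamp, level and `[thread]` as in the trace above.

```python
import re

# An AXL trace entry starts: timestamp, level, [thread], logger, " - ", message.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] \S+ - ?(.*)$")
USERID = re.compile(r"<userid>([^<]+)</userid>")

def entries(lines):
    """Group raw lines; untimestamped lines (stack frames, wrapped XML) join the entry above."""
    current = None
    for line in lines:
        m = ENTRY.match(line.strip())
        if m:
            if current:
                yield current
            ts, level, thread, msg = m.groups()
            current = {"ts": ts, "level": level, "thread": thread, "text": msg}
        elif current:
            current["text"] += line.strip()
    if current:
        yield current

def padding_failures(lines):
    """Return (timestamp, thread, userid) for each request that ended in a padding error."""
    pending, hits = {}, []          # pending: thread -> userid being served
    for e in entries(lines):
        thread, text = e["thread"], e["text"]
        if "Received request" in text:
            pending.pop(thread, None)   # new request: forget the previous user
        m = USERID.search(text)
        if m:
            pending[thread] = m.group(1)
        elif e["level"] == "ERROR" and "JSAFE_PaddingException" in text:
            hits.append((e["ts"], thread, pending.get(thread, "?")))
    return hits

# Constructed sample (placeholder user IDs and IP): two interleaved requests.
SAMPLE = """\
2009-08-07 09:22:10,841 INFO  [http-8443-Processor46] axl.AXLRouter - Received request 1 from CCMAdministrator at IP 192.0.2.10
2009-08-07 09:22:10,842 INFO  [http-8443-Processor46] axl.AXLRouter -
<SOAP-ENV:Body><axl:getUser sequence="1"><userid>U100001</userid></axl:getUser></SOAP-ENV:B
ody >
2009-08-07 09:22:10,843 INFO  [http-8443-Processor47] axl.AXLRouter - Received request 2 from CCMAdministrator at IP 192.0.2.10
2009-08-07 09:22:10,844 INFO  [http-8443-Processor47] axl.AXLRouter - <SOAP-ENV:Body><axl:getUser sequence="2"><userid>U100002</userid></axl:getUser></SOAP-ENV:Body>
2009-08-07 09:22:10,866 ERROR [http-8443-Processor46] axl6_0.Handler -
com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.
""".splitlines()

if __name__ == "__main__":
    print(*padding_failures(SAMPLE), sep="\n")
```

The resulting user list is the set of accounts whose stored digest credentials need to be reset or cleared.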