KB Article #181869

Portal upgrade fails at decrypt db password

Problem

The API Portal db password encryption / decryption option was originally developed with the openssl "-md md5" option as the message digest algorithm.

Since the md5 algorithm is no longer considered secure enough, in API Portal v2021 August we changed the encryption / decryption implementation to use the OpenSSL default message digest option (SHA256 in versions 1.1.x). This might cause upgrade issues: when the API Portal was installed, the md5 option was used explicitly for encryption / decryption, but on upgrade the default option is used, which might be different. As a result, the db password can't be decrypted and the upgrade fails. The error shown is usually similar to this:


digital envelope routines:EVP_DecryptFinal_ex:bad decrypt


A similar issue might happen if:

1. OpenSSL is upgraded to a version whose default md algorithm differs from the one that API Portal was installed with

2. For some reason your db passphrase (the one used as the encryption key for encrypting the db password) has been modified or corrupted
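
The digest mismatch described above can be reproduced with constructed values. This is an added example, not the product's own script; the cipher (AES-256-CBC), the "-pass pass:" usage, the function names and the sample passphrase and password are all assumptions.

```shell
#!/usr/bin/env bash
# Constructed sample values. The cipher and "-pass pass:" usage are assumptions;
# the article only states that "-md md5" was used originally.
PASSPHRASE='constructed-passphrase'
SECRET='constructed-db-password'
CIPHER='-aes-256-cbc'

# Encrypt SECRET, deriving the key from PASSPHRASE with digest $1; prints base64.
encrypt_with() {
  printf '%s' "$SECRET" |
    openssl enc $CIPHER -salt -a -md "$1" -pass "pass:$PASSPHRASE" 2>/dev/null
}

# True only if blob $2, decrypted with digest $1, yields SECRET again.
# Comparing the output (not the exit code) also catches the rare case where
# a wrong key happens to produce valid padding.
decrypts_with() {
  dw_out=$(printf '%s\n' "$2" |
    openssl enc -d $CIPHER -a -md "$1" -pass "pass:$PASSPHRASE" 2>/dev/null |
    tr -d '\0')
  [ "$dw_out" = "$SECRET" ]
}

# Print the digest a blob was encrypted with, trying the 1.1.x default first.
detect_digest() {
  for dd_md in sha256 md5; do
    if decrypts_with "$dd_md" "$1"; then echo "$dd_md"; return 0; fi
  done
  echo unknown
  return 1
}

# What an install that used "-md md5" would have stored.
legacy_blob=$(encrypt_with md5)
if decrypts_with sha256 "$legacy_blob"; then
  echo "sha256: decrypt ok"
else
  echo "sha256: bad decrypt (digest mismatch)"
fi
echo "blob was encrypted with: $(detect_digest "$legacy_blob")"
```

The same passphrase yields a different key under each digest, which is why the stored value stops decrypting even though neither the passphrase nor the ciphertext has changed.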

Resolution

Whatever the reason for the decryption failure, the solution is as follows:

  1. Revert the instance to its previous state before the upgrade (usually by reverting to a snapshot of the VM). This step is required only in case of upgrade failure.
  2. Edit {INSTALL_DIR}/configuration.php by adding the mysql password in plain text ($password = 'PLAIN_TEXT_PASSWORD') and change the $dbtype value to 'mysqli'. This way API Portal will start using the default db adapter and will not try to decrypt the password.
  3. If it was an upgrade failure, just run the upgrade again. If the issue is not caused by the upgrade, skip this step.
  4. Execute the apiportal_db_pass_encryption.sh script. It comes with your API Portal installation / upgrade package. The script will encrypt the db password using the default md algorithm for the installed OpenSSL version and will change the $dbtype value to 'mysqli_enc'. API Portal will then start using the mysqli_enc adapter, which decrypts using the default md option.