Menu Close

WebLogic: JSAFE_PaddingException


WebLogic Server 8.1 does not start. Following errors seen in stdout/stderr/server logs:

 ####<Jun 18, 2009 11:44:13 AM BST> <Error> <Management> <> <admin_mkdom> <main> <<WLS Kernel>> <> <BEA-140001> <An error occurred while getting attribute Credential on MBean mkdom:Location=admin_mkdom,Name=mkdom,Type=EmbeddedLDAPConfig. Method: null. Exception: com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte..

com.rsa.jsafe.JSAFE_PaddingException: Could not perform unpadding: invalid pad byte.

            at com.rsa.jsafe.JA_PKCS5Padding.a(Unknown Source)

            at com.rsa.jsafe.JG_BlockCipher.decryptFinal(Unknown Source)



Background & Analysis:

JSAFE is an encryption/decryption engine for Java, developed by RSA. So, you can be sure that you have a problem with encryption/decryption whenever you encounter exceptions related to JSAFE.

All passwords in a WebLogic domain are encrypted by hashes in a file called SerializedSystemIni.dat. Read this tutorial to understand how WebLogic uses SerializedSystemIni.dat. If passwords that have been encrypted in one WebLogic domain are used in another WebLogic domain, then all the encrypted passwords will not be decrypted and the WebLogic servers will not start.



As the passwords need to be encrypted using the current domain’s SerializedSystemIni.dat file, do the following to configure valid encrypted passwords and start the WebLogic servers:

(1) In all WebLogic configuration files contain encrypted passwords, find and replace as follows:

ALL occurrences of  PasswordEncrypted=”{3DES}…….” 


                                Password=”plain-text password”


where, plain-text password  =  corresponding plain-text password for encrypted password

Example: If the password for a user used by a connection pool is “olympics” and its encrypted value is “{3DES}hKjgbvd==”, then replace PasswordEncrypted=“{3DES}hKjgbvd==” with Password=”olympics”

(2) Start the WebLogic servers.


Root Cause:

The encrypted passwords used in configuration files within a WebLogic domain were encrypted using SerializedSystemIni.dat in another WebLogic domain.

UPDATE (24th January 2010): For WebLogic Server 9.x+, the solution above will not work. Refer this article for tips.

(1) The solution above describes a successful problem-solving experience and may not be applicable to other problems with similar symptoms.
(2) Your rating of this post will be much appreciated. Also, feel free to leave comments.


VN:F [1.9.22_1171]
Rating: +9 (from 11 votes)
Print Friendly, PDF & Email


  1. ice rider

    I was wondering how can I get the encrypted password, In the example you have given how did you get the encrypted value for the user=’olympics’?

    thanks for your WebLogic posts, they are very helpful!

Leave a Reply

Your email address will not be published. Required fields are marked *