How to resolve authtoken encryption error on APM Plugin Standby server in Failover?
Overview
After a failover switch in OpManager, the APM Plugin on the Standby server throws authtoken encryption errors and plugin functionalities such as monitoring, alerts, and data collection do not work.
How to Confirm ?
When accessing the Applications tab in OpManager UI, the following error is displayed:
Hint: Applications Manager plugin might be facing an issue with connecting OpManager database.
The following errors also appear in the APM Plugin logs on the Standby server:
<OPM_Home>\AppManager\logs\stderr.txtjava.lang.NullPointerException
at com.adventnet.appmanager.util.UserScopeUtil.getEARKeyForDBPoll(UserScopeUtil.java:513)
at com.adventnet.appmanager.util.UserScopeUtil.regenerateUserToken(UserScopeUtil.java:368)java.lang.Exception: keyToken/plainText is invalid.
at com.adventnet.appmanager.util.AMEncryption.encrypt_AES_CBC_withKey(AMEncryption.java:293)
<OPM_Home>\AppManager\logs\syncout.txt
PluginUtil.getPluginAuthTokenFromOpManagerDB() | EARKey is null |
Returning to avoid setting encrypted authtoken in cacheCause
Both Primary and Standby APM Plugin servers share the same database, but each installation generates its own MasterEncryptionKey in <APM_Plugin_Home>\conf\DB_Crypt.properties.
During failover, the Standby cannot decrypt data that was encrypted by the Primary's key, resulting in the errors above.
MasterEncryptionKey mismatch between Primary and Standby APM Plugin servers.
Resolution Steps
Ensure both Primary and Standby APM Plugin servers use the same MasterEncryptionKey so encrypted data in the shared database can be decrypted by either server.
A. Steps for Fresh Installation
For a freshly installed APM Plugin on the Standby server, the steps depend on whether the Standby server has already been started at least once.
Case 1: Standby server has NOT been started yet
If the Standby APM Plugin has never been started, DB_Crypt.properties does not exist yet. Perform these steps before starting the Standby server or triggering failover:
- Navigate to <APM_Plugin_Home>\conf\ on the Primary server.
- Copy the entire
DB_Crypt.propertiesfile. - Place it in the same location <APM_Plugin_Home>\conf\ on the Standby server.
DB_Crypt.properties does not exist — neither AMCryptKey nor MasterEncryptionKey have been generated. Copying the full file from Primary ensures both encryption keys are in sync from the start. No instance-specific data has been encrypted on Standby yet, so sharing the AMCryptKey does not cause any conflict.
Case 2: Standby server has already been started
If the Standby APM Plugin has been started at least once, DB_Crypt.properties already exists with its own unique AMCryptKey and MasterEncryptionKey. The AMCryptKey has already been used to encrypt instance-specific data (e.g., database passwords) on the Standby server. Only the MasterEncryptionKey needs to be synchronized:
- Open <APM_Plugin_Home>\conf\DB_Crypt.properties on the Primary server.
- Copy the value of
MasterEncryptionKey. - Open the same file on the Standby server.
- Replace the
MasterEncryptionKeyvalue with the one copied from Primary. - Save the file.
DB_Crypt.properties file or modify the AMCryptKey. The AMCryptKey is instance-specific — it has already been used to encrypt the Standby's local database passwords. Replacing it will cause the Standby to fail decrypting its own DB connection credentials.
B. Steps for Existing Installation (Post-Upgrade)
From build 179200, the MasterEncryptionKey is used for encrypting shared database data. Since each server already has its own different key, they must be synchronized. Copy the key from the server that was started first after the upgrade, as that server's key is used to encrypt data in the shared database:
<OPM_Home>\AppManager\logs\console1.txt<OPM_Home>\AppManager\logs\StartUpLogs_out.txt
DB_Crypt.properties on both servers. This preserves the unique MasterEncryptionKey generated on each server during upgrade, and ensures the AMCryptKey can be restored in case the file is accidentally replaced instead of only updating the MasterEncryptionKey value.
If the Primary server was started first after upgrade:
- Open <APM_Plugin_Home>\conf\DB_Crypt.properties on the Primary server.
- Copy the value of
MasterEncryptionKey. - Open the same file on the Standby server.
- Replace the
MasterEncryptionKeyvalue with the one copied from Primary. - Save the file.
If the Standby server was started first after upgrade:
- Open <APM_Plugin_Home>\conf\DB_Crypt.properties on the Standby server.
- Copy the value of
MasterEncryptionKey. - Open the same file on the Primary server.
- Replace the
MasterEncryptionKeyvalue with the one copied from Standby. - Save the file.
MasterEncryptionKey must be copied from the server that was started first after upgrade, as that server's key is used to encrypt data in the shared database. Only replace the MasterEncryptionKey value — do not modify AMCryptKey or replace the entire file.
Verification
After applying the fix, trigger a failover and confirm:
- The APM Plugin web console is accessible on the Standby server.
- No
NullPointerExceptionor "EARKey is null" errors in the logs. - Monitors are active and collecting data.
New to ADSelfService Plus?
Related Articles
How to upgrade APM Plugin in Failover with OPM Smart upgrade without Authtoken encryption error?
Overview This guide covers the upgrade procedure for APM Plugin to build 179200 or above in a Failover environment using the OpManager Upgrade Manager, and the steps to resolve the authtoken encryption error that occurs after upgrade. Compatibility: ...Troubleshooting Applications Manager Plugin database migration failure after service pack upgrade of OPM and APM plugin
When upgrading OpManager from version 12.6.xxx to 12.7.xxx and updating the APM Plugin to 1651x, particularly when using Postgresql as the backend database, an essential one-time migration occurs. This migration involves moving our backend Postgresql ...Upgrade guide for OpManager v 12.7 and APM Plugin
After downloading the service pack for OpManager and the compatible service pack for Applications Manager Plugin (APM Plugin) to OpManager installed server, start the upgrade process for OpManager and APM Plugin by following the steps below: Note: If ...Resolving License Exceed Issues in APM Plugin (Failover Setup)
Overview In failover (Primary–Secondary) deployments of the APM Plugin, license exceed or license validation issues may occur in the secondary APM Plugin server after a switchover. This typically happens when the license file is not properly applied ...Troubleshooting Applications Manager Plugin (APM Plugin) issues in OpManager/OpManager Plus
Browse through the following topics to troubleshoot the actual problems encountered in Applications Manager Plugin (APM Plugin) for OpManager and resolve them accordingly: APM Plugin is down abnormally If the APM plugin is installed as a service, ...