It is always a nice feeling when something is working one moment and then the next it doesn’t, when nothing seemingly changes. At least that is my story and I’m sticking to it.
So while I was out on vacation, well prior to, I gave instructions to my colleagues on how to do a simple update to our RPM spec (running RHEL 6 obvi) and I knew it worked, because I tested it. Anyways, my instructions were simple and all they had to do was run the rpm after they built it on the s390x boxes. No problem, right? Wrong… The RPM built and installed fine, but the keystore (baked into the rpm) could not be decrypted using the same credentials as always.
$ keytool -list -v -alias myalias -keystore my.keystore -storetype jceks -keyalg AES
keytool error (likely untranslated): java.io.IOException: com.sun.crypto.provider.SealedObjectForKeyProtector
Weird… So I was able to narrow the issue to the JDK versions, because I was able to decrypt the keystore on an x86 box without issue, but when I copied it over to s390x the same keystore couldn’t be decrypted with the same params…
Now you’re probably thinking, what, that is so obvious, these are two different architectures, duh. Well, I would agree; however, I couldn’t imagine that the implementation of the encryption algorithms would change and/or be incompatible between archs AND when I created the rpm initially I tested that the keystore could be decrypted on both machines…
Anyway, lesson learned: always make sure to build your keystores on each architecture.