commit a91b457abfd61c39e1e4318c2443e38b2dd93c5c
Author: Ade Lee <alee@redhat.com>
Date:   Fri Jun 16 19:25:05 2017 -0400

    Fix token enrollment and recovery ivs
    
    In encryption mode, the archival of the generated key uses the
    wrapIV, while the recovery uses the encryptIV.  To make sure
    these are consistent, they need to be set to be the same.
    
    Bugzilla BZ #1458043
    
    Change-Id: I1ecece74bd6e486c0f37b5e1df4929744fac262b

diff --git a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
index 96d7aae..07333b7 100644
--- a/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
+++ b/base/kra/src/com/netscape/kra/NetkeyKeygenService.java
@@ -406,6 +406,12 @@ public class NetkeyKeygenService implements IService {
 
                     try {
                         params = mStorageUnit.getWrappingParams(allowEncDecrypt_archival);
+
+                        // In encrypt mode, the recovery side is doing a decrypt() using the
+                        // encryption IV.  To be sure this is successful, we will make sure'
+                        // the IVs are the same.
+                        params.setPayloadEncryptionIV(params.getPayloadWrappingIV());
+
                         privateKeyData = mStorageUnit.wrap((org.mozilla.jss.crypto.PrivateKey) privKey, params);
                     } catch (Exception e) {
                         request.setExtData(IRequest.RESULT, Integer.valueOf(4));
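Review bot: The IV copy added after the getWrappingParams call runs unconditionally, while the comment above it scopes the rationale to encrypt mode (allowEncDecrypt_archival); if the non-encrypt wrap path uses both the wrapping IV and the encryption IV with the same key, forcing them equal introduces an IV reuse that the change does not justify. I cannot tell from this hunk how the other mode consumes the two IVs, so either guard the assignment, `if (allowEncDecrypt_archival) { params.setPayloadEncryptionIV(params.getPayloadWrappingIV()); }`, or extend the comment to state why equal IVs are safe in both modes. The new comment also carries a stray apostrophe after "sure" that should be dropped. The enclosing method begins before the hunk.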