Upgrading PAN-OS to 9.0.x and above causes auto-commit failure due to cryptod error

Created On 08/21/22 08:43 AM - Last Modified 02/06/25 04:16 AM


Symptom


  • Upgrading PAN-OS to 9.0.x or later causes the auto-commit to fail.
  • The configuration contains an IKE pre-shared key.
Example: The PSK passphrase "paloalto" might be stored in the following encrypted format:
admin1@fw-bz03-2# show network ike gateway VPN-GW-BZ99-M30
pre-shared-key {
      key jGZCVNfXEYAKOSFdyLPamec8Bo4oqi6xjRZ+uRPw3MKx7HzxpH86XGiDvktFJlLg;
    }
  • The following error messages are displayed in ikemgr.log and cryptod.log:
ikemgr.log
2022-04-07 11:18:22.501 +0200 Error: pan_cryptod_sysd_decr(pan_cryptod_sysd_api.c:454): Sysd cryptod encrypted text object modify failed, err=USER
2022-04-07 11:18:22.500 +0200 Error: rcf_fix_pre_shared_key(protocols/lib/cfsetup.c:3028): pan_translate_buffer(jGZCVNfXEYAKOSFdyLPamec8Bo4oqi6xjRZ+uRPw3MKx7HzxpH86XGiDvktFJlLg) failed

cryptod.log
2022-04-07 11:18:23.797 +0200 Error:  pan_cryptod_translate_buf(pan_cryptod_crypt.c:863): Invalid encrypted data. Skip decryption

2022-04-07 11:18:24  +0200 Error:  pan_cryptod_sysd_decr_recv_cb(pan_cryptod_crypt.c:1839): Decryption failed, abort


Environment


  • All firewall platforms
  • PAN-OS 9.0.x and above
  • IKE gateway configured with PSKs


Cause


  • IKE pre-shared keys are encrypted using 4.0 ciphers that do not contain the integrity header and other integrity data (such as the tag character, the version, and the hash of the encrypted data).
  • Until release 8.1, the cryptod code contained a provision to decrypt the data even if it did not carry the integrity data; that provision was removed starting with 9.0.
  • Due to this change, starting from 9.0, cryptod no longer decrypts pre-4.0 encrypted configuration, which aborts the auto-commit operation.




Resolution


  • This is expected behavior. Applying a fix for this issue would break the design implemented via PAN-93988, which was introduced as a vulnerability fix.
  • The only solution is to recycle the pre-shared keys on the configured IKE gateways:
Upgrade to 9.0.x > wait until the auto-commit fails > change the IKE pre-shared key > commit force


Additional Information


Below is an example of a valid encrypted format supported by 9.0.x and above:
admin1@fw-bz03-2(active)# show network ike gateway test-ike-new

test-ike-new {
  authentication {
    pre-shared-key {
      key -AQ==zPJb3ngM1sGjXlfX2+Qk6rbdv1I=ucInIpBmFcnkQK7zF4VO1w==;
    }
  }
}
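The two key formats shown in this article (the legacy ciphertext under Symptom and the tagged format above) can be told apart before an upgrade, so that affected gateways are re-keyed on a schedule rather than discovered through a failed auto-commit. The following Python script is an added example and not Palo Alto Networks code: it scans configuration text in the `show network ike gateway` layout, reports every gateway whose key lacks the `-AQ==` tag-plus-version prefix, and splits a tagged key into its fields. The field boundaries (one tag character, a 4-character base64 version, a 28-character base64 hash, then the ciphertext) are an assumption inferred from the single example on this page, not a documented layout, and the sample configuration is constructed from the two keys the article shows.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: the legacy key and the tagged key from the article, placed in
# a minimal `show network ike gateway`-style configuration (assumed layout).
SAMPLE_CONFIG = """\
VPN-GW-BZ99-M30 {
  authentication {
    pre-shared-key {
      key jGZCVNfXEYAKOSFdyLPamec8Bo4oqi6xjRZ+uRPw3MKx7HzxpH86XGiDvktFJlLg;
    }
  }
}
test-ike-new {
  authentication {
    pre-shared-key {
      key -AQ==zPJb3ngM1sGjXlfX2+Qk6rbdv1I=ucInIpBmFcnkQK7zF4VO1w==;
    }
  }
}
"""

# Tag character '-' followed by base64 "AQ==" (version byte 0x01); assumed from the example.
VERSIONED_PREFIX = "-AQ=="

# A top-level gateway block: "<name> {" at column 0, closed by "}" at column 0.
BLOCK_RE = re.compile(r"^(\S+) \{\n(.*?)^\}", re.M | re.S)
# The key inside a pre-shared-key { ... } stanza.
KEY_RE = re.compile(r"pre-shared-key \{\s*key (\S+);", re.S)


@dataclass
class PskEntry:
    gateway: str
    key: str
    versioned: bool  # True when the integrity header that 9.0+ cryptod requires is present


def has_integrity_header(key: str) -> bool:
    """Legacy (pre-4.0 cipher) keys are bare base64; tagged keys start with '-AQ=='."""
    return key.startswith(VERSIONED_PREFIX)


def find_psk_entries(config: str) -> list[PskEntry]:
    """Return one entry per gateway that carries a pre-shared key."""
    entries = []
    for block in BLOCK_RE.finditer(config):
        name, body = block.group(1), block.group(2)
        match = KEY_RE.search(body)
        if match:
            key = match.group(1)
            entries.append(PskEntry(name, key, has_integrity_header(key)))
    return entries


def legacy_gateways(config: str) -> list[str]:
    """Gateways whose PSK must be recycled before (or right after) upgrading to 9.0.x."""
    return [e.gateway for e in find_psk_entries(config) if not e.versioned]


def split_versioned_key(key: str) -> tuple[bytes, bytes, bytes]:
    """Split a tagged key into (version, hash, ciphertext) bytes.

    Assumed layout: '-' + 4-char base64 version + 28-char base64 hash + base64 ciphertext.
    The hash cannot be checked here; the split only shows the integrity data is present.
    """
    if not has_integrity_header(key):
        raise ValueError("key has no integrity header (legacy format)")
    rest = key[1:]  # drop the tag character
    version_b64, hash_b64, ct_b64 = rest[:4], rest[4:32], rest[32:]
    return (base64.b64decode(version_b64),
            base64.b64decode(hash_b64),
            base64.b64decode(ct_b64))


if __name__ == "__main__":
    for entry in find_psk_entries(SAMPLE_CONFIG):
        state = "ok (tagged)" if entry.versioned else "LEGACY - recycle PSK"
        print(f"{entry.gateway}: {state}")
```

Run against a saved copy of the gateway configuration, the script lists the gateways that will trip the `Invalid encrypted data. Skip decryption` path in cryptod.log after the upgrade; those are the ones to re-key in the "change the IKE pre-shared key > commit force" step.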

