
Upgrade to 7 when SAML keystore adv server properties are configured in 6.5



    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version: 7.0.0
    • Fix Version: 7.0.0
    • Labels: SAML, upgrade


      Bug description

      I was trying to see what happens during upgrade with the secret stores when the advanced server properties to change the SAML2 keystore location were in place. These properties and how to use them have never been really documented, so I have tried my best here.

      Questions that started this Jira:

      • Should upgrade work with the advanced server properties? Are the properties supposed to work with SAML2?
      • What are those properties meant to change, exactly? Keystores for SAML signing assertions? Keystores for SAML signing metadata? Both? What about encryption?


      Did 2 types of tests:

      1) Upgrade fails:

      How to reproduce the issue

      • Configure Java Home to JDK 1.8+
      • Install AM
      • Configure a hosted IDP, add a remote SP and a CoT. Add one signing and encryption key from the default keystore to the IDP.

      I used the keys we configure by default nowadays, but the error messages I get seem to make me think they are wrong. Tested with "test" in both and it didn't work either. I may be doing this wrong all the way.

      • Copy the original keystore and its files to a different name:
      • Add the advanced server properties that let you change the keystore location for SAML:
      • Restart AM, check it works. I've seen that, if the above config is not ok or readable, there are logs written in the debug files. So check they are clean.
      • Stop Tomcat and configure J11
      • Upgrade to 7

      Expected behaviour

      Upgrade happens.

      Current behaviour
      org.forgerock.openam.upgrade.UpgradeException: Unable migrate aliases to key store secret store
              at org.forgerock.openam.upgrade.steps.secrets.CredentialVisitor.visit(CredentialVisitor.java:83)
              at org.forgerock.openam.upgrade.steps.secrets.Credentials$AliasCredential.accept(Credentials.java:80)
              at org.forgerock.openam.upgrade.steps.secrets.Credentials$CompositeCredential.accept(Credentials.java:176)
              at org.forgerock.openam.upgrade.steps.secrets.Saml2EntitySecretsStep$RealmScopedCredential.accept(Saml2EntitySecretsStep.java:317)
              at org.forgerock.openam.upgrade.steps.secrets.Saml2EntitySecretsStep.performMigration(Saml2EntitySecretsStep.java:162)
              at org.forgerock.openam.upgrade.steps.secrets.Saml2EntitySecretsStep.perform(Saml2EntitySecretsStep.java:142)
      Caused by: com.sun.identity.sm.InvalidAttributeValueException: Data validation failed for the attribute, Secret ID
              at com.sun.identity.sm.AttributeValidator.validate(AttributeValidator.java:409)
              at com.sun.identity.sm.ServiceSchemaImpl.validateAttrValues(ServiceSchemaImpl.java:697)
              at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:415)
              at com.sun.identity.sm.ServiceSchemaImpl.validateAttributes(ServiceSchemaImpl.java:381)
              at com.sun.identity.sm.CreateServiceConfig.createSubConfigEntry(CreateServiceConfig.java:322)
              at com.sun.identity.sm.ServiceConfig.addSubConfig(ServiceConfig.java:363)


      2) Upgrade worked, but secret store configuration seems odd.


      How to reproduce the issue

      • Install AM with J11
      • Do not configure any SAML provider! (not that you can with J11)
      • Copy the original keystore and its files to a different name
      • Add the advanced server properties that let you change the keystore location for SAML
      • Upgrade to 7

      Sure, this is a silly scenario. Nobody should have the properties set if they don't have SAML configured, but it is an easy way to see what would happen, and whether I could upgrade at all, based on my problem above.


      One thing I realized is that, even though the adv. properties are saved, they don't show in the configuration screen when you reload/reboot. I know, strange. But the upgrade process knows about it, as you will see in the screenshot below:

      Expected behaviour

      Not sure. Store configuration making sense with the advanced server properties configuration? That is, if those should be honoured at all, which I'm not sure about at this point.

      Current behaviour

      • The SAML metadata signing points to the keystore in the adv server property.
      • Adv server properties are not showing (but are they really removed? They weren't showing in 6.5 either...)
      • The default keystore is still the AM keystore. But it is the one that has the default global SAML2 secret ID configured.

            alun.daley Alun Daley
            cristina.herraz Cristina Herraz [X] (Inactive)