
Encountering unknown key aliases in configuration error after upgrade


    Details

    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 7.0.0, 7.0.1
    • None
    • SAML, upgrade
    • None

      Description

      Bug description

      Upgrading an AM 6.5.3 SAML integrated-mode deployment to AM 7.0.1 was successful. However, an "Unknown key aliases in configuration" error was encountered when attempting to run SAML SSO in integrated mode.

      How to reproduce the issue

      #1. Set up AM 6.5.3 using the documentation found in

      https://backstage.forgerock.com/docs/am/6.5/saml2-guide/index.html#saml2-integrated-mode-sso

      #2. Test the above setup and ensure that it is working before upgrading to AM 7.0.1 (everything is default)

      #3. Upgrade to 7.0.1

      #4. Upgrade is successful.

      #5. Apply the workaround as described in OPENAM-16581

      #6. Test the SAML SSO in integrated mode again

      Expected behaviour
      SAML SSO in integrated mode is successful 
      
      Current behaviour
      Authentication Error! The following stack trace was observed:
      
      javax.security.auth.login.LoginException: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
      	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2051)
      	at com.google.common.cache.LocalCache.get(LocalCache.java:3951)
      	at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
      	at com.google.common.cache.LocalCache$LocalLoadingCache.get(LocalCache.java:4958)
      	at com.google.common.cache.LocalCache$LocalLoadingCache.getUnchecked(LocalCache.java:4964)
      	at org.forgerock.openam.secrets.Secrets.getRealmSecrets(Secrets.java:145)
      	at org.forgerock.openam.saml2.plugins.SecretsSaml2CredentialResolver.resolveValidSecrets(SecretsSaml2CredentialResolver.java:155)
      	at org.forgerock.openam.saml2.plugins.SecretsSaml2CredentialResolver.resolveValidDecryptionCredentials(SecretsSaml2CredentialResolver.java:132)
      	at com.sun.identity.saml2.profile.SPACSUtils.getSsoResultWithoutLocalLogin(SPACSUtils.java:2005)
      	at org.forgerock.openam.authentication.modules.saml2.SAML2.handleReturnFromRedirect(SAML2.java:270)
      	at org.forgerock.openam.authentication.modules.saml2.SAML2.process(SAML2.java:201)
      	at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:1094)
      	at com.sun.identity.authentication.spi.AMLoginModule.login(AMLoginModule.java:1293)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      
      Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
      	at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:264)
      	at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:233)
      	at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:202)
      	at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
      	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3529)
      	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2278)
      	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2155)
      	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2045)
      	... 136 more
      
      Caused by: java.lang.IllegalArgumentException: Unknown key aliases in configuration: 
      	at org.forgerock.secrets.keystore.KeyStoreSecretStore.validateAliases(KeyStoreSecretStore.java:214)
      	at java.base/java.util.HashMap$Values.forEach(HashMap.java:976)
      	at org.forgerock.secrets.keystore.KeyStoreSecretStore.setKeysForPurposes(KeyStoreSecretStore.java:142)
      	at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:76)
      	at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:37)
      	at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:251)
      	... 143 more
      
      

      Work around

      It has been observed that there is an "empty" (missing) alias in both Secret Stores -> default-keystore ->

      am.applications.federation.entity.providers.saml2.<your secret identifier>.encryption

      and am.applications.federation.entity.providers.saml2.<your secret identifier>.signing

      The workaround is to delete both entries and replace them with the correct alias, e.g. Test.
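As an added check (not part of this ticket or of the AM code base), the following mirrors the validation that KeyStoreSecretStore.validateAliases performs in the trace above: it reads the alias names from a `keytool -list -v` listing and flags any secret-ID mapping whose alias is empty or absent from the keystore, so the post-upgrade state described in the workaround is caught before a SAML login hits it. The mapping record shape (`secretId`/`aliases`), the entity identifier `myidp` and the keystore listing are constructed assumptions.

```python
import re

# Constructed sample of `keytool -list -v` output for an AM keystore (not real output).
KEYTOOL_OUTPUT = """Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

Alias name: test
Entry type: PrivateKeyEntry

Alias name: idpcert
Entry type: trustedCertEntry
"""

# Constructed post-upgrade mapping records; the record shape ({"secretId", "aliases"})
# is an assumption about how AM stores secret-ID-to-alias mappings for a keystore store.
SAML2_PREFIX = "am.applications.federation.entity.providers.saml2."
BROKEN_MAPPINGS = [
    {"secretId": SAML2_PREFIX + "myidp.signing", "aliases": [""]},
    {"secretId": SAML2_PREFIX + "myidp.encryption", "aliases": [""]},
]

def keystore_aliases(keytool_listing):
    """Collect alias names from a `keytool -list -v` listing."""
    return set(re.findall(r"^Alias name:\s*(\S+)\s*$", keytool_listing, re.MULTILINE))

def find_bad_mappings(mappings, aliases):
    """Return (secretId, alias, reason) for each mapping the keystore secret store would
    reject: no alias, an empty alias (this ticket's post-upgrade state), or an alias
    that is not present in the keystore."""
    problems = []
    for m in mappings:
        if not m.get("aliases"):
            problems.append((m["secretId"], None, "no alias configured"))
        for alias in m.get("aliases", []):
            if not alias.strip():
                problems.append((m["secretId"], alias, "empty alias"))
            elif alias not in aliases:
                problems.append((m["secretId"], alias, "alias not in keystore"))
    return problems

def fixed_mappings(secret_identifier, alias):
    """Build the signing and encryption mappings the workaround recreates, each
    pointing at an alias that really exists in the keystore."""
    return [{"secretId": SAML2_PREFIX + secret_identifier + ".signing", "aliases": [alias]},
            {"secretId": SAML2_PREFIX + secret_identifier + ".encryption", "aliases": [alias]}]
```

Run `find_bad_mappings(BROKEN_MAPPINGS, keystore_aliases(KEYTOOL_OUTPUT))` to see both SAML2 secret IDs reported with "empty alias"; the same call on `fixed_mappings("myidp", "test")` returns nothing.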

       

            People

            Assignee: Unassigned
            Reporter: Sam Phua (sam.phua)