Project: OpenAM
OPENAM-17410: am.global.services.saml2.client.storage.jwt.encryption mapping is not created after upgrade


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not a defect
    • Affects Version/s: 7.0.0, 6.5.3, 7.0.1
    • Fix Version/s: None
    • Component/s: SAML, upgrade
    • Sprint: AM Sustaining Sprint 86
    • 3
    • No
    • No
    • No
    • Are the reproduction steps defined?: Yes but I used my own steps. (If so, please add them in a new comment)

      Description

      Bug description

      After upgrading from AM 6.x to AM 6.5.3 or AM 7.0, the customer may encounter the following error when the SAML2 client-storage JWT needs to be encrypted and no key is mapped to that purpose:

      Not resolved at realm level: Purpose{secretType=DataEncryptionKey, label='am.global.services.saml2.client.storage.jwt.encryption'}
      org.forgerock.secrets.NoSuchSecretException: No secret configured for purpose am.global.services.saml2.client.storage.jwt.encryption
              at org.forgerock.secrets.keystore.KeyStoreSecretStore.getActive(KeyStoreSecretStore.java:249)
              at org.forgerock.secrets.SecretsProvider.lambda$getActiveSecret$3(SecretsProvider.java:138)
              at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
              at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193)
              at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175)
              at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948)
              at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
      

       How to reproduce the issue

      Upgrade from AM 6.5.2 to AM 6.5.3 or AM 7.x.

      Check the mappings of the default keystore (Secret Stores -> default-keystore -> Mappings): the mapping for the purpose am.global.services.saml2.client.storage.jwt.encryption is missing.

      Note: this mapping is present on a fresh (standalone) install of AM 6.5.3 or AM 7.x.

      Expected behaviour
      The mapping should be present after upgrade.
      Current behaviour
      The mapping is missing after upgrade.
      

      Work around

      Run the following script to re-create the mapping. Adjust the AM base URL, the administrator credentials and the alias: the alias listed in "aliases" must be a key that already exists in the default keystore (directenctest is the alias used in this report).

       

      openam="http://openam.internal.example.com:8080"
      user="amadmin"
      password="password"
      # Authenticate as the administrator through the admin console authentication service and extract the SSO token.
      tokenid=$(curl -k -s --request POST --header "Accept-API-Version: resource=2.0, protocol=1.0" --header "X-OpenAM-Username: $user" --header "X-OpenAM-Password: $password" --header "Content-Type: application/json" --data "{}" "$openam/openam/json/authenticate?authIndexType=service&authIndexValue=adminconsoleservice" | python -c 'import sys, json; print(json.load(sys.stdin)["tokenId"])')
      # Note: this prints an administrator session token; drop the echo on shared hosts.
      echo "tokenid is $tokenid"
      # Create the missing mapping in the default keystore (iPlanetDirectoryPro is AM's default session cookie name).
      curl -X POST -k -H 'Content-Type: application/json' --header "Accept-API-Version: resource=1.0" --cookie "iPlanetDirectoryPro=$tokenid" --data '{"secretId": "am.global.services.saml2.client.storage.jwt.encryption", "_id": "am.global.services.saml2.client.storage.jwt.encryption", "aliases": ["directenctest"]}' "$openam/openam/json/global-config/secrets/stores/KeyStoreSecretStore/default-keystore/mappings"
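The workaround above creates the mapping unconditionally; run it twice and the second POST fails because the _id already exists. The script below is an added example (not part of this issue or of ForgeRock's tooling) that checks for the mapping first and creates it only when it is absent, using the same two REST endpoints as the curl commands. It assumes that reading a single mapping with GET .../mappings/<secretId> returns 200 when present and 404 when missing, which is the usual AM CRUD behaviour but is not stated on this page; the InMemoryAm class is a constructed stand-in for those endpoints so the logic can be exercised offline, and the host, credentials and token value are placeholders.

```python
"""Idempotently re-create a missing AM secret-store mapping after an upgrade (added example)."""
import json
import ssl
import urllib.error
import urllib.request

# Endpoints taken from the workaround script on this page.
AUTH_PATH = "/openam/json/authenticate?authIndexType=service&authIndexValue=adminconsoleservice"
MAPPINGS_PATH = "/openam/json/global-config/secrets/stores/KeyStoreSecretStore/default-keystore/mappings"
SAML2_CLIENT_STORAGE_ENC = "am.global.services.saml2.client.storage.jwt.encryption"
SESSION_COOKIE = "iPlanetDirectoryPro"  # AM's default session cookie name; change if customised


class AmHttp:
    """Minimal JSON-over-HTTP transport for the AM REST API (urllib only).

    request() returns (status, parsed body); 4xx/5xx are returned rather than
    raised so callers can branch on 404. verify_tls=False reproduces the
    page's `curl -k` and should stay True outside a lab.
    """

    def __init__(self, base_url, verify_tls=True):
        self.base_url = base_url.rstrip("/")
        self.token = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def request(self, method, path, body=None, headers=None):
        hdrs = {"Content-Type": "application/json", **(headers or {})}
        if self.token:
            hdrs["Cookie"] = f"{SESSION_COOKIE}={self.token}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data, method=method, headers=hdrs)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")


def authenticate(http, user, password):
    """Log in through the adminconsoleservice chain (same call as the page's script) and keep the token."""
    status, body = http.request("POST", AUTH_PATH, body={}, headers={
        "Accept-API-Version": "resource=2.0, protocol=1.0",
        "X-OpenAM-Username": user,
        "X-OpenAM-Password": password,
    })
    if status != 200 or "tokenId" not in body:
        raise RuntimeError(f"authentication failed: HTTP {status} {body}")
    http.token = body["tokenId"]
    return http.token


def mapping_payload(secret_id, aliases):
    """The body the page's workaround POSTs; _id doubles as the secretId."""
    return {"secretId": secret_id, "_id": secret_id, "aliases": list(aliases)}


def ensure_mapping(http, secret_id, aliases):
    """Create the mapping only if it is absent. Returns 'exists' or 'created'.

    Assumption: GET <collection>/<secretId> answers 200 when present, 404 when not.
    """
    hdrs = {"Accept-API-Version": "resource=1.0"}
    status, body = http.request("GET", f"{MAPPINGS_PATH}/{secret_id}", headers=hdrs)
    if status == 200:
        return "exists"
    if status != 404:
        raise RuntimeError(f"unexpected response reading mapping: HTTP {status} {body}")
    status, body = http.request("POST", MAPPINGS_PATH, body=mapping_payload(secret_id, aliases), headers=hdrs)
    if status not in (200, 201):
        raise RuntimeError(f"creating mapping failed: HTTP {status} {body}")
    return "created"


class InMemoryAm:
    """Constructed stand-in for the two endpoints above, for offline exercise of the logic."""

    def __init__(self):
        self.mappings = {}
        self.token = None

    def request(self, method, path, body=None, headers=None):
        if method == "POST" and path == AUTH_PATH:
            return 200, {"tokenId": "constructed-token-id", "successUrl": "/openam/console"}
        if method == "GET" and path.startswith(MAPPINGS_PATH + "/"):
            secret_id = path[len(MAPPINGS_PATH) + 1:]
            if secret_id in self.mappings:
                return 200, self.mappings[secret_id]
            return 404, {"code": 404, "reason": "Not Found", "message": "Not Found"}
        if method == "POST" and path == MAPPINGS_PATH:
            self.mappings[body["_id"]] = dict(body)
            return 201, dict(body)
        return 405, {}


if __name__ == "__main__":
    import sys
    base, user, password = sys.argv[1:4]  # e.g. http://openam.internal.example.com:8080 amadmin <password>
    am = AmHttp(base, verify_tls=False)
    authenticate(am, user, password)
    print(ensure_mapping(am, SAML2_CLIENT_STORAGE_ENC, ["directenctest"]))
```

As with the curl workaround, the alias passed to ensure_mapping must already exist in the default keystore, and the script can be extended to any other purpose whose mapping the upgrade left out by changing the secret id.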
      

              People

              Assignee: Lawrence Yarham (lawrence.yarham)
              Reporter: Sam Phua (sam.phua)
              Votes: 0
              Watchers: 6
