OpenIDM / OPENIDM-12214

OpenAMSessionModule doesn't work with OBF/CRYPT openidm truststore password

    Details

      Description

      To reproduce this issue:

      1) In the IDM admin UI, select Configure > Authentication > Modules > OpenAM Session > Add.

      2) Accept the default attributes and ensure the new module is enabled.

      3) Restart IDM with a clear-text value for openidm.truststore.password in /path/to/idm/conf/boot/boot.properties. IDM restarts fine.

      4) Set openidm.truststore.password to an OBF or CRYPT value and restart IDM:

      [16] Nov 28, 2018 1:11:12 PM org.forgerock.openidm.logging.LogServiceTracker logEntry
      SEVERE: Bundle: org.forgerock.openidm.authnfilter [72] [org.forgerock.openidm.authentication(20)] The activate method has thrown an exception
      org.apache.felix.log.LogException: org.forgerock.openidm.idp.impl.IdentityProviderServiceException: Cannot build TrustManagerFactory[alg:SunX509] from KeyStore[type:JKS] stored in security/truststore
      	at org.forgerock.openidm.auth.AuthenticationService.activate(AuthenticationService.java:345)
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      	at java.lang.reflect.Method.invoke(Method.java:498)
      	...
      	at org.forgerock.openidm.router.RouterRegistryImpl.addingService(RouterRegistryImpl.java:151)
      	at org.forgerock.openidm.router.RouterRegistryImpl.addingService(RouterRegistryImpl.java:37)
      	...
      	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
      	at java.lang.Thread.run(Thread.java:748)
      Caused by: org.apache.felix.log.LogException: org.forgerock.caf.authentication.api.AuthenticationException: Cannot build TrustManagerFactory[alg:SunX509] from KeyStore[type:JKS] stored in security/truststore
      	at org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule.getTrustManagers(OpenAMSessionModule.java:223)
      	at org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule.configureSsl(OpenAMSessionModule.java:206)
      	at org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule.initialize(OpenAMSessionModule.java:170)
      	at org.forgerock.openidm.auth.modules.IDMAuthModuleWrapper.initialize(IDMAuthModuleWrapper.java:181)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter$AuthenticationFilterBuilder.initializeModule(AuthenticationFilter.java:290)
      	at org.forgerock.caf.authentication.framework.AuthenticationFilter$AuthenticationFilterBuilder.build(AuthenticationFilter.java:280)
      	at org.forgerock.openidm.auth.AuthenticationService.configureAuthenticationFilter(AuthenticationService.java:433)
      	at org.forgerock.openidm.auth.AuthenticationService.activate(AuthenticationService.java:342)
      	... 78 more
      Caused by: org.apache.felix.log.LogException: java.lang.IllegalStateException: Unable to load keystore
      	at org.forgerock.security.keystore.KeyStoreBuilder.build(KeyStoreBuilder.java:250)
      	at org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule.buildKeyStore(OpenAMSessionModule.java:234)
      	at org.forgerock.jaspi.modules.session.openam.OpenAMSessionModule.getTrustManagers(OpenAMSessionModule.java:218)
      	... 85 more
      Caused by: org.apache.felix.log.LogException: java.io.IOException: Keystore was tampered with, or password was incorrect
      	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)
      	at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
      	at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
      	at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
      	at java.security.KeyStore.load(KeyStore.java:1445)
      	at org.forgerock.security.keystore.KeyStoreBuilder.build(KeyStoreBuilder.java:245)
      	... 87 more
      Caused by: java.security.UnrecoverableKeyException: Password verification failed
      	at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)
      	... 92 more
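      The trace bottoms out in KeyStore.load() being handed the literal OBF:/CRYPT: string from boot.properties, which JKS reports as a wrong password. The following is an added example, not OpenIDM's or ForgeRock's code: it reproduces that failure against a constructed in-memory truststore and shows the missing step of resolving the configured value first. It assumes IDM's OBF: values use Jetty's Password obfuscation scheme (CRYPT: values, which IDM decrypts with its own crypto service, are only rejected here), and the class name TruststorePasswordCheck is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

public class TruststorePasswordCheck {
    // Reverse of Jetty's Password.obfuscate(); assumes IDM's OBF: values use that scheme.
    static String deobfuscate(String s) {
        s = s.substring("OBF:".length());
        byte[] b = new byte[s.length() / 2];
        int l = 0;
        for (int i = 0; i < s.length(); i += 4) {
            if (s.charAt(i) == 'U') {           // non-ASCII byte: 'U' plus 4 base-36 digits
                b[l++] = (byte) (Integer.parseInt(s.substring(++i, i + 4), 36) >> 8);
            } else {                             // ASCII byte: 4 base-36 digits
                int i0 = Integer.parseInt(s.substring(i, i + 4), 36);
                b[l++] = (byte) (((i0 / 256) + (i0 % 256) - 254) / 2);
            }
        }
        return new String(b, 0, l, StandardCharsets.UTF_8);
    }

    // The step the trace shows is skipped: decode the boot.properties value before KeyStore.load().
    static char[] resolve(String value) {
        if (value.startsWith("OBF:")) return deobfuscate(value).toCharArray();
        if (value.startsWith("CRYPT:")) throw new IllegalArgumentException("CRYPT: is decrypted by IDM's crypto service, not reproduced here");
        return value.toCharArray();             // clear text, the case that works in step 3
    }

    // Same call OpenAMSessionModule.buildKeyStore() ends up making: open the JKS truststore with a password.
    static boolean opens(byte[] jks, char[] password) throws GeneralSecurityException {
        try {
            KeyStore.getInstance("JKS").load(new ByteArrayInputStream(jks), password);
            return true;
        } catch (IOException e) {                // "Keystore was tampered with, or password was incorrect"
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed: an empty JKS truststore protected with "changeit".
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "changeit".toCharArray());
        String configured = "OBF:1vn21ugu1saj1v9i1v941sar1ugw1vo0"; // Jetty obfuscation of "changeit"
        System.out.println("prefixed string used as-is: " + opens(out.toByteArray(), configured.toCharArray()));
        System.out.println("value resolved first:       " + opens(out.toByteArray(), resolve(configured)));
    }
}
```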
      
      

      People

        Assignee: patrickdiligent (patrick diligent)
        Reporter: yinyan.cao (Yinyan Cao)