- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 7.0.0, 6.0.0.5, 6.5.0.2
- Component/s: Module - Command line
- Labels:

Problem
Using the IDM cli.sh with the keytool option to export a secret key from one IDM instance and then importing this into a second IDM instance causes the second IDM to fail to start with the following error:
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
The cli.sh keytool documentation: https://backstage.forgerock.com/docs/idm/6.5/integrators-guide/#cli-keytool
To reproduce
1). Unzip IDM 7.0 (or 6.x)
2). Start IDM
3). Export the default openidm-sym-default SecretKeyEntry using cli.sh:
./cli.sh keytool --export openidm-sym-default
[OK] Secret key entry with algorithm AES
AES:b7b37f6fdb15f28f94e78ca43c2ce0aa
4). Unzip a second instance of IDM (but do not start it)
5). Import the exported SecretKeyEntry from instance 1 using cli.sh (use a different alias):
./cli.sh keytool --import openidm-sym-default-new
6). List the contents of the keystore on instance 2:
keytool -list -keystore security/keystore.jceks -storepass changeit -storetype JCEKS -v
Note that the listing includes the new key:
Alias name: openidm-sym-default-new
Creation date: 17-Jan-2020
Entry type: SecretKeyEntry
7). Update conf/secrets.json with the new key alias (for 7.0/6.5; for 6.0, update boot.properties and managed.json instead) and check all conf files to ensure no passwords have already been encrypted (none should be, as IDM instance 2 has not yet been started).
8). Start IDM instance 2 for the first time and the error is seen:
org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.felix.webconsole-null for property /password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
    at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
    at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
    at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
    at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
    at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
    at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
    at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
    at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
    at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
    ... 17 more
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
    at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
    at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
    at javax.crypto.Cipher.implInit(Cipher.java:802)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
    at javax.crypto.Cipher.init(Cipher.java:1249)
    at javax.crypto.Cipher.init(Cipher.java:1186)
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
    ... 20 more
[129] Jan 17, 2020 10:09:41.804 AM org.forgerock.openidm.config.installer.JSONConfigInstaller setConfig
WARNING: Loading configuration file /home/forgerock/openidm7_2/conf/authentication.json failed
org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.authentication-null for property /serverAuthContext/authModules/0/properties/password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
    at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
    at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
    at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
    at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
    at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
    at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
    at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
    at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
    at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
    at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
    at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
    at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
    ... 17 more
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
    at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
    at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
    at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
    at javax.crypto.Cipher.implInit(Cipher.java:802)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
    at javax.crypto.Cipher.init(Cipher.java:1249)
    at javax.crypto.Cipher.init(Cipher.java:1186)
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
    at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
    ... 20 more
Note the error:
Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
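A pre-import check, added here as an example and not part of IDM or of this report: it parses the ALG:hex line that cli.sh keytool --export prints and applies the same AES key-length rule the JCE enforces at start-up (16, 24 or 32 bytes), so a 17-byte key is caught before the second instance is started. The function names are mine, and the sample export output is constructed from the value shown in the steps above.

```python
import binascii
from typing import Optional, Tuple

# AES key sizes (in bytes) accepted by the JCE AES cipher; any other length
# fails Cipher.init with "Invalid AES key length: N bytes", the error above.
VALID_AES_KEY_SIZES = (16, 24, 32)

# Constructed sample: the output 'cli.sh keytool --export' prints in the
# reproduction steps (the hex value is the one shown in this report).
SAMPLE_EXPORT_OUTPUT = """[OK] Secret key entry with algorithm AES
AES:b7b37f6fdb15f28f94e78ca43c2ce0aa
"""


def jce_aes_key_error(key: bytes) -> Optional[str]:
    """Reproduce the JCE length check so a bad key is caught before IDM
    starts. Returns None for a usable key, else the message the JCE raises."""
    if len(key) not in VALID_AES_KEY_SIZES:
        return f"Invalid AES key length: {len(key)} bytes"
    return None


def parse_export_output(text: str) -> Tuple[str, bytes]:
    """Extract (algorithm, raw key bytes) from the --export output.
    Status lines such as '[OK] ...' are skipped; the key line is 'ALG:hex'.
    Whitespace is stripped before hex-decoding so a trailing newline or
    space cannot leak into the key material."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):
            continue
        alg, sep, hexpart = line.partition(":")
        if not sep:
            continue
        return alg.strip().upper(), binascii.unhexlify(hexpart.strip())
    raise ValueError("no ALG:hex key line found in export output")


def check_export(text: str) -> dict:
    """Validate exported key material before importing it into another
    instance. Returns the algorithm, key length in bytes and any error."""
    alg, key = parse_export_output(text)
    if alg != "AES":
        error = f"unexpected algorithm {alg}"
    else:
        error = jce_aes_key_error(key)
    return {"algorithm": alg, "key_bytes": len(key), "error": error}
```

This validates only the material cli.sh prints; the bytes that --import actually writes into security/keystore.jceks are what the JCE checks at start-up, so a clean export does not by itself rule out the failure reported here.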