OpenIDM / OPENIDM-14287

cli.sh keytool export and import causes IDM startup failure with 'Invalid AES key length' error

    Details

      Description

      Problem

      Using the IDM cli.sh with the keytool option to export a secret key from one IDM instance and then importing this into a second IDM instance causes the second IDM to fail to start with the following error:

      Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes 

      The cli.sh keytool documentation: https://backstage.forgerock.com/docs/idm/6.5/integrators-guide/#cli-keytool

      To reproduce

      1). Unzip IDM 7.0 (or 6.x)

      2). Start IDM

      3). Export the default openidm-sym-default SecretKeyEntry using cli.sh:

      ./cli.sh keytool --export openidm-sym-default

      [OK] Secret key entry with algorithm AES
      AES:b7b37f6fdb15f28f94e78ca43c2ce0aa

      4). Unzip a second instance of IDM (but do not start it)

      5). Import the exported SecretKeyEntry from instance 1 using cli.sh (use a different alias):

      ./cli.sh keytool --import openidm-sym-default-new

      6). List the contents of the keystore on instance 2:

      keytool -list -keystore security/keystore.jceks -storepass changeit -storetype JCEKS -v

      …note that this includes the new key:

      Alias name: openidm-sym-default-new
      Creation date: 17-Jan-2020
      Entry type: SecretKeyEntry 

      7). Update conf/secrets.json with new key alias in the case of 7.0/6.5 (or in the case of 6.0 boot.properties and managed.json) and check all conf files to ensure no passwords have been encrypted (this shouldn't be the case as IDM instance 2 has not been started yet).

      8). Start IDM instance 2 for the first time and the error is seen:

       org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.felix.webconsole-null for property /password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
       at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
       at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
       at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
       at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
       at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
       at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
       at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
       at java.lang.Thread.run(Thread.java:745)
      Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
       at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
       at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
       ... 17 more
      Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
       at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
       at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
       at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
       at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
       at javax.crypto.Cipher.implInit(Cipher.java:802)
       at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
       at javax.crypto.Cipher.init(Cipher.java:1249)
       at javax.crypto.Cipher.init(Cipher.java:1186)
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
       ... 20 more
      [129] Jan 17, 2020 10:09:41.804 AM org.forgerock.openidm.config.installer.JSONConfigInstaller setConfig
      WARNING: Loading configuration file /home/forgerock/openidm7_2/conf/authentication.json failed 
      org.forgerock.openidm.config.enhanced.InternalErrorException: Failure during encryption of configuration org.forgerock.openidm.authentication-null for property /serverAuthContext/authModules/0/properties/password : java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:202)
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:152)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:338)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.setConfig(JSONConfigInstaller.java:323)
       at org.forgerock.openidm.config.installer.JSONConfigInstaller.install(JSONConfigInstaller.java:130)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:937)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.install(DirectoryWatcher.java:871)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.doProcess(DirectoryWatcher.java:485)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.process(DirectoryWatcher.java:361)
       at org.apache.felix.fileinstall.internal.DirectoryWatcher.start(DirectoryWatcher.java:243)
       at org.apache.felix.fileinstall.internal.FileInstall.updated(FileInstall.java:253)
       at org.apache.felix.fileinstall.internal.FileInstall$ConfigAdminSupport$Tracker.updated(FileInstall.java:377)
       at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.updated(ManagedServiceFactoryTracker.java:159)
       at org.apache.felix.cm.impl.helper.ManagedServiceFactoryTracker.provideConfiguration(ManagedServiceFactoryTracker.java:93)
       at org.apache.felix.cm.impl.ConfigurationManager$UpdateConfiguration.run(ConfigurationManager.java:1400)
       at org.apache.felix.cm.impl.UpdateThread.run0(UpdateThread.java:138)
       at org.apache.felix.cm.impl.UpdateThread.run(UpdateThread.java:105)
       at java.lang.Thread.run(Thread.java:745)
      Caused by: org.forgerock.json.crypto.JsonCryptoException: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:168)
       at org.forgerock.openidm.crypto.PurposeBasedJsonEncryptor.encrypt(PurposeBasedJsonEncryptor.java:27)
       at org.forgerock.openidm.crypto.impl.CryptoServiceImpl.encrypt(CryptoServiceImpl.java:177)
       at org.forgerock.openidm.config.crypto.ConfigCrypto.encrypt(ConfigCrypto.java:196)
       ... 17 more
      Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes
       at com.sun.crypto.provider.AESCrypt.init(AESCrypt.java:87)
       at com.sun.crypto.provider.CipherBlockChaining.init(CipherBlockChaining.java:91)
       at com.sun.crypto.provider.CipherCore.init(CipherCore.java:582)
       at com.sun.crypto.provider.CipherCore.init(CipherCore.java:458)
       at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:307)
       at javax.crypto.Cipher.implInit(Cipher.java:802)
       at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
       at javax.crypto.Cipher.init(Cipher.java:1249)
       at javax.crypto.Cipher.init(Cipher.java:1186)
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.symmetric(AbstractJsonEncryptor.java:101)
       at org.forgerock.openidm.crypto.AbstractJsonEncryptor.encrypt(AbstractJsonEncryptor.java:166)
       ... 20 more

      Note the error:

      Caused by: java.security.InvalidKeyException: Invalid AES key length: 17 bytes 
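The reproduction above shows that a SecretKeyEntry of an unusable length can sit in security/keystore.jceks undetected until IDM first tries to encrypt a configuration property. The following is an added example, not OpenIDM's own code and not the cli.sh implementation: a small Java helper that (a) parses the `AES:<hex>` line in the format the export step prints, (b) refuses key material whose length AES cannot use before it is written to a keystore, and (c) audits an existing JCEKS keystore for AES entries of bad length so the problem surfaces before step 8 rather than at startup. The class and method names are hypothetical. The 17-byte key in `main` is constructed only to trigger the same `InvalidKeyException` the ticket reports; the example makes no claim about how cli.sh produced a 17-byte key. The store type, path and password `changeit` come from the `keytool -list` command in step 6; the demo uses an in-memory keystore so it runs without any IDM files.

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical helper (not part of OpenIDM): validate AES key material before and after a keystore import. */
public class AesKeyImportCheck {

    // Key sizes AES accepts; any other length fails in Cipher.init with "Invalid AES key length"
    private static final Set<Integer> VALID_AES_KEY_BYTES = Set.of(16, 24, 32);

    /** Parse an "AES:<hex>" line, the format shown by cli.sh keytool --export, into raw key bytes. */
    static byte[] parseExportLine(String line) {
        String s = line.trim();
        if (!s.startsWith("AES:")) {
            throw new IllegalArgumentException("expected a line of the form AES:<hex>");
        }
        String hex = s.substring(4).trim();
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("hex string has odd length " + hex.length());
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }

    /** Refuse key material AES cannot use, so a bad key never reaches the keystore. */
    static SecretKey toAesKey(byte[] raw) {
        if (!VALID_AES_KEY_BYTES.contains(raw.length)) {
            throw new IllegalArgumentException(
                "Invalid AES key length: " + raw.length + " bytes (expected 16, 24 or 32)");
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Initialise a cipher with the key: the same call that fails at IDM startup when the key is bad. */
    static void assertUsable(SecretKey key) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key); // InvalidKeyException for a non-AES length
    }

    /** Audit every SecretKeyEntry in a keystore; returns "alias: N bytes" for AES keys of unusable length. */
    static List<String> auditKeystore(KeyStore ks, char[] entryPassword) throws Exception {
        List<String> problems = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
                continue;
            }
            Key key = ks.getKey(alias, entryPassword);
            int len = key.getEncoded().length;
            if ("AES".equalsIgnoreCase(key.getAlgorithm()) && !VALID_AES_KEY_BYTES.contains(len)) {
                problems.add(alias + ": " + len + " bytes");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray(); // value from the keytool -list command in the ticket
        KeyStore ks = KeyStore.getInstance("JCEKS");
        // In-memory keystore for the demo; to audit a real instance, load security/keystore.jceks instead
        ks.load(null, null);
        KeyStore.PasswordProtection prot = new KeyStore.PasswordProtection(storePass);

        // 16-byte key as printed by the export step: passes the length check and initialises a cipher
        byte[] good = parseExportLine("AES:b7b37f6fdb15f28f94e78ca43c2ce0aa");
        SecretKey goodKey = toAesKey(good);
        assertUsable(goodKey);
        ks.setEntry("openidm-sym-default-new", new KeyStore.SecretKeyEntry(goodKey), prot);

        // Constructed 17-byte key stored without the check: SecretKeySpec does not validate AES sizes,
        // so the keystore accepts it and only Cipher.init complains later
        byte[] seventeen = new byte[17];
        ks.setEntry("constructed-17-byte", new KeyStore.SecretKeyEntry(new SecretKeySpec(seventeen, "AES")), prot);

        System.out.println("keystore audit: " + auditKeystore(ks, storePass));

        try {
            toAesKey(seventeen); // rejected at import time, before the keystore is touched
        } catch (IllegalArgumentException e) {
            System.out.println("import-time check: " + e.getMessage());
        }
        try {
            assertUsable(new SecretKeySpec(seventeen, "AES")); // the failure the ticket sees at startup
        } catch (java.security.InvalidKeyException e) {
            System.out.println("cipher init: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AesKeyImportCheck.java && java AesKeyImportCheck`. To audit a real instance before its first start, replace `ks.load(null, null)` with `ks.load(new java.io.FileInputStream("security/keystore.jceks"), storePass)`; the example assumes the entry password equals the store password, which is an assumption rather than something the ticket states. Running the audit between step 7 and step 8 turns a startup failure into a clear report of which alias carries the bad key.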

            People

            Assignee: Chris Drake (cgdrake)
            Reporter: Andy Itter (andy.itter)
            QA Assignee: Ladislav Folta
            Votes: 0
            Watchers: 6