OpenIDM
OPENIDM-15254

No longer possible to change the default Encryption Keys


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 7.0.0
    • Fix Version/s: 7.0.0
    • Sprint: 2020.10 - IDM


      When I try to change the default self-signed SSL certificate (which has the openidm-localhost alias) by following https://qa-backstage.forgerock.com/docs/idm/7/security-guide/import-signed-cert.html, restarting IDM gives decryption errors and IDM cannot be accessed anymore over HTTPS.


      Steps to reproduce:

      • Start a default IDM instance
      • Stop the instance
      • Add a CA signed certificate to the keystore
      • Update the secrets.json accordingly
      • Restart IDM


      The nohup.out will contain the following stack trace:


      Executing ./startup.sh...
      Using OPENIDM_HOME:   /opt/forgerock/products/IDM/openidm
      Using PROJECT_HOME:   /opt/forgerock/products/IDM/projects/StarCas
      Using OPENIDM_OPTS:   -Xmx2048m -Xms2048m
      Using LOGGING_CONFIG: -Djava.util.logging.config.file=/opt/forgerock/products/IDM/projects/StarCas/conf/logging.properties
      WARNING: An illegal reflective access operation has occurred
      WARNING: Illegal reflective access by org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender (file:/opt/forgerock/products/IDM/openidm/bin/felix.jar) to method java.net.URLClassLoader.addURL(java.net.URL)
      WARNING: Please consider reporting this to the maintainers of org.apache.felix.framework.ext.ClassPathExtenderFactory$DefaultClassLoaderExtender
      WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
      WARNING: All illegal access operations will be denied in a future release
      -> ShellTUI: Unable to read from stdin...exiting.
      [17] août 03, 2020 6:06:26.543 PM org.forgerock.openidm.config.logging.LogServiceTracker logEntry
      GRAVE: Bundle: org.forgerock.openidm.external-rest [250] bundle org.forgerock.openidm.external-rest:7.0.0.SNAPSHOT (250)[org.forgerock.openidm.external.rest(106)] : The activate method has thrown an exception
      org.apache.felix.log.LogException: org.osgi.service.component.ComponentException: Failed to initialize External REST service
              at org.forgerock.openidm.external.rest.RestService.activate(RestService.java:228)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
              at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
              at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
              at java.base/java.lang.reflect.Method.invoke(Method.java:566)
              at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:228)

      Caused by: java.security.UnrecoverableKeyException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
              at java.base/com.sun.crypto.provider.KeyProtector.recover(KeyProtector.java:221)
              at java.base/com.sun.crypto.provider.JceKeyStore.engineGetKey(JceKeyStore.java:141)
              at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
              at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
              at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
              at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
              at org.forgerock.opendj.security.KeyManagers.getX509KeyManager(KeyManagers.java:311)
              at org.forgerock.opendj.security.KeyManagers.useJvmDefaultKeyManager(KeyManagers.java:366)
              at org.forgerock.openidm.external.rest.RestService.activate(RestService.java:213)
              ... 106 more


      Even though the new keystore file can be read (default keystore.jceks keystore type or keystore password unchanged) with keytool,
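      The trace above fails inside SunX509KeyManagerImpl, which recovers every key entry with the single password handed to KeyManagerFactory.init, whereas keytool -list only loads the keystore and never recovers private keys, so it cannot detect a key entry whose key password differs from the store password. The following diagnostic, added here as an example and not part of the issue or of IDM, repeats that per-alias recovery so a mismatch surfaces before startup; the keystore path, type and "changeit" password are assumed defaults and should be replaced with the real values.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Enumeration;

/** Verifies that every key entry in a keystore is recoverable with the store password. */
public class KeyEntryCheck {

    /** Returns true only if all key entries could be recovered; reports one line per alias. */
    public static boolean allKeysRecoverable(String path, String type, char[] storePassword)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword); // this step is all that keytool -list exercises
        }
        boolean ok = true;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                System.out.println(alias + ": certificate entry, skipped");
                continue;
            }
            try {
                // Same call SunX509KeyManagerImpl makes, with the store password as key password
                ks.getKey(alias, storePassword);
                System.out.println(alias + ": key recoverable with store password");
            } catch (UnrecoverableKeyException ex) {
                ok = false;
                System.out.println(alias + ": NOT recoverable with store password (" + ex.getMessage() + ")");
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // Assumed usage: java KeyEntryCheck <keystore path> <keystore type> <store password>
        // Defaults below are placeholders, not values taken from the issue.
        String path = args.length > 0 ? args[0] : "security/keystore.jceks";
        String type = args.length > 1 ? args[1] : "JCEKS";
        char[] pw = (args.length > 2 ? args[2] : "changeit").toCharArray();
        boolean ok = allKeysRecoverable(path, type, pw);
        System.out.println(ok ? "all key entries recoverable"
                              : "at least one key entry uses a different key password");
        System.exit(ok ? 0 : 1);
    }
}
```

      An alias reported as not recoverable will reproduce the "Given final block not properly padded" failure at startup, because JCEKS decrypts the protected key with the supplied password and a wrong password yields bad padding rather than a clean "wrong password" error.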




      Attachments:
        1. idp.p12 (3 kB, Cyril Grosjean)
        2. keystore.jceks (9 kB, Cyril Grosjean)
        3. nohup.out (189 kB, Cyril Grosjean)
        4. nohup.out.debug (189 kB, Cyril Grosjean)
        5. openidm0.log.0 (261 kB, Cyril Grosjean)
        6. secrets.json (2 kB, Cyril Grosjean)



            • Assignee: Lana Frost
            • Reporter: Cyril Grosjean
            • QA Assignee: Son Nguyen
            • Votes: 0
            • Watchers: 5