
2025.1.1 AM fails: Can't open boot keystore #692

@jsanhc

Environment

  • MacBook Pro M2 Pro, 16GB, Sequoia 15.3.1
  • Minikube v1.34.0
    • cpus: 4
    • disk-size: 40g
    • driver: docker
    • kubernetes:
      • Client Version: v1.32.1
      • Kustomize Version: v5.5.0
      • Server Version: v1.31.0
    • memory: 8g
  • Deployment helm procedure
  • Forgeops Tag 2025.1.1
    • secret-agent 1.2.0 (currently the version provided in charts/identity-platform/scripts/install-prereqs)

Description

I'm currently deploying the identity-platform locally with Helm on minikube. All seems to work properly, and the SAC generates the secrets properly.
AM startup fails with the error below:
com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available.
Caused by:

"exception":"java.io.IOException: Can't open boot keystore
...
Caused by: java.security.KeyStoreException: Exception trying to fetch key with alias configStorePwd
...
Caused by: java.security.KeyStoreException: Incorrect password used to retrieve secret key with alias configStorePwd

am-keystore has been generated properly with all expected aliases, but it seems that the password used to import the aliases configstorepwd and dsameuserpwd is not the expected .keypass defined in the SAC, or maybe the importpassword secret-agent command doesn't work properly. These are the only two entries in the SAC that use the importpassword command.

I have copied the keystore /home/forgerock/openam/security/keystores/keystore.jceks locally to verify that the password used for the keystore and the key are correct.

Effectively, I cannot get the password keys configstorepwd and dsameuserpwd; they are the only password keys imported using the cmd alias importpassword. The sourcePath defined in the SAC to import these passwords is ok, and the keystore can be opened using the .storepass, but it is not possible to get the aliases configstorepwd and dsameuserpwd using the expected .keypass. The other keys are ok and can be opened with the .keypass.

Verified using KeyStore Explorer and a simple Java class.

Simple Java class to retrieve the password key aliases for verification:

import javax.crypto.SecretKey;

import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;

public class Main {
    public static void main(String[] args) throws Exception {
        /* Boot
        "keystores" : {
            "default" : {
              "keyStorePasswordFile" : "/home/forgerock/openam/security/secrets/default/.storepass",
              "keyPasswordFile" : "/home/forgerock/openam/security/secrets/default/.keypass",
              "keyStoreType" : "JCEKS",
              "keyStoreFile" : "/home/forgerock/openam/security/keystores/keystore.jceks"
            }
         */
        // keystore.jceks copied from the AM pod into the working directory
        String fileName = "keystore.jceks";
        char[] storepass = "STOREPASS_VALUE".toCharArray(); // .storepass value
        char[] keypass = "KEYPASS_VALUE".toCharArray();     // .keypass value
        String alias = "configstorepwd";

        KeyStore ks = KeyStore.getInstance("JCEKS");

        // Open the keystore with the store password, then recover the secret key with the key
        // password; a wrong key password surfaces as UnrecoverableKeyException from getKey().
        try (FileInputStream fis = new FileInputStream(fileName)) {
            ks.load(fis, storepass);
            SecretKey secretKey = (SecretKey) ks.getKey(alias, keypass);
            System.out.println(new BigInteger(1, secretKey.getEncoded()).toString(16));
        }
    }
}

Exception in thread "main" java.security.UnrecoverableKeyException: java.security.Key: [SECRET] [PBEWithMD5AndDES] [RAW]

AM Stack trace

{"timestamp":"2025-03-02T12:13:35.011Z","level":"ERROR","thread":"main","logger":"com.sun.identity.setup.AMSetupServlet",
"message":"AMSetupServlet.checkConfigProperties","context":"default",
"exception":"java.io.IOException: Can't open boot keystore
    at com.sun.identity.setup.BootstrapData.<init>(BootstrapData.java:95)
    at com.sun.identity.setup.AMSetupServlet.checkConfigProperties(AMSetupServlet.java:344)
    at com.sun.identity.setup.AMSetupServlet.init(AMSetupServlet.java:241)
    at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:984)
    at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:941)
    at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:838)
    at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4193)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:4494)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:599)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:571)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:603)
    at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1175)
    at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:1888)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:123)
    at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:1086)
    at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:470)
    at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1584)
    at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:312)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:109)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:389)
    at org.apache.catalina.util.LifecycleBase.setState(LifecycleBase.java:336)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:776)
    at org.apache.catalina.core.StandardHost.startInternal(StandardHost.java:721)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1203)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1193)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
    at java.base/java.util.concurrent.AbstractExecutorService.submit(AbstractExecutorService.java:145)
    at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:749)
    at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:211)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:415)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:874)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:164)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:739)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:569)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:345)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.security.KeyStoreException: Exception trying to fetch key with alias configStorePwd
    at org.forgerock.openam.utils.AMKeyProvider.getSecret(AMKeyProvider.java:630)
    at com.sun.identity.setup.BootstrapData.<init>(BootstrapData.java:92)
    ... 46 common frames omitted
Caused by: java.security.KeyStoreException: Incorrect password used to retrieve secret key with alias configStorePwd
    at org.forgerock.openam.utils.AMKeyProvider.getSecret(AMKeyProvider.java:624)
    ... 47 common frames omitted
","transactionId":null}
02-Mar-2025 12:13:35.721 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/am] has finished in [4,669] ms
02-Mar-2025 12:13:35.725 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
02-Mar-2025 12:13:35.730 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8081"]
02-Mar-2025 12:13:35.731 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [4694] milliseconds
com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available.
        at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:124)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.forgerock.openam.validation.RequestEntitySizeVerificationFilter.doFilter(RequestEntitySizeVerificationFilter.java:66)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.forgerock.openam.audit.context.AuditContextFilter.doFilter(AuditContextFilter.java:43)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:168)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:168)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:482)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:130)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:346)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:396)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:937)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1791)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1190)
        at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
        at java.base/java.lang.Thread.run(Thread.java:840)
10.244.0.1 - - [02/Mar/2025:12:13:39 +0000] "GET /am/json/health/live HTTP/1.1" 500 3511 51ms
com.sun.identity.common.configuration.ConfigurationException: Configuration store is not available.
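A more general check than the single-alias class in the report, added here as an example and not code from ForgeOps or secret-agent: it walks every alias in the keystore and reports which password, if any, recovers each entry, so it shows directly whether configstorepwd and dsameuserpwd were imported under the store password or under some third value. The keystore and password file paths are taken from the command line and are assumed to be the files copied out of the AM pod.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/* Added diagnostic, not ForgeOps or secret-agent code: opens a JCEKS keystore with the
 * .storepass value and reports, for every key entry, whether it can be recovered with
 * the .keypass value, only with the .storepass value, or with neither. */
public class KeystoreAliasCheck {
    // args: <keystore.jceks> <.storepass file> <.keypass file>
    public static void main(String[] args) throws Exception {
        char[] storepass = readPassword(args[1]);
        char[] keypass = readPassword(args[2]);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream fis = new FileInputStream(args[0])) {
            ks.load(fis, storepass); // a wrong store password fails here, not per alias
        }
        for (String alias : Collections.list(ks.aliases())) {
            String verdict;
            if (!ks.isKeyEntry(alias)) {
                verdict = "certificate entry, no key password";
            } else if (opensWith(ks, alias, keypass)) {
                verdict = "ok: recovered with .keypass";
            } else if (opensWith(ks, alias, storepass)) {
                verdict = "MISMATCH: recovered only with .storepass (imported under the store password)";
            } else {
                verdict = "MISMATCH: not recoverable with .keypass or .storepass";
            }
            System.out.printf("%-20s %s%n", alias, verdict);
        }
    }

    // JCEKS reports a wrong key password on a secret-key entry as UnrecoverableKeyException
    static boolean opensWith(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            return ks.getKey(alias, password) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    // Read the password file raw and strip only a trailing newline, which otherwise becomes part of the password
    static char[] readPassword(String path) throws java.io.IOException {
        String raw = new String(Files.readAllBytes(Paths.get(path)), StandardCharsets.UTF_8);
        return raw.replaceAll("[\\r\\n]+$", "").toCharArray();
    }
}
```

Run it as `java KeystoreAliasCheck keystore.jceks .storepass .keypass`; an alias reported as recoverable only with .storepass points at the import step rather than at the .keypass secret itself.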