Finding org.forgerock.json.crypto.JsonCryptoException: Decryption failed errors in IDM/OpenIDM

Last updated Dec 21, 2018

The purpose of this article is to provide assistance if you encounter "org.forgerock.json.crypto.JsonCryptoException: Decryption failed" errors in IDM/OpenIDM. These errors surface in a variety of places (repository bootstrap, provisioners, the audit service, authentication modules) but share a single root cause: an encrypted configuration value that cannot be decrypted with the key held in the instance's keystore.


Symptoms

You will see the "org.forgerock.json.crypto.JsonCryptoException: Decryption failed" error in different contexts depending on where the issue is occurring. Common related errors include:

  • Configuration invalid and could not be parsed, can not start JDBC repository:
    WARNING: Configuration invalid and could not be parsed, can not start JDBC repository: 
    org.forgerock.json.JsonValueException: /password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed 
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48) 
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50) 
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42) 
       at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:80) 
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52) 
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50) 
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42) 
    
  • Failed to load configuration file to bootstrap jdbc-default:
    WARNING: Failed to load configuration file to bootstrap jdbc-default
    org.forgerock.json.JsonValueException: /password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
       at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:80)
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
    
    
  • OpenICF Provisioner Service configuration has errors:
    SEVERE: OpenICF Provisioner Service configuration has errors
    org.forgerock.json.JsonValueException: /configurationProperties/credentials: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
       at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:80)
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
    
  • Configuration invalid, can not start Audit service:
    WARNING: Configuration invalid, can not start Audit service.
    org.forgerock.json.JsonValueException: /eventHandlers/2/config/security/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
       at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:80)
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
    
  • The activate method has thrown an exception:
    SEVERE: Bundle: org.forgerock.openidm.authnfilter [59] [org.forgerock.openidm.authentication(20)] The activate method has thrown an exception
    org.apache.felix.log.LogException: org.forgerock.json.JsonValueException: /serverAuthContext/authModules/0/properties/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:48)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
       at org.forgerock.json.JsonValueTraverseFunction.traverseMap(JsonValueTraverseFunction.java:80)
       at org.forgerock.json.crypto.JsonDecryptFunction.traverseMap(JsonDecryptFunction.java:52)
       at org.forgerock.json.JsonValueTraverseFunction.traverse(JsonValueTraverseFunction.java:50)
       at org.forgerock.json.JsonValueTraverseFunction.apply(JsonValueTraverseFunction.java:42)
    
Note

The affected field is identified by the JSON pointer that immediately precedes the common error, for example /password or /configurationProperties/credentials. Read it as a path into the configuration file being loaded; a numeric segment such as the 2 in /eventHandlers/2/config/security/password is an array index. You may see other fields mentioned depending on your configuration.

Recent Changes

Copied configuration files from one instance to another.

Copied the keystore from one instance to another.

Causes

The affected field (typically a password or credential) was encrypted with a different key from the one now being used to decrypt it. Each $crypto block records the alias of the symmetric key that produced it (the stableId, openidm-sym-default by default), and IDM looks that alias up in its own keystore when it loads the configuration; if the key stored under that alias is not the one used for encryption, decryption (including the integrity check on the block) fails and the configuration object cannot be loaded. The key under that alias must therefore not change between encryption and decryption. This typically happens when configuration files have been copied between environments whose keystores hold different keys, but it also happens when a keystore is replaced or copied over an instance whose configuration has already been encrypted with the previous key.

Solution

Note

Please be aware of the following:

This issue can be resolved as follows:

  1. If you have a clustered deployment, ensure the keystore and truststore are identical on every server; compare checksums of the files, for example with sha256sum (sha1sum or md5sum are also adequate here, because you are only checking that the files are identical, not defending against collisions). A node whose keystore holds a different key cannot read configuration encrypted by the others.
  2. Identify which file(s) need updating:
    • For the "Configuration invalid and could not be parsed, can not start JDBC repository" error, you should update the datasource.jdbc-default.json file (located in the /path/to/idm/conf directory).
    • For the "Configuration invalid, can not start Audit service" error, you should update the audit.json file (located in the /path/to/idm/conf directory).
    • For "OpenICF Provisioner Service configuration has errors", you should update your provisioner configuration files.
    • For the other errors, search all files in the /path/to/idm/conf directory for $crypto blocks and update each file you find. Every encrypted block carries a "cipher" entry, so a grep such as the following lists the files that contain one (-l prints only the file names):
      $ grep -ilR "cipher" /path/to/idm/conf
  3. Shutdown the IDM/OpenIDM instance.
  4. Remove the $crypto block from the relevant configuration file(s) for the affected field noted in the error and replace it with plain text. For example, to update the password field in the datasource.jdbc-default.json file, you would change the password field from:
       "password" : {
           "$crypto" : {
               "type" : "x-simple-encryption",
               "value" : {
                   "cipher" : "AES/CBC/PKCS5Padding",
                   "stableId" : "openidm-sym-default",
                   "salt" : "cQT6VZXz9G91RV87dbLM+A==",
                   "data" : "YTpjLiT1igQ1ATrHIKcsiQ==",
                   "keySize" : 16,
                   "purpose" : "idm.config.encryption",
                   "iv" : "CaorpaRq6v410nPFRjmIXw==",
                   "mac" : "Q+GQGOQllGy4DPq8Ti88MQ=="
               }
           }
       },
    
    To:
      "password" : "plain_text_value",
    
  5. Restart the IDM/OpenIDM instance. On startup IDM encrypts the plain text value with the key in the instance keystore and writes a new $crypto block back to the configuration file. Afterwards, confirm the file no longer contains the plain text value, and delete the plain text from any working copies, backups or version control you created along the way; if the plain text file was readable by others while it sat on disk, consider rotating that credential.
  6. Repeat steps 3 to 5 on every server if you have a clustered deployment.
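Steps 2 to 4 can be scripted so that the field is located by the JSON pointer printed in the error rather than by hand-editing nested JSON. The following Python script is an added example, not ForgeRock code: it parses the pointer out of the log line, lists every $crypto block in a configuration object together with the stableId it was encrypted under, and replaces the affected block with a plain text value while refusing to overwrite anything that is not an encrypted block. The two configuration fragments are constructed for the example, and scan_conf_dir and reset_field_in_file are names chosen here, not IDM commands. Run it with IDM stopped, against the conf directory, and let IDM re-encrypt the value on restart as described in step 5.

```python
"""Reset an IDM configuration field that failed to decrypt.

Added example, not ForgeRock code. The JSON pointer that IDM prints before
"Decryption failed" is used to find the "$crypto" block in a conf/*.json file
and replace it with a plain text value for IDM to re-encrypt on restart.
"""
import json
import re
from pathlib import Path
from typing import Any, Dict, List, Optional, Tuple

# Captures the JSON pointer from the error format shown in the stack traces.
_ERR_RE = re.compile(
    r"JsonValueException: (?P<pointer>/\S+?): "
    r"org\.forgerock\.json\.crypto\.JsonCryptoException: Decryption failed"
)

# Constructed sample: a datasource.jdbc-default.json-style fragment whose
# password carries the $crypto block quoted in the article.
SAMPLE_DATASOURCE: Dict[str, Any] = {
    "username": "openidm",
    "password": {"$crypto": {"type": "x-simple-encryption", "value": {
        "cipher": "AES/CBC/PKCS5Padding", "stableId": "openidm-sym-default",
        "salt": "cQT6VZXz9G91RV87dbLM+A==", "data": "YTpjLiT1igQ1ATrHIKcsiQ==",
        "keySize": 16, "purpose": "idm.config.encryption",
        "iv": "CaorpaRq6v410nPFRjmIXw==", "mac": "Q+GQGOQllGy4DPq8Ti88MQ=="}}},
}

# Constructed sample: an audit.json-style fragment where the encrypted field
# sits inside an array, matching the "/eventHandlers/2/..." error above.
SAMPLE_AUDIT: Dict[str, Any] = {
    "eventHandlers": [
        {"name": "json"},
        {"name": "csv"},
        {"name": "jms", "config": {"security": {"password": {"$crypto": {
            "type": "x-simple-encryption",
            "value": {"stableId": "openidm-sym-default", "data": "..."}}}}}},
    ]
}


def parse_decryption_error(log_line: str) -> Optional[str]:
    """Return the JSON pointer named in a 'Decryption failed' log line, or None."""
    m = _ERR_RE.search(log_line)
    return m.group("pointer") if m else None


def _pointer_tokens(pointer: str) -> List[str]:
    # RFC 6901: "/" separates tokens; "~1" and "~0" escape "/" and "~".
    if not pointer.startswith("/"):
        raise ValueError(f"not a JSON pointer: {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]


def find_crypto_blocks(node: Any, pointer: str = "") -> List[Tuple[str, str]]:
    """List (pointer, stableId) for every "$crypto" block found under node."""
    found: List[Tuple[str, str]] = []
    if isinstance(node, dict):
        if "$crypto" in node:
            value = node["$crypto"].get("value", {})
            found.append((pointer or "/", value.get("stableId", "?")))
            return found  # do not descend into the ciphertext fields
        for key, child in node.items():
            found.extend(find_crypto_blocks(child, f"{pointer}/{key}"))
    elif isinstance(node, list):
        for idx, child in enumerate(node):
            found.extend(find_crypto_blocks(child, f"{pointer}/{idx}"))
    return found


def replace_encrypted_field(config: Dict[str, Any], pointer: str, plaintext: str) -> Dict[str, Any]:
    """Return a copy of config with the "$crypto" block at pointer replaced by plaintext.

    Refuses to touch a field that is not an encrypted block, so a mistyped
    pointer cannot silently clobber unrelated configuration.
    """
    new_config = json.loads(json.dumps(config))  # deep copy; original untouched
    tokens = _pointer_tokens(pointer)
    parent: Any = new_config
    for tok in tokens[:-1]:
        parent = parent[int(tok)] if isinstance(parent, list) else parent[tok]
    last: Any = int(tokens[-1]) if isinstance(parent, list) else tokens[-1]
    current = parent[last]
    if not (isinstance(current, dict) and "$crypto" in current):
        raise ValueError(f"{pointer} is not a $crypto block; refusing to overwrite")
    parent[last] = plaintext
    return new_config


def scan_conf_dir(conf_dir: Path) -> Dict[str, List[Tuple[str, str]]]:
    """Map each *.json file in conf_dir to the $crypto blocks it contains (step 2)."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    for path in sorted(conf_dir.glob("*.json")):
        blocks = find_crypto_blocks(json.loads(path.read_text()))
        if blocks:
            result[path.name] = blocks
    return result


def reset_field_in_file(conf_file: Path, log_line: str, plaintext: str) -> str:
    """Apply step 4 to conf_file using the pointer from log_line; returns the pointer."""
    pointer = parse_decryption_error(log_line)
    if pointer is None:
        raise ValueError("log line does not contain a Decryption failed error")
    fixed = replace_encrypted_field(json.loads(conf_file.read_text()), pointer, plaintext)
    conf_file.write_text(json.dumps(fixed, indent=4) + "\n")
    return pointer


if __name__ == "__main__":
    line = ("org.forgerock.json.JsonValueException: /eventHandlers/2/config/security/password: "
            "org.forgerock.json.crypto.JsonCryptoException: Decryption failed")
    ptr = parse_decryption_error(line)
    print("affected field:", ptr)
    print("encrypted fields in audit sample:", find_crypto_blocks(SAMPLE_AUDIT))
    print(json.dumps(replace_encrypted_field(SAMPLE_AUDIT, ptr, "plain_text_value"), indent=2))
```

Because reset_field_in_file rewrites the whole file through json.dumps, comments or hand formatting in the original file are lost; IDM rewrites the file on restart anyway, but keep a copy of the original outside the conf directory until the instance starts cleanly, then delete it, since that copy contains the plain text value.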

See Also

Given final block not properly padded error when starting IDM/OpenIDM (All versions)

Resource exception: 500 Internal Server Error keeps happening in IDM/OpenIDM (All versions)

How do I change the default keystore password in IDM/OpenIDM (All versions)?

How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore?

How do I hash the password for openidm-admin before the first startup of IDM/OpenIDM (All versions)?

Integrator's Guide › Securing and Hardening Servers

Integrator's Guide › Configuring SSL with a JDBC Repository

Integrator's Guide › Clustering, Failover, and Availability

Integrator's Guide › Configuring an IDM Instance as Part of a Cluster 

Related Training

N/A

Related Issue Tracker IDs

OPENIDM-10542 (IDM decryption fails with AES 256-bit key)



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.