ForgeRock Identity Platform
Does not apply to Identity Cloud

Public key not found error and cannot log in to Admin UI after upgrading to IDM 7.1

Last updated Jan 11, 2023

The purpose of this article is to provide assistance if you receive a "Public key not found" error and cannot log in to the Admin UI or use the REST API after upgrading to or installing IDM 7.1.


Symptoms

IDM starts successfully but you cannot log in to the Admin UI or use the REST API.

The following error is shown in the openidm log when this happens:

[153] Nov 12, 2021 16:30:17.183 PM org.forgerock.http.servlet.HttpFrameworkServlet lambda$service$1 SEVERE: RuntimeException caught - rootId:97fef852-412b-b298-8c83-77294926e49a-207 org.forgerock.security.keystore.KeystoreManagerException: Public key not found

If you see this error, increase the IDM logging level to FINE, restart IDM, and attempt to log in or use the REST API again. Then look for an error similar to the following to verify that you are seeing the issue outlined in this article (the secret's key usages do not include the encrypt usage that the JWT session module requires):

[159] 2021-11-12 16:31:07.951 FINE org.forgerock.secrets.SecretBuilder build Constraint allowedKeyUsage=[encrypt] for purpose Purpose{'idm.jwt.session.module.encryption', DataEncryptionKey} is not satisfied by secret DataEncryptionKey{stableId=idm, expiryTime=2021-11-12T19:22:09.263651Z, factory=CryptoServiceFactory{provider=SunJCE version 11}, keyUsages=[sign, verify, wrap key, unwrap key]}

Recent Changes

Upgraded to, or installed IDM 7.1.

Imported a CA-signed certificate into the keystore.

Causes

IDM 7.1 introduced changes to respect the keyUsage extension of a certificate, which ensures the certificate is only used for its intended purposes. This error occurs when IDM fails to load a CA-signed certificate because the keyUsage constraints in the certificate are too restrictive for the purpose IDM needs it for (data encryption).

Prior to this release, the keyUsage was not checked.

Solution

This issue can be resolved by upgrading to IDM 7.1.2 or later; you can download this from Backstage.

Workaround

If you are using your own CA, reissue the certificate with the dataEncipherment option included in the keyUsage X.509 extension, or omit the KeyUsage extension altogether (per RFC 5280, a certificate without the extension is not restricted to particular usages). You can then use this certificate with IDM 7.1.
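As an added example (not part of this article or of IDM), the following standard-library Python decodes the DER value of a certificate's KeyUsage extension, reports which RFC 5280 usages it grants, and checks whether dataEncipherment is present; the sample DER bytes are constructed here and represent a typical TLS certificate issued with only digitalSignature and keyEncipherment.

```python
from typing import Optional, Set

# RFC 5280 section 4.2.1.3 KeyUsage bit positions (bit 0 = MSB of first byte).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def decode_key_usage(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING (tag 0x03) carrying the KeyUsage value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:  # short-form length only; KeyUsage is tiny
        raise ValueError("malformed BIT STRING length")
    unused_bits, body = der[2], der[3:]
    usable_bits = len(body) * 8 - unused_bits
    usages = set()
    for i in range(min(usable_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages

def encode_key_usage(usages: Set[str]) -> bytes:
    """Encode a set of usages as a minimal DER BIT STRING (trailing zero bits dropped)."""
    idx = sorted(KEY_USAGE_BITS.index(u) for u in usages)
    if not idx:
        return bytes([0x03, 0x01, 0x00])
    nbits = idx[-1] + 1
    body = bytearray((nbits + 7) // 8)
    for i in idx:
        body[i // 8] |= 0x80 >> (i % 8)
    unused_bits = len(body) * 8 - nbits
    return bytes([0x03, len(body) + 1, unused_bits]) + bytes(body)

def allows_data_encryption(usages: Optional[Set[str]]) -> bool:
    """None means the extension is absent, which RFC 5280 treats as unrestricted."""
    return usages is None or "dataEncipherment" in usages

# Constructed sample: digitalSignature + keyEncipherment only (hex 03 02 05 A0).
SAMPLE_KEY_USAGE_DER = bytes.fromhex("030205a0")

if __name__ == "__main__":
    granted = decode_key_usage(SAMPLE_KEY_USAGE_DER)
    print("granted:", sorted(granted), "data encryption ok:", allows_data_encryption(granted))
    print("reissue with:", encode_key_usage(granted | {"dataEncipherment"}).hex())
```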

See Also

Using CA-Signed Certificates

RFC 5280: Key Usage

Related Training

N/A

Related Issue Tracker IDs

OPENIDM-16696 (Failing to load a CA-signed certificate due to restrictive KeyUsage constraints in the certificates themselves)

COMMONS-720 (Secrets API should accept "wrap key" KeyUsage for DataEncryption with RSA)


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.