Public key not found error and cannot log in to Admin UI after upgrading to IDM 7.1
The purpose of this article is to provide assistance if you receive a "Public key not found" error, and cannot log in to the Admin UI or use the REST API after upgrading to, or installing IDM 7.1.
Symptoms
The following error is shown in the openidm log when this happens:
Nov 12, 2021 16:30:17.183 PM org.forgerock.http.servlet.HttpFrameworkServlet lambda$service$1 SEVERE: RuntimeException caught - rootId:97fef852-412b-b298-8c83-77294926e49a-207 org.forgerock.security.keystore.KeystoreManagerException: Public key not found
If you see this error, increase the IDM logging level to FINE, restart IDM and attempt to log in or use the REST API again. Then look for a FINE entry similar to the following, which confirms you are seeing the issue described in this article (the key's usages include sign, verify, wrap key and unwrap key, but not the encrypt usage the purpose requires):
2021-11-12 16:31:07.951 FINE org.forgerock.secrets.SecretBuilder build Constraint allowedKeyUsage=[encrypt] for purpose Purpose{'idm.jwt.session.module.encryption', DataEncryptionKey} is not satisfied by secret DataEncryptionKey{stableId=idm, expiryTime=2021-11-12T19:22:09.263651Z, factory=CryptoServiceFactory{provider=SunJCE version 11}, keyUsages=[sign, verify, wrap key, unwrap key]}
Recent Changes
Upgraded to, or installed IDM 7.1.
Imported a CA-signed certificate into the keystore.
Causes
IDM 7.1 introduced changes so that the keyUsage X.509 extension of a certificate is respected, ensuring the associated key is only used for its intended purpose. This error occurs when IDM cannot use a CA-signed certificate because the keyUsage constraints in that certificate are too restrictive for the purpose it is being loaded for. In the FINE log entry above, the idm.jwt.session.module.encryption purpose requires a key that is allowed to encrypt (the dataEncipherment usage), but the certificate only permits signing and key wrapping (digitalSignature and keyEncipherment), so the secret is rejected and the public key is reported as not found.
Prior to this release, the keyUsage extension was not checked.
Solution
This issue can be resolved by upgrading to IDM 7.1.2 or later; you can download this from Backstage.
Workaround
If you are using your own CA, reissue the certificate and include the dataEncipherment option in the keyUsage X.509 extension, or omit the keyUsage extension altogether (when the extension is absent, the key is not restricted to particular usages). You can then use this CA-signed certificate with IDM 7.1.
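The following is an added example, not ForgeRock or IDM code, that models the check described under Causes and the two workaround options above. It DER-encodes and decodes the RFC 5280 KeyUsage BIT STRING, maps the X.509 bits to the Secrets API key usages that appear in the FINE log line, and applies the "every allowed usage must be present" constraint. The mapping (digitalSignature to sign/verify, keyEncipherment to wrap key/unwrap key, dataEncipherment to encrypt/decrypt) is an assumption inferred from that log line, and the relaxed mode models only what the COMMONS-720 title states (wrap key accepted for encryption with RSA). The sample certificates are constructed inline; `03 02 05 a0` is the encoding you will see in `openssl x509 -text` or `keytool -list -v` output for a certificate carrying only digitalSignature and keyEncipherment.

```python
"""Model of the IDM 7.1 keyUsage constraint on keystore certificates.

Added example (not ForgeRock code). The X.509 -> Secrets API usage mapping
and the relaxed (COMMONS-720) behaviour are assumptions documented below.
"""

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of the
# first byte of the BIT STRING value.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

# Assumed mapping from X.509 keyUsage bits to the Secrets API usages seen in
# the FINE log entry (keyUsages=[sign, verify, wrap key, unwrap key]).
X509_TO_SECRETS_USAGE = {
    "digitalSignature": {"sign", "verify"},
    "keyEncipherment": {"wrap key", "unwrap key"},
    "dataEncipherment": {"encrypt", "decrypt"},
}
ALL_SECRETS_USAGES = set().union(*X509_TO_SECRETS_USAGE.values())


def encode_key_usage(names):
    """DER-encode a KeyUsage BIT STRING from RFC 5280 bit names."""
    bits = [KEY_USAGE_BITS[n] for n in names]
    if not bits:
        return b"\x03\x01\x00"  # empty BIT STRING
    highest = max(bits)
    value = bytearray(highest // 8 + 1)
    for b in bits:
        value[b // 8] |= 0x80 >> (b % 8)
    unused = len(value) * 8 - (highest + 1)  # DER: trailing zero bits dropped
    body = bytes([unused]) + bytes(value)
    return b"\x03" + bytes([len(body)]) + body


def decode_key_usage(der):
    """Parse a DER KeyUsage BIT STRING into the set of RFC 5280 bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length >= 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, value = der[2], der[3:]
    total_bits = len(value) * 8 - unused
    return {name for name, bit in KEY_USAGE_BITS.items()
            if bit < total_bits and value[bit // 8] & (0x80 >> (bit % 8))}


def secrets_usages(key_usage_der):
    """Secrets API usages implied by a certificate's KeyUsage extension.

    None means the extension is absent, which (per RFC 5280) leaves the key
    unrestricted; this is the second workaround option in the article.
    """
    if key_usage_der is None:
        return set(ALL_SECRETS_USAGES)
    usages = set()
    for name in decode_key_usage(key_usage_der):
        usages |= X509_TO_SECRETS_USAGE.get(name, set())
    return usages


def satisfies(allowed_key_usage, key_usage_der, relaxed=False):
    """IDM 7.1 check: every usage in allowedKeyUsage must be present.

    relaxed=True models the COMMONS-720 fix as described by its title:
    'wrap key' (keyEncipherment) also satisfies 'encrypt' for RSA keys.
    """
    have = secrets_usages(key_usage_der)
    if relaxed and "wrap key" in have:
        have.add("encrypt")
    return set(allowed_key_usage) <= have


# Constructed sample extensions (not taken from a real keystore).
CA_SIGNED = encode_key_usage(["digitalSignature", "keyEncipherment"])  # 03 02 05 a0
REISSUED = encode_key_usage(["digitalSignature", "keyEncipherment", "dataEncipherment"])
NO_EXTENSION = None

if __name__ == "__main__":
    purpose = ["encrypt"]  # Purpose idm.jwt.session.module.encryption
    for label, ext in (("CA-signed", CA_SIGNED), ("reissued", REISSUED),
                       ("no keyUsage ext", NO_EXTENSION)):
        print(f"{label:16} usages={sorted(secrets_usages(ext))} "
              f"7.1={satisfies(purpose, ext)} 7.1.2+={satisfies(purpose, ext, relaxed=True)}")
```

To inspect a real certificate, compare its keyUsage line from `keytool -list -v` or `openssl x509 -noout -text` against the bit names above: if the purpose you are loading it for needs encryption and dataEncipherment is absent, you are in the situation this article describes. When reissuing with openssl, add `dataEncipherment` to the `keyUsage` entry of the extensions file you pass to the signing command.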
See Also
Related Training
N/A
Related Issue Tracker IDs
COMMONS-720 (Secrets API should accept "wrap key" KeyUsage for DataEncryption with RSA)