Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Login page fails to load with HTTP 500 response in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to provide assistance if the login page (/json/root/authenticate endpoint) does not load in AM. You may also see an HTTP 500 response. This issue can occur after upgrading AM.


Symptoms

When accessing the root realm login page using a URL such as: https://am.example.com:8443/am/XUI/#login/, the page does not load and displays a Loading... message.

The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file:

HTTP 500 - Internal Server Error

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM?

Additionally, you will notice that the iplanet-am-auth-hmac-signing-shared-secret attribute shows a cleartext value in the Authentication logs, for example:

iplanet-am-auth-hmac-signing-shared-secret=sharedSecret

Recent Changes

Upgraded AM to a later version.

Causes

The Organization Authentication Signing Secret does not meet the criteria of being base64 encoded and at least 128 bits long, which causes the user interface to become unstable.

This issue can also occur if you have upgraded from an earlier version with a non-compliant value.

Solution

This issue can be resolved by updating the shared secret to meet the required criteria:

  1. Generate a random string that is at least 128 bits long and base64 encoded. For example, you could use the DS base64 tool to do this.
  2. Update the shared secret on one AM instance using either the AM admin UI, Amster or ssoadm:
    • AM admin UI: navigate to: Realms > Top Level Realm / > Authentication > Settings > Security > Organization Authentication Signing Secret and paste in the string you generated in step 1.
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: Authentication
      • Property: sharedSecret
    • ssoadm: enter the following command, replacing [adminID], [passwordfile] and [sharedSecret] with appropriate values, where [sharedSecret] is the string you generated in step 1:
      $ ./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] -s iPlanetAMAuthService -e / -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret]
  3. Restart all web application containers in which your AM instances run to apply these configuration changes.
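
The following shell functions are an added example, not part of the original article or of ForgeRock's tooling: they generate a candidate value for step 1 and check an existing value against the criteria in the Causes section before you paste it into AM. They assume "at least 128 bit" means the base64-decoded value is at least 16 bytes long, and that GNU coreutils (head, base64, wc) and grep are available; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: generate and validate an Organization Authentication
# Signing Secret. Assumption: the 128-bit minimum applies to the decoded bytes.
MIN_BYTES=16   # 128 bits

# Generate 32 random bytes (256 bits) from the kernel CSPRNG, base64 encoded.
gen_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Print the decoded length in bytes; return 1 if the value is not
# well-formed standard base64 (wrong alphabet, bad padding, or empty).
secret_bytes() {
    printf '%s' "$1" | grep -Eq \
        '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' || return 1
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# Return 0 if compliant, 1 if not base64, 2 if shorter than 128 bits.
check_secret() {
    n=$(secret_bytes "$1") || { echo "FAIL: not base64 encoded"; return 1; }
    if [ "$n" -lt "$MIN_BYTES" ]; then
        echo "FAIL: only $((n * 8)) bits after decoding"
        return 2
    fi
    echo "OK: $((n * 8)) bits"
}

# Usage: ./check-secret.sh '<value>' to validate an existing value.
# Avoid passing a production secret on a shared host, where the command
# line is visible in the process list and shell history.
if [ "$#" -gt 0 ]; then
    check_secret "$1"
fi
```

A value can consist entirely of base64 characters and still fail: a 12-character string decodes to only 72 bits, so both checks are needed.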

See Also

Security

base64 — encode and decode base64 strings


Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.