When accessing the root realm XUI login page using a URL such as: http://host1.example.com:18080/openam/XUI/#login/, the page does not load and displays a Loading... message.
The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file:
HTTP 500 - Internal Server Error
You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM/OpenAM (All versions)?
Additionally, you will notice that the iplanet-am-auth-hmac-signing-shared-secret attribute shows a cleartext value in the Authentication logs, for example:
iplanet-am-auth-hmac-signing-shared-secret=sharedSecret
- Upgraded to AM 5 or later.
- Installed AM 5, 5.5 or 5.5.1.
- Updated Organization Authentication Signing Secret in AM 5, 5.5 or 5.5.1.
The Organization Authentication Signing Secret does not meet the criteria of being base64 encoded and at least 128 bits long, which causes the XUI to become unstable. In AM versions prior to 5.5.2, there was no validation for this attribute, which meant a non-compliant value could be set: OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret').
This issue can still occur in later AM versions if you have upgraded from an earlier version with a non-compliant value.
This issue can be resolved by updating the shared secret to meet the required criteria:
- Generate a random string that is at least 128 bits long and base64 encoded. For example, you could use the DS base64 tool to do this.
- Update the shared secret on one AM instance using either the console, Amster or ssoadm:
  - Console: navigate to: Realms > Top Level Realm / > Authentication > Settings > Security > Organization Authentication Signing Secret and paste in the string you generated in step 1.
  - Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    - Entity: Authentication
    - Property: sharedSecret
  - ssoadm: enter the following command, replacing [adminID], [passwordfile] and [sharedSecret] with appropriate values, where [sharedSecret] is the string you generated in step 1:
    $ ./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] -s iPlanetAMAuthService -e / -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret]
- Restart all web application containers in which your AM instances run to apply these configuration changes.
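As an added example (not part of this article and not ForgeRock's own validator code), the following Python checks a candidate value against the two criteria above (valid base64, at least 128 bits once decoded), generates a compliant secret, and assembles the ssoadm command from step 2; the [adminID] and [passwordfile] placeholders are kept as in the article.

```python
import base64
import binascii
import secrets

# Minimum size of the Organization Authentication Signing Secret once
# base64-decoded: 128 bits = 16 bytes (the criterion stated in the article).
MIN_SECRET_BITS = 128


def is_compliant_signing_secret(value: str) -> bool:
    """True if value is strict base64 and decodes to at least 128 bits.

    Assumption: this reproduces the article's two criteria, not AM's
    internal validator.
    """
    try:
        # validate=True rejects characters outside the base64 alphabet;
        # missing or wrong padding raises binascii.Error as well.
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) * 8 >= MIN_SECRET_BITS


def generate_signing_secret(nbytes: int = 16) -> str:
    """Return a random base64-encoded secret of nbytes (default 16 = 128 bits)."""
    if nbytes * 8 < MIN_SECRET_BITS:
        raise ValueError("secret must be at least 128 bits")
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def ssoadm_command(shared_secret: str) -> str:
    """Build the article's ssoadm invocation, refusing a non-compliant secret."""
    if not is_compliant_signing_secret(shared_secret):
        raise ValueError("shared secret is not base64 or is shorter than 128 bits")
    return (
        "./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] "
        "-s iPlanetAMAuthService -e / "
        f"-a iplanet-am-auth-hmac-signing-shared-secret={shared_secret}"
    )


if __name__ == "__main__":
    # "sharedSecret" is the non-compliant value from the article's log line:
    # it is valid base64 but decodes to only 9 bytes (72 bits).
    for candidate in ("sharedSecret", generate_signing_secret()):
        print(f"{candidate!r}: compliant={is_compliant_signing_secret(candidate)}")
```

Run it against the value currently stored in your instance before restarting containers to confirm the new secret actually satisfies the check.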