Login page fails to load with HTTP 500 response in AM (All versions)

Last updated May 22, 2020

The purpose of this article is to provide assistance if the XUI login page (/json/root/authenticate endpoint) does not load in AM. You may also see an HTTP 500 response. This issue can occur after upgrading or installing AM.


Symptoms

When accessing the root realm XUI login page using a URL such as: http://host1.example.com:18080/openam/XUI/#login/, the page does not load and displays a Loading... message.  

The following response is shown if you examine network traffic using your browser's Developer Tools or capture a HAR file: 

HTTP 500 - Internal Server Error

You can capture a HAR file as described in: How do I create a HAR file for troubleshooting AM/OpenAM (All versions)?

Additionally, you will notice that the iplanet-am-auth-hmac-signing-shared-secret attribute shows a cleartext value in the Authentication logs, for example:

iplanet-am-auth-hmac-signing-shared-secret=sharedSecret

Recent Changes

Upgraded to AM 5 or later.

Installed AM 5, 5.5 or 5.5.1.

Updated Organization Authentication Signing Secret in AM 5, 5.5 or 5.5.1.

Causes

The Organization Authentication Signing Secret does not meet the criteria of being base64 encoded and at least 128 bit, which causes the XUI to become unstable. In pre-AM 5.5.2, there was no validation for this attribute, which meant a non-compliant value could be set: OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret').

This issue can still occur in later AM versions if you have upgraded from an earlier version with a non-compliant value.

Solution

This issue can be resolved by updating the shared secret to meet the required criteria:

  1. Generate a random string that is at least 128 bit and base64 encoded. For example, you could use the DS base64 tool to do this. 
  2. Update the shared secret on one AM instance using either the console, Amster or ssoadm:
    • Console: navigate to: Realms > Top Level Realm / > Authentication > Settings > Security > Organization Authentication Signing Secret and paste in the string you generated in step 1.
    • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
      • Entity: Authentication
      • Property: sharedSecret
    • ssoadm: enter the following command:
      $ ./ssoadm set-realm-svc-attrs -u [adminID] -f [passwordfile] -s iPlanetAMAuthService -e / -a iplanet-am-auth-hmac-signing-shared-secret=[sharedSecret]
      
      replacing [adminID], [passwordfile] and [sharedSecret] with appropriate values, where [sharedSecret] is the string you generated in step 1.
  3. Restart all web application containers in which your AM instances run to apply these configuration changes.
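A small shell helper, added here as an example and not part of the ForgeRock article, that produces a secret meeting the criteria in step 1 and checks a candidate value before you set it in step 2. It assumes /dev/urandom and the coreutils base64 command are available in place of the DS base64 tool named above.

```shell
#!/bin/sh
# Added example, not ForgeRock's code. Generates and validates an
# Organization Authentication Signing Secret: base64 encoded, at least
# 128 bit (16 bytes) of random data. Assumes /dev/urandom and base64.

# Print 16 random bytes (128 bit), base64 encoded (24 characters, "==" padded).
generate_signing_secret() {
    head -c 16 /dev/urandom | base64
}

# Return 0 if "$1" is well-formed base64 that decodes to at least 16 bytes,
# 1 otherwise. A cleartext value such as "sharedSecret", as seen in the
# Authentication logs, is valid base64 but only 9 bytes, so it is rejected.
check_signing_secret() {
    secret="$1"
    case "$secret" in
        "") return 1 ;;                      # empty
        *[!A-Za-z0-9+/=]*) return 1 ;;       # outside the base64 alphabet
        *=*[A-Za-z0-9+/]*) return 1 ;;       # '=' padding must be at the end
        *===*) return 1 ;;                   # at most two padding characters
    esac
    len=${#secret}
    [ $((len % 4)) -eq 0 ] || return 1       # base64 length is a multiple of 4
    # Confirm a real decoder accepts the value as well.
    printf '%s' "$secret" | base64 -d >/dev/null 2>&1 || return 1
    pad=0
    case "$secret" in *==) pad=2 ;; *=) pad=1 ;; esac
    bytes=$(( len / 4 * 3 - pad ))           # decoded length in bytes
    [ "$bytes" -ge 16 ]
}

# Usage: generate a secret, verify it, then paste it into the console, Amster
# or the ssoadm command shown in step 2.
if [ "${1:-}" = "--run" ]; then
    s=$(generate_signing_secret)
    check_signing_secret "$s" && printf 'New signing secret: %s\n' "$s"
fi
```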

See Also

AM Authentication and Single Sign-On Guide › Security

DS Reference › base64 — encode and decode base64 strings

Related Training

N/A

Related Issue Tracker IDs

OPENAM-8264 (insufficient validator for service property 'iplanet-am-auth-hmac-signing-shared-secret')



Copyright and Trademarks: Copyright © 2020 ForgeRock, all rights reserved.