JCEEncryption:: failed to decrypt data error when accessing the admin console in OpenAM 13.x

Last updated Jan 5, 2021

The purpose of this article is to provide assistance if you encounter an "ERROR: JCEEncryption:: failed to decrypt data" when accessing the OpenAM console.


This article has been archived and is no longer maintained by ForgeRock.


The following error is shown in the IdRepo debug log when this happens:

amSDK:01/28/2016 10:37:25:166 AM JST: Thread[localhost-startStop-1,5,main]: TransactionId[b3fea1eb-aaad-4d20-9b66-941b90e78ad8-2] ERROR: JCEEncryption:: failed to decrypt data javax.crypto.BadPaddingException: Given final block not properly padded at com.sun.crypto.provider.CipherCore.doFinal( at com.sun.crypto.provider.CipherCore.doFinal( at com.sun.crypto.provider.PBES1Core.doFinal( at com.sun.crypto.provider.PBEWithMD5AndDESCipher.engineDoFinal( at javax.crypto.Cipher.doFinal( at at at at at at

You may see the following message in the browser when accessing the OpenAM console:

Authentication service is not initialized. Contact your system administrator.

You may also notice "ERROR: JCEEncryption:: Unsupported version: -98" errors in the IdRepo log. This is a known issue: OPENAM-3009 (IdRepo - JCEEncryption 98 ). If you are not experiencing any functional problems, you can safely ignore these messages.

Recent Changes

Upgraded to OpenAM 13. 


This error can occur for one of the following reasons depending on your version of OpenAM:

  • OpenAM 13.0 only: When OpenAM starts, the configuration manager (DSConfigMgr) is first initialized with the password values from the bootstrap file; these are used as placeholders and are encrypted with the bootstrap encryption key. The actual server configuration is subsequently loaded from the OpenDJ config store, the JCEEncryption password is set to the correct value for this site and the encryption key is updated to the one specified in the AM_ENC_KEY property (set when you configure OpenAM). DSConfigMgr is then reinitialized to a new instance with the actual configuration data. However, since the SMS ServerConfigurationFactory caches the DSConfigMgr instance when it is first requested, it's a race as to which version of the configuration manager is retrieved. If the first copy is retrieved with the placeholder passwords, OpenAM is unable to decrypt the passwords from the actual configuration since it is using the wrong encryption key. This is a known issue: OPENAM-8214 (JCEEncryption errors are recorded during/after upgrading to 13).
  • All versions of OpenAM: The encryption key is corrupt, which means the directory manager's password (which is stored in the bootstrap file) cannot be decrypted. The encryption key is specified in the AM_ENC_KEY property when you configure OpenAM.


The solution depends on your version of OpenAM.

OpenAM 13.0

You should first ensure your encryption key is correct using one of the following approaches:

If you still see the error after restarting the web application container in which OpenAM runs, it means you are encountering the known issue. This can be resolved by upgrading to OpenAM 13.5 or later; you can download this from BackStage.

Other versions of OpenAM

You should correct your encryption key using one of the following options:


Restarting the web application container in which OpenAM runs will clear the "Authentication service is not initialized. Contact your system administrator." message shown in the browser.

See Also

How do I re-create a bootstrap file for OpenAM 13.x if the bootstrap file has become corrupt?

FAQ: Upgrading AM

OpenAM Installation Guide › Removing OpenAM Software

Related Training


Related Issue Tracker IDs

OPENAM-8215 (Guice provision errors during upgrade to 13)

OPENAM-8214 (JCEEncryption errors are recorded during/after upgrading to 13)

OPENAM-3009 (IdRepo - JCEEncryption 98 )

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.