ForgeRock Identity Platform
Does not apply to Identity Cloud

Resource exception: 500 Internal Server Error keeps happening in IDM (All versions)

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you encounter "Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed" errors in IDM.


The following error is shown on startup or after specific operations that affect users in the repository (such as a reconciliation or deleting a user):

WARNING: Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed"
org.forgerock.json.resource.InternalServerErrorException: /password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
    at org.forgerock.openidm.audit.util.RouterActivityLogger.log(
    at org.forgerock.openidm.managed.ManagedObjectSet.readInstance(
    at org.forgerock.json.resource.InterfaceCollectionInstance.handleRead(
    at org.forgerock.json.resource.FilterChain$Cursor.handleRead(
    at org.forgerock.json.resource.Resources$CollectionInstanceIdContextFilter.filterRead(
    at org.forgerock.json.resource.FilterChain$Cursor.handleRead(
    at org.forgerock.json.resource.FilterChain.handleRead(
    at org.forgerock.json.resource.Router.handleRead(

The affected field is named in this error by the /password part immediately after "Resource exception: 500 Internal Server Error"; a different field name there means a different attribute is affected.

Recent Changes

The keystore has been updated.


Repository data was encrypted with a different key from the one now being used to decrypt it. The key in the keystore must not be changed between the data being encrypted and it being decrypted, otherwise every read of the encrypted field fails as shown above.



If you want to change the encryption key, see Encryption key management (IDM 6.5 and later) or How do I change the symmetric key in IDM 6? for details on the recommended process to avoid future decryption issues.

This issue can be resolved by re-creating the affected data in the repository; this option is only feasible if you have a valid backup. You can use the following process to identify which data has been encrypted with the wrong key.

Identifying data encrypted with the wrong key

One way of identifying data that has been encrypted with the wrong key is to look for fields that can no longer be decrypted, since any operation that tries to decrypt an attribute encrypted with a different key will fail. For example:

  1. Create a temporary onRetrieve script for managed users as follows (if a different field is noted in the error, replace password with the name of the affected field):

       try {
         if (typeof object.password != 'undefined' && object.password != null) {
           openidm.decrypt(object.password);
         }
       } catch (e) {
         logger.warn("unable to decrypt " + object.userName);
       }

  2. Update the users section in the managed.json file (located in /path/to/idm/conf) to use this new script (called wrongKey.js in this example):

       "onRetrieve" : {
         "type" : "text/javascript",
         "file" : "wrongKey.js"
       },

  3. Use a query such as the following to return all objects; a warning message will show the userName of any users who have a password (or other field specified in step 1) that cannot be decrypted:

       $ curl -u openidm-admin:openidm-admin "http://localhost:8080/openidm/managed/user?_queryFilter=true&executeOnRetrieve=true&_prettyPrint=true"

  4. Remove the script and script hook added in steps 1 and 2.
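As an added example (not the article's own script), the check from step 1 generalised to every encrypted field in the object rather than one hard-coded attribute: it walks the managed object, tries the supplied decrypt function on each value carrying IDM's $crypto marker, and returns the paths that fail, so the warning names the field as well as the user. The $crypto layout, the decrypt stub and the sample user are constructed assumptions; inside IDM you would pass openidm.decrypt and logger.warn instead of the stubs.

```javascript
// Added example, not the article's script: a generalised onRetrieve check that
// walks a whole managed object and reports every field holding an IDM "$crypto"
// value that the supplied decrypt function rejects. Assumes the $crypto layout
// sketched below; in IDM pass openidm.decrypt and logger.warn instead of the
// stubs used here. ES5 syntax so it also runs under IDM's script engine.
function findUndecryptableFields(object, decrypt, path) {
  path = path || "";
  var failed = [];
  if (object === null || typeof object !== "object") { return failed; }
  if (object.$crypto !== undefined) {        // encrypted leaf: try to decrypt it
    try { decrypt(object); } catch (e) { failed.push(path || "/"); }
    return failed;
  }
  var keys = Object.keys(object);            // plain object: recurse into children
  for (var i = 0; i < keys.length; i++) {
    failed = failed.concat(
      findUndecryptableFields(object[keys[i]], decrypt, path + "/" + keys[i]));
  }
  return failed;
}

// What wrongKey.js would do per user: one warning per undecryptable field,
// naming the field so the operator knows which attribute to restore.
function reportUser(object, decrypt, warn) {
  var bad = findUndecryptableFields(object, decrypt);
  for (var i = 0; i < bad.length; i++) {
    warn("unable to decrypt " + bad[i] + " for " + object.userName);
  }
  return bad;
}

// Constructed sample data and stubs (no real key material). The stub simulates a
// key changed under the same alias: only ciphertexts made with the current key decrypt.
var DECRYPTABLE = { "ct-new-1": true, "ct-new-2": true };
function encrypted(ciphertext) {
  return { $crypto: { type: "x-simple-encryption", value: {
    cipher: "AES/CBC/PKCS5Padding", key: "openidm-sym-default", data: ciphertext } } };
}
function stubDecrypt(value) {
  if (!DECRYPTABLE[value.$crypto.value.data]) {
    throw new Error("org.forgerock.json.crypto.JsonCryptoException: Decryption failed");
  }
  return "plaintext";
}
var sampleUser = {
  _id: "bjensen", userName: "bjensen",
  password: encrypted("ct-old-7"),           // written before the key change
  securityAnswers: { q1: encrypted("ct-new-1"), q2: encrypted("ct-old-9") }
};
reportUser(sampleUser, stubDecrypt, function (m) { console.log("WARNING: " + m); });
```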

See Also

Given final block not properly padded error when starting IDM (All versions)

Finding org.forgerock.json.crypto.JsonCryptoException: Decryption failed errors in IDM (All versions)

How do I update the certificate alias for the signing key in the AM (All versions) keystore?



IDM in a cluster

Copyright and Trademarks

Copyright © 2023 ForgeRock, all rights reserved.