
Resource exception: 500 Internal Server Error keeps happening in IDM/OpenIDM (All versions)

Last updated Sep 16, 2019

The purpose of this article is to provide assistance if you encounter "Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed" errors in IDM/OpenIDM.


Symptoms

The following error is shown on startup or after specific operations that affect users in the repository (such as a reconciliation or deleting a user):

WARNING: Resource exception: 500 Internal Server Error: "/password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed" 
org.forgerock.json.resource.InternalServerErrorException: /password: org.forgerock.json.crypto.JsonCryptoException: Decryption failed
   at org.forgerock.openidm.audit.util.RouterActivityLogger.log(RouterActivityLogger.java:133)
   at org.forgerock.openidm.managed.ManagedObjectSet.readInstance(ManagedObjectSet.java:859)
   at org.forgerock.json.resource.InterfaceCollectionInstance.handleRead(InterfaceCollectionInstance.java:60)
   at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:105)
   at org.forgerock.json.resource.Resources$CollectionInstanceIdContextFilter.filterRead(Resources.java:522)
   at org.forgerock.json.resource.FilterChain$Cursor.handleRead(FilterChain.java:103)
   at org.forgerock.json.resource.FilterChain.handleRead(FilterChain.java:252)
   at org.forgerock.json.resource.Router.handleRead(Router.java:333)

Note

The affected field is indicated in this error by the /password part just after "Resource exception: 500 Internal Server Error".

Recent Changes

The keystore has been updated.

Causes

Repository data was encrypted with a different key from the one now being used to decrypt it. The key in the keystore must not change between the data being encrypted and it being decrypted: once the symmetric key has been replaced or regenerated, any values that were encrypted with the old key can no longer be decrypted, and every read that touches such a value fails with "Decryption failed".

Solution

Note

If you want to change the encryption key, see How do I change the symmetric key in IDM 5.x, 6 and OpenIDM 4.x? for details on the recommended process to avoid future decryption issues.

This issue can be resolved by re-creating the data in the repository; this option is only feasible if you have a valid backup. You can use the following process to identify the data that has been encrypted with the wrong key.

Identifying data encrypted with the wrong key

One way of identifying data that has been encrypted with the wrong key is to look for fields that can no longer be decrypted, since any operation that tries to decrypt an attribute encrypted with a different key will fail. For example:

  1. Create a temporary onRetrieve script for managed users as follows (if a different field is noted in the error, replace password with the name of the affected field):
    // Temporary onRetrieve hook: attempt to decrypt the encrypted field and
    // log the userName of every object whose value cannot be decrypted.
    try {
      if (typeof object.password != 'undefined' && object.password != null) {
        // Throws JsonCryptoException ("Decryption failed") if the stored value
        // was encrypted with a key other than the one now in the keystore.
        openidm.decrypt(object.password);
      }
    }
    catch (e) {
      logger.warn("unable to decrypt " + object.userName);
    }
    
  2. Update the users section in the managed.json file (located in /path/to/idm/conf) to use this new script (called wrongKey.js in this example):
    "onRetrieve" : {
        "type" : "text/javascript",
        "file" : "wrongKey.js"
    },
    
  3. Use a query such as the following to return all objects; a warning message will show the userName of any users who have a password (or other field specified in step 1) that cannot be decrypted:
    $ curl -u openidm-admin:openidm-admin "http://localhost:8080/openidm/managed/user?_queryFilter=true&executeOnRetrieve=true&_prettyPrint=true"
    
  4. Remove the script and script hook added in steps 1 and 2.
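The procedure above, wired together as a small POSIX shell script. This is an added example and is not code from the ForgeRock article or from IDM itself. It assumes that steps 1 and 2 have already put the wrongKey.js hook in place, that IDM listens on http://localhost:8080 with the default openidm-admin account (both overridable through environment variables; in a real deployment use the actual admin password over HTTPS rather than the defaults over plain HTTP), and that the hook's logger.warn() output ends up in a log file that you pass to the scan; the exact log file location and surrounding log format are assumptions, only the "unable to decrypt <userName>" message written by the step-1 script is relied on.

```shell
#!/bin/sh
# Added example, not from the ForgeRock article: run the step-3 query, then pull
# the userNames flagged by the temporary wrongKey.js hook out of an IDM log file.
# Assumptions: IDM URL and admin credentials below (override via environment),
# and a log file containing the hook's "unable to decrypt <userName>" warnings.

IDM_URL="${IDM_URL:-http://localhost:8080}"
IDM_USER="${IDM_USER:-openidm-admin}"
IDM_PASSWORD="${IDM_PASSWORD:-openidm-admin}"

# Step 3 of the article: read every managed user with executeOnRetrieve=true so
# the onRetrieve hook runs once per object. Only the HTTP status is printed; the
# useful output is what the hook wrote to the log.
run_query() {
  curl -s -o /dev/null -w '%{http_code}\n' \
    -u "$IDM_USER:$IDM_PASSWORD" \
    "$IDM_URL/openidm/managed/user?_queryFilter=true&executeOnRetrieve=true"
}

# List the userNames flagged by the hook in the given log file. The hook logs
# exactly "unable to decrypt " followed by the userName, so everything after
# that prefix is taken as the name. Duplicates from repeated runs are collapsed.
undecryptable_users() {
  sed -n 's/.*unable to decrypt //p' "$1" | sort -u
}

# Offline demonstration on a constructed log excerpt (not a real IDM log): the
# query read several users and two of them hold a password encrypted with the
# old key; bjensen was read twice and must be reported once.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
INFO: Reconciliation completed
WARNING: unable to decrypt bjensen
WARNING: unable to decrypt scarter
WARNING: unable to decrypt bjensen
EOF
  undecryptable_users "$tmp"
  rm -f "$tmp"
}

case "$1" in
  query) run_query ;;            # ./wrongkey.sh query
  scan)  undecryptable_users "$2" ;;  # ./wrongkey.sh scan /path/to/idm/logs/openidm0.log.0
  *)     demo ;;                 # no arguments: run the offline demonstration
esac
```

Run `query` first so the hook executes for every managed user, then `scan` against the log file IDM writes to; the printed userNames are the records whose password field was encrypted with the old key and therefore need to be re-created from your backup. Remember to remove the hook (step 4) afterwards.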

See Also

Given final block not properly padded error when starting IDM/OpenIDM (All versions)

Finding org.forgerock.json.crypto.JsonCryptoException: Decryption failed errors in IDM/OpenIDM

How do I change the default keystore password in OpenIDM 4.x?

How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore?

How do I hash the password for openidm-admin before the first startup of IDM/OpenIDM (All versions)?

Integrator's Guide › Securing and Hardening Servers

Integrator's Guide › Configuring SSL with a JDBC Repository

Integrator's Guide › Clustering, Failover, and Availability

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright and TrademarksCopyright © 2019 ForgeRock, all rights reserved.