Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

No secret with id storepass for purpose storepass errors after upgrading to AM 6.5.x or 7.x

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you encounter "No secret with id storepass for purpose storepass" errors after upgrading AM. You may also encounter this error with a new install.


Symptoms

After successfully upgrading or installing AM, your servers start up but you encounter the following error on one or more of your upgraded/new servers:

Caused by: org.forgerock.secrets.NoSuchSecretException: No secret with id storepass for purpose storepass
   at org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore.lambda$getNamed$2(PropertyResolverSecretStore.java:109)
   at java.base/java.util.Optional.orElseGet(Optional.java:369)
   at org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore.getNamed(PropertyResolverSecretStore.java:107)
   at org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore.getActive(PropertyResolverSecretStore.java:96)

You may also notice this error occurring in a number of situations, such as when trying to retrieve an OIDC token or an OAuth2 access token.

Recent Changes

Upgraded to AM 6.5 or later.

Installed AM 6.5 or later. 

Causes

AM cannot load secrets from the keystore on one or more of your upgraded/new servers. 

Typically, this issue occurs after an upgrade if secret stores have not been redeployed to all upgraded servers within your site. The upgrade process only creates the relevant secret store files on the AM instance where you performed the upgrade. After upgrading, you will need to make secrets available to other servers in the site as described in the Upgrade Guide › Configuring Secret Stores After Upgrade.

This can also occur on a new install if you did not follow all the steps in the Installation Guide › To Add a Server to a Site to make the keystore and secret store directory infrastructure available. 

Solution

This issue can be resolved as follows depending on whether you are doing an upgrade or a new install:

  • Upgrade: Follow the steps in the Upgrade Guide › Configuring Secret Stores After Upgrade. In essence, you must:
    1. Copy the following keystores and directories from the server on which you performed the upgrade to all other servers in the site:
         /path/to/openam/openam/keystore.jceks
         /path/to/openam/openam/.storepass
         /path/to/openam/openam/.keypass
         /path/to/openam/secrets/encrypted/storepass
         /path/to/openam/secrets/encrypted/entrypass
    2. Check the permissions to make sure that the user who starts AM can also read these files/directories.
    3. Restart the web application container in which AM runs to apply these changes.
  • New install: Follow the steps in the Installation Guide › To Add a Server to a Site and ensure you complete steps 10 and 11 to make all the keystore and secret store infrastructure available.
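
A check for steps 1 and 2 of the upgrade procedure above, as an added example (not ForgeRock's own tooling): run as the OS user that starts AM on each server in the site, it reports which of the five listed files are missing or unreadable. The function name, the base-directory argument and the extra warning for files readable by every local account are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the copied keystore and secret store files on one AM server.
# Run it as the OS user that starts AM, e.g.:  sh check_am_secrets.sh /path/to/openam
# Relative paths below are the ones listed in step 1, under the base directory.

AM_SECRET_FILES="openam/keystore.jceks
openam/.storepass
openam/.keypass
secrets/encrypted/storepass
secrets/encrypted/entrypass"

# Prints one line per finding.
# Returns the number of files that are missing or unreadable (0 = AM can load them).
check_am_secret_files() {
  base=$1
  problems=0
  for rel in $AM_SECRET_FILES; do
    path="$base/$rel"
    if [ ! -e "$path" ]; then
      echo "MISSING     $path"
      problems=$((problems + 1))
    elif [ ! -r "$path" ]; then
      echo "UNREADABLE  $path (as user $(id -un))"
      problems=$((problems + 1))
    elif [ -n "$(find "$path" -prune -perm -004)" ]; then
      # AM can read it, but so can every other local account (warning only).
      echo "WORLD-READ  $path"
    fi
  done
  return "$problems"
}

# Only runs when a base directory is given on the command line.
if [ $# -ge 1 ]; then
  check_am_secret_files "$1" && echo "OK: all five files are present and readable"
fi
```

A non-zero exit status is the number of files to recopy or re-permission before restarting the container.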

See Also

Secret store fails to start with Label must match regex exception in AM 6.5.0.x, 6.5.1 and 6.5.2.x

Upgrade Guide

Installation Guide › Configuring Sites and Adding Servers to Sites

Security Guide › Configuring Secrets, Certificates, and Keys

Related Training

N/A

Related Issue Tracker IDs

N/A



Copyright © 2021 ForgeRock, all rights reserved.