Secret store fails to start with Label must match regex exception in AM 6.5.0.x, 6.5.1 and 6.5.2.x
The purpose of this article is to provide assistance if a secret store fails to start in AM and you see the following exceptions in the logs: "Could not load some secret stores" and "Label must match regex".
Symptoms
The following error is shown in the debug logs when the secret store fails to start:
Caused by: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050) at com.google.common.cache.LocalCache.get(LocalCache.java:3952) at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974) .... Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:258) at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227) at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:196) at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165) at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528) ... Caused by: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)* at org.forgerock.util.Reject.ifFalse(Reject.java:183) at org.forgerock.secrets.Purpose.<init>(Purpose.java:91) at org.forgerock.secrets.Purpose.purpose(Purpose.java:103) at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136) at java.util.Optional.map(Optional.java:215) at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136) at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50) at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38) at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245) ... 124 moreRecent Changes
Configured a keystore secret store.
Changed the Store Password Secret ID or Entry Password Secret ID in an existing secret store.
Causes
The Store Password Secret ID or Entry Password Secret ID is in the wrong format, which causes the keystore secret store to fail. For example, your ID uses underscore (_) or hyphen (-) to separate strings rather than dots.
An RFE exists to improve validation to stop this happening in the future: OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.) This has been resolved in AM 6.5.3 and later.
Solution
This issue can be resolved by upgrading to AM 6.5.3 or later; you can download this from BackStage.
Workaround
You can workaround this issue by changing the secret ID(s) to conform to the following regex pattern:
[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*Additionally, the secret ID must not start or end with a dot (.) nor can it contain two dots in a row.
See Setup and Maintenance Guide › To Configure a Keystore Secret Store for further information.
See Also
Related Training
N/A
Related Issue Tracker IDs
OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.)