Solutions

Secret store fails to start with Label must match regex exception in AM 6.5.x

Last updated Mar 11, 2020

This article helps you resolve a secret store that fails to start in AM when the logs show the following exceptions: "Could not load some secret stores" and "Label must match regex".


Symptoms

The following error is shown in the debug logs when the secret store fails to start:

Caused by: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
   at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
   at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
   at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
   ....
Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
   at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:258)
   at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
   at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:196)
   at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
   at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
   ...
Caused by: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
   at org.forgerock.util.Reject.ifFalse(Reject.java:183)
   at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
   at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
   at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
   at java.util.Optional.map(Optional.java:215)
   at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
   at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
   at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
   at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
   ... 124 more

Recent Changes

Configured a keystore secret store.

Changed the Store Password Secret ID or Entry Password Secret ID in an existing secret store.

Causes

The Store Password Secret ID or Entry Password Secret ID is in the wrong format, which causes the keystore secret store to fail. For example, your ID uses underscore (_) or hyphen (-) to separate strings rather than dots.

An RFE exists to improve validation to stop this happening in the future: OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.)

Solution

This issue can be resolved by changing the secret ID(s) to conform to the following regex pattern: 

[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*

Additionally, the secret ID must not start or end with a dot (.) nor can it contain two dots in a row.

See Setup and Maintenance Guide › To Configure a Keystore Secret Store for further information.
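
The following pre-check reports why a candidate secret ID would be rejected by the pattern above. It is an added example, not ForgeRock code; it assumes the whole ID must match the pattern, and the function name and sample IDs are constructed for illustration.

```python
import re

# Pattern quoted in the exception message and in the Solution section.
LABEL_RE = re.compile(r"[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*")


def check_secret_id(secret_id):
    """Return the reasons an ID would be rejected (empty list means valid)."""
    if not secret_id:
        return ["empty ID"]
    problems = []
    # Anything other than ASCII letters, digits and dots, e.g. '_' or '-'.
    bad = sorted({c for c in secret_id if not re.fullmatch(r"[a-zA-Z0-9.]", c)})
    if bad:
        problems.append("illegal character(s): " + " ".join(repr(c) for c in bad))
    if secret_id.startswith("."):
        problems.append("starts with a dot")
    if secret_id.endswith("."):
        problems.append("ends with a dot")
    if ".." in secret_id:
        problems.append("contains two dots in a row")
    return problems


def is_valid_secret_id(secret_id):
    """True when the entire ID matches the pattern."""
    return LABEL_RE.fullmatch(secret_id) is not None


if __name__ == "__main__":
    # Constructed sample IDs, not taken from any real deployment.
    samples = ["storepass", "am.keystore.entry", "store_pass",
               "entry-pass", ".storepass", "store..pass"]
    for sid in samples:
        problems = check_secret_id(sid)
        print(f"{sid!r}: " + ("OK" if not problems else "; ".join(problems)))
```

Running it against the values planned for Store Password Secret ID and Entry Password Secret ID before saving the configuration shows which character or dot placement needs changing.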

See Also

Setup and Maintenance Guide › Setting Up Secret Stores

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.)



Copyright © 2020 ForgeRock, all rights reserved.