Solutions
ForgeRock Identity Platform
Does not apply to Identity Cloud

Secret store fails to start with Label must match regex exception in AM 6.5.0.x, 6.5.1 and 6.5.2.x

Last updated Mar 23, 2021

The purpose of this article is to provide assistance if a secret store fails to start in AM and you see the following exception in the logs: "Label must match regex". This will be accompanied by "Could not load some secret stores" or "Failed to load secret store" errors.


Symptoms

One of the following errors is shown in the debug logs when the secret store fails to start:

  • Could not load some secret stores:

      Caused by: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
          at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
          at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
          at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
          ....
      Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
          at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:258)
          at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
          at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:196)
          at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
          at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
          ...
      Caused by: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
          at org.forgerock.util.Reject.ifFalse(Reject.java:183)
          at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
          at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
          at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
          at java.util.Optional.map(Optional.java:215)
          at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
          at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
          at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
          at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
          ... 124 more

  • Failed to load secret store:

      org.forgerock.openam.secrets.Secrets:03/23/2021 10:07:18:480 AM UTC: Thread[http-nio-8080-exec-61,5,main]: TransactionId[1a997a76-4c50-49c9-97eb-0ca22a0248ca-217] Failed to load secret store keystore-name using the currently available secrets
      java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
          at org.forgerock.util.Reject.ifFalse(Reject.java:183)
          at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
          at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
          at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
          at java.util.Optional.map(Optional.java:215)
          at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
          at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
          at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
          at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
          at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
          at org.forgerock.openam.secrets.Secrets.loadGlobalSecretStores(Secrets.java:192)
          ...
      org.forgerock.openam.secrets.Secrets:03/23/2021 10:07:18:489 AM UTC: Thread[http-nio-8080-exec-61,5,main]: TransactionId[1a997a76-4c50-49c9-97eb-0ca22a0248ca-217] ERROR: Unable to load all configured secret stores, last failure was: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
          at org.forgerock.util.Reject.ifFalse(Reject.java:183)
          at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
          at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
          at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
          at java.util.Optional.map(Optional.java:215)

    Where keystore-name shown in this example log is the name of your keystore (for example, keystore-name.jks).

Recent Changes

Configured a keystore secret store.

Changed the Store Password Secret ID or Entry Password Secret ID in an existing secret store.

Causes

The Store Password Secret ID, Entry Password Secret ID or keystore name is in the wrong format, which causes the keystore secret store to fail. For example, your ID or name uses underscore (_) or hyphen (-) to separate strings rather than dots.

Solution

This issue can be resolved by upgrading to AM 6.5.3 or later; you can download this from BackStage.

Workaround

You can work around this issue by changing the secret ID(s) and/or keystore name to conform to the following regex pattern:

[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*

Additionally, secret IDs and keystore names must not start or end with a dot (.) nor can they contain two dots in a row.
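
A pre-flight check for the workaround above, as an added example that is not part of the original article or ForgeRock's code: it tests candidate secret IDs and keystore names against the regex from the exception, reports why each one fails, and proposes a dot-separated replacement. The function names and sample labels are constructed for illustration.

```python
import re

# Pattern quoted in the AM exception message. fullmatch() requires the whole
# label to conform, so a trailing newline or stray character is rejected.
LABEL_RE = re.compile(r"[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*")


def diagnose(label):
    """Return the reasons a label violates the pattern (empty list if valid)."""
    if LABEL_RE.fullmatch(label):
        return []
    if not label:
        return ["empty label"]
    problems = []
    if label.startswith("."):
        problems.append("starts with a dot")
    if label.endswith("."):
        problems.append("ends with a dot")
    if ".." in label:
        problems.append("contains two dots in a row")
    for pos, ch in enumerate(label):
        # Only ASCII letters, ASCII digits and the dot separator are allowed.
        if ch != "." and not (ch.isascii() and ch.isalnum()):
            problems.append(f"disallowed character {ch!r} at offset {pos}")
    return problems


def suggest(label):
    """Propose a conforming label: runs of separators become one dot, edges trimmed."""
    candidate = re.sub(r"[^a-zA-Z0-9]+", ".", label).strip(".")
    return candidate if LABEL_RE.fullmatch(candidate) else None


def report(labels):
    """Map each label to (problems, suggested replacement)."""
    return {label: (diagnose(label), suggest(label)) for label in labels}


# Constructed sample labels (hypothetical, not taken from any real deployment).
SAMPLES = ["storepass", "am.secrets.store.pass", "store_pass",
           "entry-pass", ".storepass", "store..pass"]

if __name__ == "__main__":
    for label, (problems, fix) in report(SAMPLES).items():
        if problems:
            print(f"FAIL {label!r}: {'; '.join(problems)} -> try {fix!r}")
        else:
            print(f"OK   {label!r}")
```

The suggested value is only a candidate; whatever name you settle on has to be used consistently wherever the old ID or keystore name was referenced.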

See Setup and Maintenance Guide › To Configure a Keystore Secret Store for further information.

See Also

Setup and Maintenance Guide › Setting Up Secret Stores

Related Training

N/A

Related Issue Tracker IDs

OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.)



Copyright © 2021 ForgeRock, all rights reserved.