Secret store fails to start with Label must match regex exception in AM 6.5.0.x, 6.5.1 and 6.5.2.x
The purpose of this article is to provide assistance if a secret store fails to start in AM and you see the following exception in the logs: "Label must match regex". This will be accompanied by "Could not load some secret stores" or "Failed to load secret store" errors.
Symptoms
One of the following errors is shown in the debug logs when the secret store fails to start:
- Could not load some secret stores:
  Caused by: com.google.common.util.concurrent.UncheckedExecutionException: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
      at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2050)
      at com.google.common.cache.LocalCache.get(LocalCache.java:3952)
      at com.google.common.cache.LocalCache.getOrLoad(LocalCache.java:3974)
      ....
  Caused by: org.forgerock.openam.secrets.SecretInitialisationException: Could not load some secret stores
      at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:258)
      at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
      at org.forgerock.openam.secrets.Secrets.loadRealmSecrets(Secrets.java:196)
      at com.google.common.cache.CacheLoader$FunctionToCacheLoader.load(CacheLoader.java:165)
      at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3528)
      ...
  Caused by: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
      at org.forgerock.util.Reject.ifFalse(Reject.java:183)
      at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
      at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
      at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
      at java.util.Optional.map(Optional.java:215)
      at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
      at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
      at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
      at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
      ... 124 more
- Failed to load secret store:
  org.forgerock.openam.secrets.Secrets:03/23/2021 10:07:18:480 AM UTC: Thread[http-nio-8080-exec-61,5,main]: TransactionId[1a997a76-4c50-49c9-97eb-0ca22a0248ca-217]
  Failed to load secret store keystore-name using the currently available secrets
  java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
      at org.forgerock.util.Reject.ifFalse(Reject.java:183)
      at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
      at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
      at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
      at java.util.Optional.map(Optional.java:215)
      at org.forgerock.openam.secrets.config.KeyStoreSecretStore.createStore(KeyStoreSecretStore.java:136)
      at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:50)
      at org.forgerock.openam.secrets.config.KeyStoreBasedSecretStoreProvider.getStore(KeyStoreBasedSecretStoreProvider.java:38)
      at org.forgerock.openam.secrets.Secrets.resolveSecretStores(Secrets.java:245)
      at org.forgerock.openam.secrets.Secrets.loadSecretStores(Secrets.java:227)
      at org.forgerock.openam.secrets.Secrets.loadGlobalSecretStores(Secrets.java:192)
      ...
  org.forgerock.openam.secrets.Secrets:03/23/2021 10:07:18:489 AM UTC: Thread[http-nio-8080-exec-61,5,main]: TransactionId[1a997a76-4c50-49c9-97eb-0ca22a0248ca-217]
  ERROR: Unable to load all configured secret stores, last failure was: java.lang.IllegalArgumentException: Label must match regex: [a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
      at org.forgerock.util.Reject.ifFalse(Reject.java:183)
      at org.forgerock.secrets.Purpose.<init>(Purpose.java:91)
      at org.forgerock.secrets.Purpose.purpose(Purpose.java:103)
      at org.forgerock.openam.secrets.config.KeyStoreSecretStore.lambda$createStore$2(KeyStoreSecretStore.java:136)
      at java.util.Optional.map(Optional.java:215)
Where keystore-name shown in this example log is the name of your keystore (for example, keystore-name.jks).
Recent Changes
Configured a keystore secret store.
Changed the Store Password Secret ID or Entry Password Secret ID in an existing secret store.
Causes
The Store Password Secret ID, Entry Password Secret ID or keystore name is in the wrong format, which causes the keystore secret store to fail. For example, your ID or name uses an underscore (_) or a hyphen (-) to separate strings rather than dots.
Solution
This issue can be resolved by upgrading to AM 6.5.3 or later; you can download this from Backstage.
Workaround
You can work around this issue by changing the secret ID(s) and/or keystore name to conform to the following regex pattern:
[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*
Additionally, secret IDs and keystore names must not start or end with a dot (.), nor can they contain two dots in a row.
See To Configure a Keystore Secret Store for further information.
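To check names before changing the configuration, the following added example (not part of the original article and not ForgeRock code) tests candidate secret IDs and keystore names against the pattern above, reports why each one is rejected, and proposes a conforming replacement. The function names and the sample labels are constructed for illustration, and the whole-string match is an assumption based on the rules stated above.

```python
import re

# Pattern quoted in the "Label must match regex" exception message.
LABEL_RE = re.compile(r"[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*")


def label_problems(label):
    """Return the reasons a label would be rejected (empty list means valid)."""
    if not label:
        return ["label is empty"]
    problems = []
    for pos, ch in enumerate(label):
        # Only ASCII letters, ASCII digits and the dot separator are allowed.
        if not (ch == "." or (ch.isascii() and ch.isalnum())):
            problems.append(f"invalid character {ch!r} at position {pos}")
    if label.startswith("."):
        problems.append("starts with a dot")
    if label.endswith("."):
        problems.append("ends with a dot")
    if ".." in label:
        problems.append("contains two dots in a row")
    return problems


def suggest_label(label):
    """Propose a conforming name: each run of separators becomes a single dot."""
    candidate = re.sub(r"[^a-zA-Z0-9]+", ".", label).strip(".")
    return candidate if LABEL_RE.fullmatch(candidate) else None


def check_labels(labels):
    """Map each label to (problems, suggested replacement or None)."""
    report = {}
    for label in labels:
        problems = label_problems(label)
        report[label] = (problems, suggest_label(label) if problems else None)
    return report


if __name__ == "__main__":
    # Constructed sample IDs and names, not taken from a real deployment.
    samples = ["am.keystore.storepass", "store_pass", "entry-pass",
               ".entrypass", "key..store", "keystore-name"]
    for label, (problems, suggestion) in check_labels(samples).items():
        status = "OK" if not problems else "REJECTED: " + "; ".join(problems)
        print(f"{label:24} {status}" + (f" -> try {suggestion}" if suggestion else ""))
```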
Related Issue Tracker IDs
OPENAM-15758 (KeyStore Secret Store fails to start due to secretId having some characters.)