Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Symptoms

For calls made to the jwk_uri endpoint or the well-known endpoint, for example:

• GET http://host1.example.com:8080/openam/oauth2/realms/root/connect/jwk_uri
• GET http://host1.example.com:8080/openam/oauth2/realms/root/.well-known/openid-configuration

You will receive the following response (or possibly an empty response):

{"error":"server_error","error_description":"Internal Server Error"} 

The following error is shown in the OAuth2Provider debug log (warning or message level) when this happens:

OAuth2Provider:03/08/2018 10:22:57:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034]
WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
   at org.restlet.resource.ServerResource.get(ServerResource.java:742)
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
...
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
   at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(AgentOAuth2ProviderSettings.java:363)
   at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(OpenIDConnectJWKEndpoint.java:73)
...

An error similar to the following is shown in the CoreSystem debug log at the same time:

amSecurity:03/08/2018 10:22:57:116 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034]
ERROR: Unable to retrieve certificate with alias 'test' from keystore '/path/to/openam/keystore.jks'

IDM/AM integration

If you have integrated IDM with AM, you will see the following error in the IDM log when this happens:

Caused by: org.forgerock.oauth.OAuthException: Cannot find resolver for issuer https://host1.example.com:8080/openam/oauth2
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$getJwtClaimsSet$3(OpenIDConnectClient.java:367)
   at java.util.Optional.orElseThrow(Optional.java:290)
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(OpenIDConnectClient.java:367)
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(OpenIDConnectClient.java:270)
...

Recent Changes

Upgraded to AM 5 or later.

Created a new keystore.

Changed the default key alias (called test).

Causes

AM 5 introduced a new configuration property for the signing key alias used by Agents 5, which defaults to test. If you have changed your keystore and/or the default key alias without updating this key alias, you will see this error.

Solution

This issue can be resolved by updating the key alias used by Agents 5 as detailed in the documentation:

• Web Agents User Guide › Configuring Access Management Servers to Communicate With Web Agents
• Java Agents User Guide › Configuring Access Management Servers to Communicate With Java Agents

Noting that the process has changed between AM 6 and AM 6.5.

You should double-check you have updated the key alias in all the places noted in the documentation: Setup and Maintenance Guide › Changing Default Key Aliases.

See Also

Cannot recover key error shown when renewing expired certificates or changing the password for the keystore or truststore in AM/OpenAM (All versions)

How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore?

How does the OIDC authorization flow work when IDM 5.5.x or 6.x is integrated with AM?

OpenID Connect 1.0 Guide › OAuth2 Provider

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11492 (OpenID Jwk_uri URL returns Internal Server Error )