
Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Last updated Nov 13, 2018

The purpose of this article is to provide assistance if you receive an "Internal Server Error" response from the jwk_uri or well-known OAuth2 endpoints in AM after making changes to the keystore. You will also see the following error in the logs: "Unable to retrieve certificate with alias 'test' from keystore". The same issue occurs when IDM is integrated with AM, where it surfaces as a "Cannot find resolver for issuer" error.


Symptoms

For calls made to the jwk_uri endpoint or the well-known endpoint, for example:

  • GET http://host1.example.com:8080/openam/oauth2/realms/root/connect/jwk_uri
  • GET http://host1.example.com:8080/openam/oauth2/realms/root/.well-known/openid-configuration

You will receive the following response (or possibly an empty response):

{"error":"server_error","error_description":"Internal Server Error"} 

The following error is shown in the OAuth2Provider debug log (warning or message level) when this happens:

OAuth2Provider:03/08/2018 10:22:57:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034]
WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
   at org.restlet.resource.ServerResource.get(ServerResource.java:742)
   at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
...
   at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
   at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
   at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(AgentOAuth2ProviderSettings.java:363)
   at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(OpenIDConnectJWKEndpoint.java:73)
...

An error similar to the following is shown in the CoreSystem debug log at the same time:

amSecurity:03/08/2018 10:22:57:116 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034]
ERROR: Unable to retrieve certificate with alias 'test' from keystore '/path/to/openam/keystore.jks'

IDM/AM integration

If you have integrated IDM with AM, you will see the following error in the IDM log when this happens:

Caused by: org.forgerock.oauth.OAuthException: Cannot find resolver for issuer https://host1.example.com:8080/openam/oauth2
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$getJwtClaimsSet$3(OpenIDConnectClient.java:367)
   at java.util.Optional.orElseThrow(Optional.java:290)
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(OpenIDConnectClient.java:367)
   at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(OpenIDConnectClient.java:270)
...

Recent Changes

Upgraded to AM 5 or later.

Created a new keystore.

Changed the default key alias (called test).

Causes

AM 5 introduced a new configuration property (agentIdTokenSigningKeyAlias) for the signing key alias used by Agents 5, which defaults to test. If you have changed your keystore and/or the default key alias without updating this property, the configured alias no longer exists in the keystore and you will see this error.

Solution

This issue can be resolved by updating the key alias used by Agents 5 using the console, Amster or ssoadm:

  • Console: navigate to: Configure > Global Services > OAuth2 Provider > Global Attributes > ID Token Signing Key Alias for Agent Clients and update the test key alias to one that exists.
  • Amster: follow the steps in How do I update property values in AM (All versions) using Amster? with these values:
    • Entity: OAuth2Provider
    • Property: agentIdTokenSigningKeyAlias
  • ssoadm: enter the following command:
    $ ./ssoadm set-attr-defs -s OAuth2Provider -t global -u [adminID] -f [passwordfile] -a agentIdTokenSigningKeyAlias=[keyAlias]
    replacing [adminID], [passwordfile] and [keyAlias] with appropriate values.

You should double-check you have updated the key alias in all the places noted in the documentation: Setup and Maintenance Guide › Changing Default Key Aliases.
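Before pointing the property at a new alias, it is worth confirming that the alias actually exists in the AM keystore as a private-key entry. The following shell helper is an added example, not part of this article or of AM, ssoadm or keytool; the function names and the sample keytool listing are constructed.

```shell
#!/bin/sh
# Preflight check before changing agentIdTokenSigningKeyAlias: confirm the
# alias really exists in the AM keystore as a private-key entry, which AM
# needs in order to sign agent ID tokens. The helper names are hypothetical.
# Print the alias of every PrivateKeyEntry in a `keytool -list` listing read
# from stdin. keytool prints "alias, date, EntryType," per entry, so the alias
# is the first comma-separated field of the PrivateKeyEntry lines.
keytool_private_key_aliases() {
    awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# alias_is_signing_key LISTING ALIAS: exit 0 if ALIAS is a PrivateKeyEntry in
# LISTING (text of a keytool -list run), 1 otherwise. A trustedCertEntry of
# that name does not count: it carries no private key, so AM cannot sign with it.
alias_is_signing_key() {
    printf '%s\n' "$1" | keytool_private_key_aliases | grep -qxF -- "$2"
}

# check_am_signing_alias KEYSTORE STOREPASS ALIAS: run keytool against the real
# keystore and report whether ALIAS is usable as the agent signing key alias.
check_am_signing_alias() {
    listing=$(keytool -list -keystore "$1" -storepass "$2" 2>&1) || {
        printf 'keytool could not open %s: %s\n' "$1" "$listing" >&2
        return 2
    }
    if alias_is_signing_key "$listing" "$3"; then
        printf "alias '%s' is a private key entry in %s\n" "$3" "$1"
        return 0
    fi
    printf "alias '%s' is not a private key entry in %s\n" "$3" "$1" >&2
    return 1
}

# Constructed keytool -list output for a keystore whose default 'test' alias was
# replaced by 'openam-signing' and which also holds one CA certificate.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

openam-signing, Mar 8, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
rootca, Mar 8, 2018, trustedCertEntry,
Certificate fingerprint (SHA-256): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# Against the sample, the old default alias is gone: the state behind the
# "Unable to retrieve certificate with alias 'test'" error in this article.
alias_is_signing_key "$SAMPLE_LISTING" test ||
    echo "alias 'test' not found: set agentIdTokenSigningKeyAlias to an existing private key alias"
```

On a real host, run check_am_signing_alias against the keystore path from the CoreSystem error (for example /path/to/openam/keystore.jks) with the alias you intend to configure.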

See Also

Cannot recover key error shown when renewing expired certificates or changing the password for the keystore or truststore in AM/OpenAM (All versions)

How do I update the certificate alias for the signing key in the AM/OpenAM (All versions) keystore?

How does the OIDC authorization flow work when IDM (All versions) is integrated with AM?

OpenID Connect 1.0 Guide › OAuth2 Provider

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11492 (OpenID Jwk_uri URL returns Internal Server Error)



Copyright and Trademarks

Copyright © 2018 ForgeRock, all rights reserved.