Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)
The purpose of this article is to provide assistance if you receive an "Internal Server Error" response from the jwk_uri or well-known OAuth2 endpoints in AM after making changes to the keystore. You will also see the following error in the logs: "Unable to retrieve certificate with alias 'test' from keystore". When IDM is integrated with AM, the same issue surfaces in IDM as a "Cannot find resolver for issuer" error.
Symptoms
For calls made to the jwk_uri endpoint or the well-known endpoint, for example:
- GET https://am.example.com:8443/am/oauth2/realms/root/connect/jwk_uri
- GET https://am.example.com:8443/am/oauth2/realms/root/.well-known/openid-configuration
You will receive the following response (or possibly an empty response):
{"error":"server_error","error_description":"Internal Server Error"}
The following error is shown in the OAuth2Provider debug log (warning or message level) when this happens:
OAuth2Provider:03/08/2018 10:22:57:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539)
    at org.restlet.resource.ServerResource.get(ServerResource.java:742)
    at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617)
    ...
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:744)
Caused by: java.lang.NullPointerException
    at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(AgentOAuth2ProviderSettings.java:363)
    at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(OpenIDConnectJWKEndpoint.java:73)
    ...
An error similar to the following is shown in the CoreSystem debug log at the same time:
amSecurity:03/08/2018 10:22:57:116 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] ERROR: Unable to retrieve certificate with alias 'test' from keystore '/path/to/am/keystore.jks'
IDM/AM integration
If you have integrated IDM with AM, you will see the following error in the IDM log when this happens:
Caused by: org.forgerock.oauth.OAuthException: Cannot find resolver for issuer https://am.example.com:8443/am/oauth2
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$getJwtClaimsSet$3(OpenIDConnectClient.java:367)
    at java.util.Optional.orElseThrow(Optional.java:290)
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(OpenIDConnectClient.java:367)
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(OpenIDConnectClient.java:270)
    ...
Recent Changes
- Upgraded AM.
- Created a new keystore.
- Changed the default key alias (called test).
Causes
AM's agent settings reference a signing key alias, which defaults to test. If you have changed your keystore and/or the default key alias without updating this agent signing key alias, AM cannot find the key it is configured to sign with, and you will see this error.
Solution
This issue can be resolved by updating the key alias used by Agents as detailed in the documentation:
- Configure AM to sign authentication information (Web Agents)
- Configure communication with AM servers (Java Agents)
Note that the process has changed between AM 6 and AM 6.5.
You should double-check that you have updated the key alias in all the places noted in the documentation: Changing Default Key Aliases.
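The following shell script is an added diagnostic for verifying the fix, not part of this article or of ForgeRock's own tooling. It checks that the alias the agent signing configuration refers to actually exists in the keystore (by parsing `keytool -list` output) and classifies a jwk_uri response so the "server_error" symptom above can be recognised in a health check. It assumes keytool and curl are on the PATH and that the keystore password is known; the keystore path, password, alias and URL are placeholders you supply.

```shell
#!/bin/sh
# Added example (not ForgeRock code): verify that the agent signing key alias
# is present in the AM keystore, and recognise the jwk_uri failure symptom.

# Read `keytool -list` output on stdin and print one alias per line.
# keytool prints entries as "<alias>, <Mon D, YYYY>, <EntryType>, ..." so the
# alias is the first comma-separated field of lines naming an entry type.
list_aliases() {
    awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)/ { print $1 }'
}

# Succeed (exit 0) only if the alias given as $1 is in the listing on stdin.
# -F: fixed string, -x: whole line, -q: quiet.
alias_present() {
    list_aliases | grep -Fxq -- "$1"
}

# Wrapper for a real keystore: $1 = keystore path, $2 = store password,
# $3 = alias configured for agent signing (default 'test' in AM).
# Requires keytool on the PATH (assumption).
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" | alias_present "$3"
}

# Classify a jwk_uri response body passed as $1:
#   0 = a JWK set was returned (body contains a "keys" member)
#   1 = the server_error symptom from this article
#   2 = empty or unrecognised body
classify_jwks_response() {
    case "$1" in
        *'"error":"server_error"'*) return 1 ;;
        *'"keys"'*)                 return 0 ;;
        *)                          return 2 ;;
    esac
}

# Usage: ./check_alias.sh /path/to/keystore.jks STOREPASS test JWK_URI
# (all four values are placeholders you must replace).
if [ "$#" -eq 4 ]; then
    if keystore_has_alias "$1" "$2" "$3"; then
        echo "alias '$3' found in $1"
    else
        echo "alias '$3' NOT found in $1: update the agent signing key alias" >&2
    fi
    body=$(curl -s "$4")
    rc=0; classify_jwks_response "$body" || rc=$?
    case "$rc" in
        0) echo "jwk_uri returned a JWK set" ;;
        1) echo "jwk_uri returned server_error (see Causes above)" >&2 ;;
        *) echo "jwk_uri returned an empty or unexpected body" >&2 ;;
    esac
fi
```

Run it after applying the documented change; a missing alias together with a server_error response is the exact combination this article describes, while a present alias and a returned JWK set confirm the agent settings and keystore agree again.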
See Also
How do I update the certificate alias for the signing key in the AM (All versions) keystore?
How does the OIDC authorization flow work when IDM (All versions) is integrated with AM?
Related Training
N/A
Related Issue Tracker IDs
N/A