Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Last updated Feb 24, 2021

The purpose of this article is to provide assistance if you receive an "Internal Server Error" response to the jwk_uri or the well-known OAuth2 endpoints in AM after making changes to the keystore. You will also see the following error in the logs: "Unable to retrieve certificate with alias 'test' from keystore". This issue also occurs when IDM is integrated with AM with a "Cannot find resolver for issuer" error.

Symptoms

For calls made to the jwk_uri endpoint or the well-known endpoint, for example:

GET http://host1.example.com:8080/openam/oauth2/realms/root/connect/jwk_uri
GET http://host1.example.com:8080/openam/oauth2/realms/root/.well-known/openid-configuration

You will receive the following response (or possibly an empty response):

{"error":"server_error","error_description":"Internal Server Error"}

The following error is shown in the OAuth2Provider debug log (warning or message level) when this happens:

OAuth2Provider:03/08/2018 10:22:57:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request at org.restlet.resource.ServerResource.doHandle(ServerResource.java:539) at org.restlet.resource.ServerResource.get(ServerResource.java:742) at org.restlet.resource.ServerResource.doHandle(ServerResource.java:617) ... at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:744) Caused by: java.lang.NullPointerException at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(AgentOAuth2ProviderSettings.java:363) at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(OpenIDConnectJWKEndpoint.java:73) ...

An error similar to the following is shown in the CoreSystem debug log at the same time:

amSecurity:03/08/2018 10:22:57:116 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] ERROR: Unable to retrieve certificate with alias 'test' from keystore '/path/to/openam/keystore.jks'

IDM/AM integration

If you have integrated IDM with AM, you will see the following error in the IDM log when this happens:

Caused by: org.forgerock.oauth.OAuthException: Cannot find resolver for issuer https://host1.example.com:8080/openam/oauth2 at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$getJwtClaimsSet$3(OpenIDConnectClient.java:367) at java.util.Optional.orElseThrow(Optional.java:290) at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(OpenIDConnectClient.java:367) at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(OpenIDConnectClient.java:270) ...

Recent Changes

Upgraded to AM 5 or later.

Created a new keystore.

Changed the default key alias (called test).

Causes

AM 5 introduced a new configuration property for the signing key alias used by Agents 5, which defaults to test. If you have changed your keystore and/or the default key alias without updating this key alias, you will see this error.

Solution

This issue can be resolved by updating the key alias used by Agents 5 as detailed in the documentation:

Noting that the process has changed between AM 6 and AM 6.5.

You should double-check you have updated the key alias in all the places noted in the documentation: Security Guide › Changing Default Key Aliases.

Related Training

N/A

Related Issue Tracker IDs

OPENAM-11492 (OpenID Jwk_uri URL returns Internal Server Error )